Cross-Site Request Forgery (CSRF) Protection Control
Enable CSRF Protection in Salesforce session settings to secure your environment.
Control Name
CSRF Protection
Recommended Configuration
- Enable CSRF protection on GET requests on non-setup pages
- Enable CSRF protection on POST requests on non-setup pages
Setup>Session Settings>Cross-Site Request Forgery (CSRF) Protection>Enable all options.
Control Overview
With CSRF Protection enabled, Salesforce includes a random, session-specific token in the URL parameters of GET requests and the hidden form fields of POST requests on non-setup pages.
Before executing a state-changing request, the platform checks that the token is present and matches the one issued to the user's active session. A page on another origin cannot read that token, so it cannot build a request that passes the check, which stops a malicious site from making the user's browser execute commands on the user's behalf.
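The following is an added, constructed model of the check described above, not Salesforce code: each session is issued its own random token, the token is embedded in the page the server renders, and a state-changing request is honoured only when it carries that session's token. The forged request models a cross-site page that can make the browser send its session cookie but cannot read the token; the session store, function names and the `protection_on` switch are illustrative assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    # Per-session anti-CSRF token, generated when the session is created.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed in-memory session store keyed by session ID (the cookie value).
SESSIONS: Dict[str, Session] = {}


def login(user: str) -> str:
    """Create a session and return the ID the browser will store as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user)
    return sid


def render_form_token(sid: str) -> str:
    """Value the server embeds in its own page (hidden field or URL parameter).

    Only a page served from this origin ever sees it."""
    return SESSIONS[sid].csrf_token


def handle_state_change(sid: Optional[str], token: Optional[str], protection_on: bool) -> str:
    """Server-side handling of a state-changing request (GET or POST alike)."""
    session = SESSIONS.get(sid or "")
    if session is None:
        return "rejected: no session"
    if protection_on:
        # Constant-time comparison on bytes so the check does not leak the
        # token through timing and does not error on non-ASCII input.
        if token is None or not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
            return "rejected: missing or invalid CSRF token"
    return f"executed for {session.user}"


def legitimate_request(sid: str, protection_on: bool = True) -> str:
    """A click on the real page: the browser sends the cookie and the token."""
    return handle_state_change(sid, render_form_token(sid), protection_on)


def forged_cross_site_request(sid: str, protection_on: bool = True) -> str:
    """A hidden request from an attacker's site: the browser still attaches the
    victim's session cookie, but the attacker never learned the token."""
    return handle_state_change(sid, None, protection_on)


if __name__ == "__main__":
    sid = login("alice")
    print("legitimate, protection on :", legitimate_request(sid))
    print("forged, protection on     :", forged_cross_site_request(sid))
    print("forged, protection off    :", forged_cross_site_request(sid, protection_on=False))
```

The last line of the demo is the failure mode this control closes: with protection off, the forged request runs with the victim's permissions exactly as a genuine one would.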
Security Risk If Not Configured
Disabling CSRF Protection leaves your Salesforce environment vulnerable to Cross-Site Request Forgery (CSRF) attacks, where a malicious website can trick a user's browser into executing unauthorized, state-changing commands—such as deleting records or modifying security settings—without their knowledge. Because these requests inherit the permissions of the authenticated user, an attack against an administrative account could result in a total compromise of the organization's data and configuration.
Threat Scenarios
In a typical threat scenario, an attacker tricks an authenticated Salesforce user into visiting a malicious website or clicking a link that triggers a hidden, cross-site request to your Salesforce instance.
Since the browser automatically attaches the user's active session cookies, and Salesforce has no anti-CSRF token with which to verify the request's origin, the request is executed as if the user had made it, potentially allowing the attacker to delete or alter records, change configuration, or grant their own account elevated permissions, all without the user's knowledge.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
The risk impact encompasses a total compromise of data confidentiality and integrity, where unauthorized actors can execute administrative actions or harvest sensitive information, leading to catastrophic financial, legal, and reputational damage.
Higher Risk When
Beyond the CSRF settings themselves, leaving "Lock sessions to the IP address from which they originated" or "Enable clickjack protection" disabled significantly amplifies your risk profile.
Without IP locking, a stolen session ID, or one harvested from a browser's persistent cache, can be replayed by an attacker from any location. Without clickjack protection, a malicious site can frame your Salesforce org under invisible overlays and trick users into clicking real buttons on the genuine page; because those clicks submit the page's own valid token, this defeats the CSRF safeguard. Long session timeouts, or leaving "Force logout on session timeout" disabled, extend the window in which such attacks can succeed on unattended or shared workstations.
Low or No Risk When
Risk is lower when Multi-Factor Authentication (MFA) and login IP range restrictions are enforced, so that even if a session is hijacked or cached data is exposed, it cannot easily be reused from an untrusted device or location. Note that these controls do not stop CSRF itself: a forged request is issued by the victim's own, already authenticated browser, so only the token check rejects it.
Additionally, Salesforce Shield Event Monitoring and strict object- and field-level security let you detect anomalous data exports and ensure that server-side permissions bound what any forged request can do, so a CSRF or cache-based attack against a low-privilege user cannot reach data or actions that user could not access directly.
Business and Integration Considerations
Implementing these controls requires balancing enhanced security with interoperability, as strict CSRF and session enforcement can disrupt legacy integrations, third-party iFrames, and custom pages or links that perform state-changing actions via a plain URL without carrying the platform's token. Test custom Visualforce pages and custom buttons or links of that kind before enabling the setting in production. Integrations that call the platform APIs with an OAuth access token rather than a browser session are not affected, because the token check applies to page requests, not API calls.
Recommended Remediation
Enable both options under Setup>Session Settings>Cross-Site Request Forgery (CSRF) Protection, then verify that custom pages and links which perform state-changing actions still work with a valid token.
Security Health Review Guidance
Security Health Review inspects the session settings to verify that Cross-Site Request Forgery protection on both GET and POST requests is enabled, in alignment with security best practice.
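An added example of how such a review can be scripted against an org's exported settings; it is not part of the original page or of Security Health Review. It assumes the settings were retrieved as `settings/Security.settings-meta.xml` (for example with `sf project retrieve start --metadata SecuritySettings`) and uses the `sessionSettings` field names of the Metadata API `SecuritySettings` type for the two CSRF options and the related options named under "Higher Risk When". The XML below is constructed to show both a failing and a passing check.

```python
import xml.etree.ElementTree as ET
from typing import Dict

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample of a retrieved Security.settings-meta.xml; not a real org's export.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <enableCSRFOnGet>false</enableCSRFOnGet>
        <enableCSRFOnPost>true</enableCSRFOnPost>
        <enableClickjackNonsetupSF>true</enableClickjackNonsetupSF>
        <lockSessionsToIp>false</lockSessionsToIp>
        <forceLogoutOnSessionTimeout>true</forceLogoutOnSessionTimeout>
        <sessionTimeout>TwoHours</sessionTimeout>
    </sessionSettings>
</SecuritySettings>
"""

# Setting name -> expected value. The first two are this control; the rest are
# the related session settings that raise the risk when left disabled.
EXPECTED = {
    "enableCSRFOnGet": "true",
    "enableCSRFOnPost": "true",
    "enableClickjackNonsetupSF": "true",
    "lockSessionsToIp": "true",
    "forceLogoutOnSessionTimeout": "true",
}


def review_session_settings(xml_text: str) -> Dict[str, str]:
    """Return {setting: 'pass' | 'fail (actual=...)' | 'missing'} for each expected setting."""
    root = ET.fromstring(xml_text)
    session = root.find("m:sessionSettings", NS)
    results: Dict[str, str] = {}
    for name, want in EXPECTED.items():
        node = session.find(f"m:{name}", NS) if session is not None else None
        if node is None or node.text is None:
            # An absent element is not evidence the option is on: report it, never pass it.
            results[name] = "missing"
        elif node.text.strip().lower() == want:
            results[name] = "pass"
        else:
            results[name] = f"fail (actual={node.text.strip()})"
    return results


def csrf_control_passes(results: Dict[str, str]) -> bool:
    """The control passes only when both CSRF options are confirmed enabled."""
    return results["enableCSRFOnGet"] == "pass" and results["enableCSRFOnPost"] == "pass"


if __name__ == "__main__":
    findings = review_session_settings(SAMPLE_SETTINGS)
    for name, verdict in findings.items():
        print(f"{name}: {verdict}")
    print("CSRF Protection control:", "PASS" if csrf_control_passes(findings) else "FAIL")
```

Run it against the file retrieved from the org instead of `SAMPLE_SETTINGS` to get the same per-setting verdicts; a `missing` verdict means the export did not contain the element and should be re-checked in Setup rather than treated as compliant.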