CSRF Protection on GET and POST requests
Knowledge Article Number: 000230653
To protect against cross-site request forgery (CSRF), use the default CSRF settings to improve organizational security. Two settings, one that enables CSRF protection on GET requests and one that enables it on POST requests, both on non-setup pages, have been enabled by default for all organizations since Spring '14.
Resolution
How do these settings improve organizational security?
They protect against Cross-Site Request Forgery (CSRF) attacks by modifying non-setup pages to include a random, unpredictable string of characters, either as a URL parameter or as a hidden form field. With every GET and POST request, the application checks the validity of this string and does not execute the command unless the value found matches the value expected for the user's session. A forged request launched from another site is sent by the browser with the victim's session cookies, but the attacking page cannot read the token embedded in the legitimate page, so the request arrives without the expected value and is rejected. These settings are enabled by default for all organizations.
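The mechanism described above, as an added example that is not Salesforce code: a per-session synchronizer token is issued, embedded in GET links and in a hidden form field, and every GET and POST request is checked against the session's expected value before the command runs. The class, the parameter name `csrf_token`, the in-memory session store and the session identifiers are all assumptions made for the illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Illustrative parameter name; not a Salesforce identifier.
TOKEN_PARAM = "csrf_token"


class CsrfGuard:
    """Synchronizer-token CSRF check applied to both GET and POST requests."""

    def __init__(self):
        # session_id -> token; stands in for a server-side session store.
        self._tokens = {}

    def issue(self, session_id):
        """Return the session's token, creating a random one on first use."""
        tok = self._tokens.get(session_id)
        if tok is None:
            # token_urlsafe yields only [A-Za-z0-9_-], so it is safe to embed
            # unescaped in a query string or an HTML attribute.
            tok = secrets.token_urlsafe(32)
            self._tokens[session_id] = tok
        return tok

    def link(self, session_id, base_url, params=None):
        """Render a GET link that carries the token as a URL parameter."""
        query = dict(params or {})
        query[TOKEN_PARAM] = self.issue(session_id)
        return f"{base_url}?{urlencode(query)}"

    def hidden_field(self, session_id):
        """Render the hidden form field a POST form carries."""
        return f'<input type="hidden" name="{TOKEN_PARAM}" value="{self.issue(session_id)}">'

    def validate(self, session_id, method, query_string="", form_body=""):
        """True only if the request carries the token expected for this session.

        GET requests are checked against the URL parameters, POST requests
        against the form body, mirroring where the page placed the token.
        """
        expected = self._tokens.get(session_id)
        if expected is None:
            return False  # no token was ever issued to this session
        source = query_string if method == "GET" else form_body
        supplied = parse_qs(source).get(TOKEN_PARAM, [None])[0]
        if supplied is None:
            return False  # token missing: forged or stale request
        # Constant-time comparison so the check leaks nothing about the token.
        return hmac.compare_digest(supplied, expected)


def demo():
    """Constructed requests: two legitimate ones and three forgeries."""
    guard = CsrfGuard()
    victim = "session-victim"  # constructed session identifier
    token = guard.issue(victim)
    results = {}

    # 1. Link rendered by the application for the victim: token present and matching.
    url = guard.link(victim, "/delete_record", {"id": "001"})
    results["own_get"] = guard.validate(victim, "GET", query_string=url.split("?", 1)[1])

    # 2. Form rendered by the application: hidden field submitted in the POST body.
    body = f"id=001&{TOKEN_PARAM}={token}"
    results["own_post"] = guard.validate(victim, "POST", form_body=body)

    # 3. Forged POST from an attacker's page: the browser attaches the victim's
    #    cookies, but the attacker never saw the token, so the body lacks it.
    results["forged_post_no_token"] = guard.validate(victim, "POST", form_body="id=001")

    # 4. Attacker supplies a token from their own session: it does not match the victim's.
    attacker_token = guard.issue("session-attacker")
    results["forged_post_other_token"] = guard.validate(
        victim, "POST", form_body=f"id=001&{TOKEN_PARAM}={attacker_token}"
    )

    # 5. A GET whose token appears only in a body is rejected: the check looks
    #    at the URL parameters for GET requests.
    results["get_token_in_body"] = guard.validate(
        victim, "GET", query_string="id=001", form_body=body
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'executed' if ok else 'rejected'}")
```

Only the two requests rendered by the application for the victim's own session pass; a request that lacks the token, carries another session's token, or carries it in the wrong place is refused before the command runs.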
Alternatively, customers with a business justification can have these options disabled by contacting Salesforce Support. Disabling either option removes the token check for the corresponding request method on all non-setup pages in the organization.
Modify Session Security Settings
Secure Coding Cross Site Request Forgery
Cross-Site Request Forgery (CSRF)