Loading

Visualforce page called from Hyperlink formula fails because of CSRF token

Publiceringsdatum: May 1, 2026
Beskrivning

When a Salesforce Visualforce page is called directly from a Hyperlink formula field using the HYPERLINK() function, the page may fail with the following error:
"The link you followed isn't valid. This page requires a CSRF confirmation token."


This occurs because Visualforce pages with Cross-Site Request Forgery (CSRF — a web security mechanism that prevents unauthorized commands from being submitted on behalf of a user) protection enabled require a valid CSRF token in the request. When a Visualforce page is accessed via a formula field hyperlink, no CSRF token is included in the request URL, which causes the page to reject the request.


Example formula field that triggers this error: HYPERLINK("/apex/MainPage", "vfpage", "_blank")

 

Lösning

The recommended workaround is to create an intermediate Visualforce page with CSRF protection disabled. This intermediate page uses an Apex controller action to redirect the user to the target Visualforce page, which can retain CSRF protection.

How the Workaround Works

The solution involves three components:

  1. Update the HYPERLINK formula to point to the intermediate Visualforce page (which has CSRF protection off).
  2. The intermediate Visualforce page uses an action attribute bound to an Apex method on page load.
  3. The Apex method returns a PageReference that redirects the user to the actual target Visualforce page.

This approach means the formula link opens a Visualforce page without CSRF protection, which then securely redirects to the target page that can maintain CSRF protection.

Implementation Steps

Step 1: Update the formula field to point to the intermediate page: HYPERLINK("/apex/NavigatingPage", "vfpage", "_blank")
Step 2: Create the intermediate Visualforce page (NavigatingPage) with CSRF protection disabled. Set the action attribute to call an Apex method on load. The Apex controller method (e.g., Router) should return a PageReference pointing to /apex/MainPage.
Step 3: Ensure the target Visualforce page (MainPage) retains CSRF protection on GET requests.


VF Page:

<apex:page controller="Navigating" action="{!Router}"> 
</apex:page>


APEX  Class:

public class Navigating{ 
   public PageReference Router() 
  { 
     return new PageReference('/apex/MainPage'); 
   } 
}


Main VF page with CSRF Enabled:

<apex:page > 
  Page With "CSRF protection on GET requests" Enabled 
</apex:page>

 

Knowledge-artikelnummer

000383876

 
Laddar
Salesforce Help | Article