Allow CSRF Protection on GET Requests to Visualforce Pages (Critical Update)

This critical update makes it possible to enable CSRF checks for GET requests on Visualforce pages, and might break links to existing Visualforce pages.

When creating a Visualforce page in Setup, you can select Require CSRF Protection on GET requests. This option adds an extra layer of security to your Visualforce page that guards against cross-site request forgery (CSRF). This critical update gives you the option of enabling CSRF protection on Visualforce pages, but it does not automatically enable protection on every page. Previously, this option only had an effect when applied to Visualforce pages used for delete action overrides.

In general, a POST request from a Visualforce page submits data, while a GET request asks for data. POST requests always have CSRF protection. This critical update gives you the option of ensuring that Visualforce pages receive a CSRF token with a GET request.

When this option is enabled for a Visualforce page, you can’t access the page by entering its URL—/apex/PageName. Also, plain links to that page using <a> tags don’t work. If you try to access a Visualforce page with CSRF protection enabled, the page doesn’t load and you get an error.

Plain links from a page with CSRF checks work, but links to the page do not. For example, if your page has the name PageName, the link <a href="/apex/PageName">Link</a> doesn’t work. Instead, use the URLFOR() formula function, the $Page global variable, or the apex:outputLink component.

<apex:outputLink value="/apex/PageName">Link using apex:outputLink</apex:outputLink>
<a href="{!$Page.PageName}">Link using $Page</a>
<a href="{!URLFOR($Page.PageName)}">Link using URLFOR()</a>

CSRF checks on GET requests also affect how Visualforce pages are referenced from Apex controllers. Methods that return the URL of CSRF-protected pages for navigation don’t work:
public String getPage() {
  // Returns a bare URL with no CSRF token, so navigation fails once the page requires CSRF on GET
  return '/apex/PageName';
}

Instead, use methods that return a PageReference to the Visualforce page rather than its URL as a string.
public class customController {
  // A PageReference built from the page URL: Visualforce resolves it and adds the CSRF token
  public PageReference getPage() {
    return new PageReference('/apex/PageName');
  }

  // A PageReference obtained from the Page global, the most direct way to reference a page
  public PageReference getPage1() {
    return Page.PageName;
  }
}

When you use one of these methods to link to a page, Visualforce adds the required CSRF token to the URL. These are the preferred methods for linking to Visualforce pages, regardless of whether CSRF protection is enabled for the page. You can use only these methods to add a CSRF token to a URL for a Visualforce page.
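As an added example that is not part of the original release note, the following Visualforce markup, Apex controller, and Apex test bring the supported linking patterns together: every link to the CSRF-protected page PageName goes through $Page, URLFOR(), apex:outputLink, or a PageReference returned by an action method, and no markup or controller hard-codes /apex/PageName in an href or a String. PageName is the page name used in this note; the page CsrfSafeLinks, the class CsrfSafeController, its test class, and the choice of with sharing and setRedirect(true) are assumptions made for the example. The markup is shown in a comment so the whole example fits in one listing; in an org it lives in its own .page file.

```apex
/*
 * Assumed Visualforce markup for CsrfSafeLinks.page (example, not Salesforce's own code).
 * Each link to PageName uses $Page, URLFOR(), or apex:outputLink, so Visualforce
 * appends the CSRF token; nothing writes href="/apex/PageName" directly.
 *
 * <apex:page controller="CsrfSafeController">
 *     <apex:outputLink value="{!$Page.PageName}">Open PageName</apex:outputLink>
 *     <a href="{!URLFOR($Page.PageName)}">Open PageName via URLFOR()</a>
 *     <apex:form>
 *         <!-- POSTs to the controller, which then navigates with a PageReference -->
 *         <apex:commandButton value="Go" action="{!goToPage}"/>
 *     </apex:form>
 * </apex:page>
 */

// CsrfSafeController.cls (assumed name)
public with sharing class CsrfSafeController {

    // Action method: returning Page.PageName lets Visualforce build the target URL,
    // including the CSRF token when the page requires it on GET.
    public PageReference goToPage() {
        PageReference target = Page.PageName;
        target.setRedirect(true);
        return target;
    }

    // Same pattern with a query parameter: add it to the PageReference instead of
    // concatenating it onto a '/apex/PageName?id=...' string.
    public PageReference goToPageWithId(Id recordId) {
        PageReference target = Page.PageName;
        target.getParameters().put('id', String.valueOf(recordId));
        target.setRedirect(true);
        return target;
    }
}

// CsrfSafeControllerTest.cls (assumed name)
@IsTest
private class CsrfSafeControllerTest {

    @IsTest
    static void actionReturnsPageReferenceNotRawUrl() {
        CsrfSafeController ctrl = new CsrfSafeController();
        PageReference target = ctrl.goToPage();

        System.assertNotEquals(null, target, 'action must return a PageReference');
        // The reference resolves to the Visualforce page; compare case-insensitively and
        // only on the prefix, since the generated URL may carry extra query parameters.
        System.assert(target.getUrl().toLowerCase().startsWith('/apex/pagename'),
            'unexpected target: ' + target.getUrl());
    }

    @IsTest
    static void parametersTravelOnThePageReference() {
        CsrfSafeController ctrl = new CsrfSafeController();
        // Constructed sample Id: a well-formed 15-character Account Id used only for the test
        Id sampleId = '001000000000001';
        PageReference target = ctrl.goToPageWithId(sampleId);

        System.assertEquals(String.valueOf(sampleId), target.getParameters().get('id'),
            'id parameter must be carried by the PageReference');
    }
}
```

The test does not assert on the presence of the token itself, because the note only states that Visualforce adds it when the page is rendered through these methods; what the test pins down is that the controller never emits a raw '/apex/PageName' string, which is the defect that surfaces when CSRF protection on GET is switched on.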

Test This Critical Update

This update is enabled everywhere on the auto-activation date, June 11, 2017. We recommend that you test your Visualforce code in a Developer Edition org before then and verify that links to all your Visualforce pages using CSRF protection still work. If you must work in your production org, do so during off-peak hours.

  1. From Setup, enter Critical Updates in the Quick Find box, and then select Critical Updates.
  2. For “Allow CSRF Protection on GET Requests to Visualforce Pages”, click Activate.
  3. Test links to any Visualforce pages that have CSRF protection on GET requests enabled.