Cross-Site Request Forgery (CSRF) is a malicious technique in which unauthorized commands are crafted (by a script or a page link, for example) and sent by a user's browser to a website on which that user is already authenticated.
These options protect against CSRF attacks by modifying the non-setup pages to include a random string of characters, either in the URL parameters or as a hidden embedded form field. The system then verifies this string and only executes the command if the value matches the expected value for that session. The features that can be used to configure protection against CSRF attacks are described in the following sections.
Enable CSRF protection on GET requests on non-setup pages
The Enable CSRF protection on GET requests on non-setup pages option protects against CSRF attacks on GET requests to non-setup pages. It is enabled by default and can only be disabled by sending a request to salesforce.com support.
Enable CSRF protection on POST requests on non-setup pages
The Enable CSRF protection on POST requests on non-setup pages option protects against CSRF attacks on POST requests to non-setup pages. It is enabled by default and can only be disabled by sending a request to salesforce.com support.
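As an added illustration of the token mechanism described above (the random string carried as a URL parameter on GET requests or as a hidden field on POST requests, checked server-side per session), here is a minimal example. It is not Salesforce's own code; the parameter name csrf_token, the in-memory session store, and the form dictionary shape are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed name of the parameter / hidden field that carries the token.
TOKEN_PARAM = "csrf_token"


class CsrfGuard:
    """Issues one unguessable token per session and verifies it on requests."""

    def __init__(self) -> None:
        # session id -> expected token (a real server would keep this in the session).
        self._tokens: dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        # 256 bits from the OS CSPRNG; the value must not be derivable by an attacker.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def hidden_field(self, session_id: str) -> str:
        # Markup a page would embed so a legitimate POST carries the token.
        return f'<input type="hidden" name="{TOKEN_PARAM}" value="{self._tokens[session_id]}">'

    def _matches(self, session_id: str, presented) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(presented, str):
            return False
        # Constant-time comparison so a mismatch leaks no timing information.
        return hmac.compare_digest(expected.encode(), presented.encode())

    def verify_get(self, session_id: str, url: str) -> bool:
        # GET: the token travels in the query string; exactly one copy is required.
        values = parse_qs(urlsplit(url).query).get(TOKEN_PARAM, [])
        return len(values) == 1 and self._matches(session_id, values[0])

    def verify_post(self, session_id: str, form: dict) -> bool:
        # POST: the token travels as a hidden form field.
        return self._matches(session_id, form.get(TOKEN_PARAM))


if __name__ == "__main__":
    guard = CsrfGuard()
    tok = guard.issue("session-A")  # constructed session id
    print(guard.verify_get("session-A", f"/update?id=7&{TOKEN_PARAM}={tok}"))  # True
    print(guard.verify_get("session-A", "/update?id=7"))                       # False
    print(guard.verify_post("session-B", {TOKEN_PARAM: tok}))                   # False
```

A request forged from another site cannot read the victim's token, so it is rejected whether it arrives as a GET with a crafted URL or as an auto-submitted POST form.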