diff --git a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfCsrfRule.java b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfCsrfRule.java
index 89a4f018a1..4bf13732b5 100644
--- a/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfCsrfRule.java
+++ b/pmd-visualforce/src/main/java/net/sourceforge/pmd/lang/vf/rule/security/VfCsrfRule.java
@@ -25,14 +25,19 @@ public class VfCsrfRule extends AbstractVfRule {
         if (APEX_PAGE.equalsIgnoreCase(node.getName())) {
             List<ASTAttribute> attribs = node.findChildrenOfType(ASTAttribute.class);
             boolean controller = false;
-            boolean action = false;
             boolean isEl = false;
             ASTElExpression valToReport = null;
 
             for (ASTAttribute attr : attribs) {
                 switch (attr.getName().toLowerCase()) {
                 case "action":
-                    action = true;
+                    ASTElExpression value = attr.getFirstDescendantOfType(ASTElExpression.class);
+                    if (value != null) {
+                        if (doesElContainIdentifiers(value)) {
+                            isEl = true;
+                            valToReport = value;
+                        }
+                    }
                     break;
                 case "controller":
                     controller = true;
@@ -42,15 +47,6 @@ public class VfCsrfRule extends AbstractVfRule {
 
                 }
 
-                if (action) {
-                    ASTElExpression value = attr.getFirstDescendantOfType(ASTElExpression.class);
-                    if (value != null) {
-                        if (doesElContainIdentifiers(value)) {
-                            isEl = true;
-                            valToReport = value;
-                        }
-                    }
-                }
             }
 
             if (controller && isEl && valToReport != null) {
diff --git a/pmd-visualforce/src/main/resources/rulesets/vf/security.xml b/pmd-visualforce/src/main/resources/rulesets/vf/security.xml
index 6a4bf5e7e7..d3f73ef3c7 100644
--- a/pmd-visualforce/src/main/resources/rulesets/vf/security.xml
+++ b/pmd-visualforce/src/main/resources/rulesets/vf/security.xml
@@ -7,8 +7,8 @@
 	<description>Rules concerning basic VF guidelines.</description>
 
 	<rule name="VfUnescapeEl" since="3.7"
-		message="Avoid unescaped user controlled content in EL" class="net.sourceforge.pmd.lang.vf.rule.security.VfUnescapeElRule"
-		externalInfoUrl="${pmd.website.baseurl}/rules/vf/security.html#VfUnescapeElRule">
+	message="Avoid unescaped user controlled content in EL" class="net.sourceforge.pmd.lang.vf.rule.security.VfUnescapeElRule"
+	externalInfoUrl="${pmd.website.baseurl}/rules/vf/security.html#VfUnescapeElRule">
 		<description><![CDATA[Avoid unescaped user controlled content in EL as it results in XSS. ]]>
 		</description>
 		<priority>3</priority>
@@ -19,7 +19,7 @@
 		</example>
 	</rule>
 
-	<rule name="VfCsrf" since="3.7" message="Avoid calling VF action upon page load"
+	<rule name="VfCsrf" since="5.6" message="Avoid calling VF action upon page load"
 		class="net.sourceforge.pmd.lang.vf.rule.security.VfCsrfRule"
 		externalInfoUrl="${pmd.website.baseurl}/rules/vf/security.html#VfCsrfRule">
 		<description><![CDATA[Avoid calling VF action upon page load as the action becomes vulnerable to CSRF. ]]>
diff --git a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfCsrf.xml b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfCsrf.xml
index 3f7a0968eb..01bce082f8 100644
--- a/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfCsrf.xml
+++ b/pmd-visualforce/src/test/resources/net/sourceforge/pmd/lang/vf/rule/security/xml/VfCsrf.xml
@@ -8,6 +8,27 @@ CSRF by starting a controller with an EL action
 		<expected-problems>1</expected-problems>
 		<code><![CDATA[
 <apex:page controller="AcRestActionsController" action="{!csrfInitMethod}" >
+]]></code>
+		<source-type>vf</source-type>
+	</test-code>
+
+	<test-code>
+		<description><![CDATA[
+Controller without actions is perfectly safe
+     ]]></description>
+		<expected-problems>0</expected-problems>
+		<code><![CDATA[
+<apex:page controller="AcRestActionsController"  >
+]]></code>
+		<source-type>vf</source-type>
+	</test-code>
+
+	<test-code>
+		<description><![CDATA[
+JS action on load is perfectly safe     ]]></description>
+		<expected-problems>0</expected-problems>
+		<code><![CDATA[
+<apex:page controller="AcRestActionsController" action="init()" >
 ]]></code>
 		<source-type>vf</source-type>
 	</test-code>