Clayton

There are cases where developers use Visualforce or Lightning to display data derived from an SObject field in an indirect or processed form. In such scenarios CRUD and &nbsp;FLS should be manually enforced.

If your team uses utility methods to enforce CRUD/FLS checks, it's possible to configure them in Clayton to increase the accuracy of the detections.

- Visualforce pages and components
- Lightning components
- Apex classes

<a href="https://cwe.mitre.org/data/definitions/285.html" rel="nofollow noopener noreferrer" target="_blank">CWE-285: Improper Authorization</a>

<a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/" rel="nofollow noopener noreferrer" target="_blank">OWASP A01:2021 – Broken Access Control</a>

<a href="https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/admin_fls.htm" rel="nofollow noopener noreferrer" target="_blank">Field-Level Security</a>

<a href="https://developer.salesforce.com/docs/atlas.en-us.lightning.meta/lightning/apex_crud_fls.htm" rel="nofollow noopener noreferrer" target="_blank">Securing Data in Apex Controllers</a>

<a href="https://trailhead.salesforce.com/content/learn/modules/data_security?trailmix_creator_id=strailhead&amp;trailmix_slug=data-analytics-lead-data-architect" rel="nofollow noopener noreferrer" target="_blank">Data Security</a>

- <a href="https://cwe.mitre.org/data/definitions/285.html" rel="nofollow noopener noreferrer" target="_blank">CWE-285: Improper Authorization</a>
- <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/" rel="nofollow noopener noreferrer" target="_blank">OWASP A01:2021 – Broken Access Control</a>
- <a href="https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/admin_fls.htm" rel="nofollow noopener noreferrer" target="_blank">Field-Level Security</a>
- <a href="https://developer.salesforce.com/docs/atlas.en-us.lightning.meta/lightning/apex_crud_fls.htm" rel="nofollow noopener noreferrer" target="_blank">Securing Data in Apex Controllers</a>
- <a href="https://trailhead.salesforce.com/content/learn/modules/data_security?trailmix_creator_id=strailhead&amp;trailmix_slug=data-analytics-lead-data-architect" rel="nofollow noopener noreferrer" target="_blank">Data Security</a>

Ensure that CRUD permissions and Field-Level Security are enforced in Visualforce and Lightning, to avoid exposing sensitive data.

Rationale

Additional settings

Scope

See also