Clayton

Detect secrets such as tokens, API keys, certificates or similar that have been hardcoded in Apex, Aura or Lightning Web Components.

Hardcoded secret

Detect instances in which users password are programmatically set.

Passwords set programmatically

Detect direct access to HTTP Referer Headers

Avoid Using HTTP Referer Headers

Detect Flows without any access restriction (either by a profile nor by a permission set).

Flow Access Restriction

Detect instances in which is possible to send emails without any control, straight invokable from end users.

Email spamming risk

Insecure sharing to external users

Server-side Payload Injection

User Registration Without Limits

Detect components that are vulnerable to Clickjacking.

LWC Clickjacking on CSS

Import of sensitive fields in Lightning Web Components (LWC)

Detect LWC templates that use direct DOM manipulation and bypass the secure Shadow DOM provided by the Lightning Web Components

Direct DOM manipulation in Lightning Web Components (LWC)

Detect when sensitive information like tokens, secrets are stored insecurely.

Sensitive information storage

Inspect the data model definition, and ensure sensitive information isn’t logged or exposed unsafely to avoid data leaks.

Sensitive information logging

Detects the use of "ViewAllData" and "ViewAllRecords" in profiles.

Excessive data access permissions

Detect subresource integrity vulnerabilities.

Subresource integrity

Make sure that resources used by Visualforce or Lightning components are retrieved securely in accordance to your Content Security Policy.

Content Security Policy (CSP)

Ensure HTTP callouts use secured endpoints (HTTPS) to protect your application and users from attack.

Insecure endpoints

Enforce using named credentials instead of manually hard-wiring credentials when performing HTTP requests.

Named credentials

Detect uses of cryptography with hard-wired keys, so that the security of encrypted data is not compromised.

Randomization of cryptographic keys

Keep client-side storage without sensitive data.

Use of Session storage and Local storage

Detect uses of GETSESSIONID() or $API.Session_Id in Visualforce.

Use of Session ID in Visualforce

Lorenzo Frattini

Gabriele Gallo Stampino

Security best practices

Home

Find answers and get help from Intercom Support and Community Experts

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Title

Track the progress of all tickets related to your company.

Tickets portal.

{assigneeName} needs more information from you