FAQ Enhancement Tool (Prototype)

Filtered FAQ List

This list shows only the technical security FAQs that are valid candidates for AI enhancement and rule correlation. FAQs are filtered to security-related topics that map to code scanner rules; process/administrative categories and broken/incomplete FAQs are excluded. Each entry carries its FAQ identifier, its enhancement status (✓ Has Recommendations, or ⚠ Error where enhancement did not complete) and the FAQ question; long questions are truncated.

Displayed: 930 FAQs | With Recommendations: 908 FAQs | With Errors: 22 FAQs | Excluded: 747 FAQs | Total: 1683 FAQs

AI and External Service Security

AI Application Development and Packaging

  • FAQ-000001 ✓ Has Recommendations - What are the security considerations and requirements when building, packaging, and reviewing applications that use AI features like Einstein Copilot?

Third-Party AI Libraries and Tools

  • FAQ-000008 ✓ Has Recommendations - How does using third-party AI libraries, tools, and machine learning models affect the security review process and what are the requirements for manag...

API Security Headers

Cookie Security

  • FAQ-000044 ✓ Has Recommendations - What are the requirements for cookie SameSite attributes in cross-site integrations?

Machine-to-Machine API Security

  • FAQ-000046 ✓ Has Recommendations - How should machine-to-machine API endpoints be configured to meet security review requirements, and why are security headers required even for APIs th...

Security Review and Compliance

  • FAQ-000047 ✓ Has Recommendations - Why are API endpoints flagged for missing security headers during security review, and do security headers need to be applied to all endpoints includi...

Uncategorized

  • FAQ-000048 ✓ Has Recommendations - Why are API security headers required even for machine-to-machine communications?

API Security Testing Access and Configuration

IP Restrictions and Allowlisting

  • FAQ-000049 ✓ Has Recommendations - How should I handle IP allowlist restrictions and grant security reviewers access to IP-restricted API endpoints?

Security Reviewer Access Provisioning

  • FAQ-000050 ✓ Has Recommendations - What are the recommended approaches for providing API access to security reviewers?

API Security Testing and Provider Issues

Third-Party API Security Requirements

  • FAQ-000058 ✓ Has Recommendations - Are security scans required for third-party APIs integrated in managed packages?

Third-Party Provider Concerns and Communication

  • FAQ-000060 ✓ Has Recommendations - What should I do when external services are concerned about security review testing?

API Security and Metadata Access

Automated Configuration and Remote Site Management

  • FAQ-000068 ✓ Has Recommendations - Is it permissible to create Remote Site Settings automatically using the Metadata API or programmatically from Apex?

Dynamic Code Generation and Deployment

  • FAQ-000069 ✓ Has Recommendations - What are the security requirements and restrictions for dynamically generating and deploying Apex code using the Metadata API in managed packages?

Elevated Permissions and Integration Patterns

  • FAQ-000070 ✓ Has Recommendations - Is it acceptable to use REST endpoints or resources with elevated permissions to allow non-admin users to perform metadata operations through integrat...

Metadata API Security and Permissions

  • FAQ-000071 ✓ Has Recommendations - What are the security requirements, best practices, and approved methods for using the Metadata API within managed packages?
  • FAQ-000072 ✓ Has Recommendations - What are the security implications of bypassing direct Metadata.Operations calls for non-admin users?

Security Review and Compliance

  • FAQ-000073 ✓ Has Recommendations - What documentation and best practices should be followed when applications rely on Tooling or Metadata APIs to ensure security review compliance?

Tooling API Security and Usage

  • FAQ-000074 ✓ Has Recommendations - What are the security considerations and best practices for using the Tooling API in managed packages, including with Lightning Web Components and dyn...

User Access Control and Authorization

  • FAQ-000075 ✓ Has Recommendations - What security measures are required for @AuraEnabled methods and what are the implications of exposing metadata creation functionality to package user...

API Security and Performance

External API Integration Issues

  • FAQ-000076 ✓ Has Recommendations - How can I address performance issues with external API integrations during security review?

API-Only Application Security Review

Application Classification

  • FAQ-000085 ✓ Has Recommendations - How do I determine if my solution qualifies as an "API-only app" for the security review submission?

Security Scan Requirements

  • FAQ-000088 ✓ Has Recommendations - What are the security scan requirements for API-only applications, including determining the correct scan type and requirements for applications witho...

Access Control and Authorization Issues

Access Control Identification and Remediation

  • FAQ-000089 ✓ Has Recommendations - How do I identify and remediate access control vulnerabilities in managed package code?

AppExchange Security Compliance

  • FAQ-000090 ✓ Has Recommendations - How should permissions and access control be implemented for AppExchange security compliance?

Authorization Design Patterns

  • FAQ-000091 ✓ Has Recommendations - What are the recommended design patterns for implementing authorization and access control within an application?

Managed Package Access Control

  • FAQ-000092 ✓ Has Recommendations - What are the best practices for implementing access control in managed packages?

Missing Access Control Vulnerabilities

  • FAQ-000093 ✓ Has Recommendations - What does "Missing Access Control" vulnerability mean and how can it be mitigated?

Object-Level Access Controls

  • FAQ-000094 ✓ Has Recommendations - How should object-level access checks be implemented when recordId is passed from client-side components?

Access Control and Global Components

Alternatives to Global Access

  • FAQ-000095 ✓ Has Recommendations - What alternatives exist to using global access modifiers when business requirements or constraints prevent using protected or private visibility?

Balancing Security and Functionality

  • FAQ-000097 ✓ Has Recommendations - How do I balance security requirements with component accessibility needs and justify global access settings when necessary?

Cross-Namespace and Event Handling

  • FAQ-000098 ✓ Has Recommendations - How do I properly scope Lightning component access and implement event handling to avoid cross-namespace access control violations?

Uncategorized

  • FAQ-000103 ✓ Has Recommendations - How do I address security concerns about global access for Lightning applications?

Agentforce Integration Security

General Integration Security Practices

  • FAQ-000106 ✓ Has Recommendations - How should Agentforce integrations be handled from a security perspective?

Automated Security Scanning

Client-Side Code Vulnerability Scanning

  • FAQ-000116 ✓ Has Recommendations - How can I automatically scan my client-side code for common vulnerabilities?

Batch Processing Security

CRUD and FLS Enforcement

  • FAQ-000118 ✓ Has Recommendations - Are FLS checks required in batch job execute methods and how should they be implemented?
  • FAQ-000119 ✓ Has Recommendations - What is the correct syntax and implementation for isDeletable() checks in batch processing scenarios?
  • FAQ-000120 ✓ Has Recommendations - Under what circumstances is it acceptable for a batch Apex job to bypass CRUD/FLS checks?

Managed Package Considerations

  • FAQ-000121 ✓ Has Recommendations - What are the best practices for implementing batch jobs in managed packages that require elevated permissions?
  • FAQ-000122 ✓ Has Recommendations - What are the best practices for including a frequently running scheduled job in a managed package to avoid consuming excessive customer limits?

Performance and Best Practices

  • FAQ-000124 ✓ Has Recommendations - What is the best practice for handling DML and SOQL operations inside loops within a batch Apex context?

Sharing Context and Permissions

  • FAQ-000125 ✓ Has Recommendations - What are the best practices for managing sharing context in batch Apex classes to avoid security violations?
  • FAQ-000126 ✓ Has Recommendations - What is the correct approach for handling scheduled and batch classes that need elevated permissions or to run without sharing?
  • FAQ-000127 ✓ Has Recommendations - Are batch Apex classes invoked from PostInstall classes allowed to use "without sharing"?
  • FAQ-000128 ✓ Has Recommendations - What is the recommended sharing model for Apex batch jobs that need to process records regardless of ownership or perform maintenance tasks?
  • FAQ-000129 ✓ Has Recommendations - When is it acceptable for batch processes to bypass user permissions for business logic requirements?

Test Context and Permission Handling

  • FAQ-000131 ✓ Has Recommendations - How can I resolve test failures caused by permission context switching in batch class execution?

WITH SECURITY_ENFORCED Implementation

  • FAQ-000132 ✓ Has Recommendations - How should WITH SECURITY_ENFORCED be properly implemented in batch classes that run in different user contexts?
  • FAQ-000133 ✓ Has Recommendations - How should I handle test class failures with WITH SECURITY_ENFORCED in batch jobs?

Browser Extension Security

Data Exposure and Shadow DOM

  • FAQ-000136 ✓ Has Recommendations - Will exposing data outside of a component's shadow DOM to a browser extension pass the security review?

CRUD/FLS Bypass Justification and System Objects

Custom Settings and System Objects Exceptions

  • FAQ-000148 ✓ Has Recommendations - When is it acceptable to bypass CRUD/FLS checks on Custom Settings and system objects like PushTopic?

Generic sObject and Dynamic SOQL Challenges

  • FAQ-000149 ✓ Has Recommendations - What are the alternatives when proper CRUD checks cannot be implemented due to generic sObject usage?

Intentional System Context Bypass Scenarios

  • FAQ-000150 ✓ Has Recommendations - In which scenarios is it acceptable to intentionally bypass FLS checks and operate in a system context?

Non-Admin User Access Requirements

  • FAQ-000151 ✓ Has Recommendations - How do I handle CRUD/FLS requirements for objects that non-admin users need to access for application functionality?

CSRF and DML Security Issues

CSRF Token Implementation and Validation

  • FAQ-000156 ✓ Has Recommendations - Are CSRF tokens required for external API servers that only receive GET requests from Salesforce applications?
  • FAQ-000157 ✓ Has Recommendations - What are the proper CSRF protection mechanisms and requirements beyond custom headers?
  • FAQ-000160 ✓ Has Recommendations - Is CSRF protection required for Apex callouts to external APIs, especially for GET requests?
  • FAQ-000161 ✓ Has Recommendations - How should CSRF tokens be properly implemented and validated in Salesforce managed packages?
  • FAQ-000163 ✓ Has Recommendations - Should I implement confirmation dialogs to mitigate CSRF security risks?
  • FAQ-000164 ✓ Has Recommendations - How do I address Anti-CSRF token issues identified by Chimera scanner?

DML Operations on Component Load

  • FAQ-000167 ✓ Has Recommendations - Does the platform's built-in CSRF protection apply to all pages and endpoints, or are there cases where I need custom protection?
  • FAQ-000168 ✓ Has Recommendations - What is the recommended way to perform a DML operation on component load without introducing a CSRF risk?
  • FAQ-000169 ✓ Has Recommendations - When is DML on page load considered a CSRF vulnerability versus acceptable functionality?
  • FAQ-000170 ✓ Has Recommendations - How can I design a quick action that performs an action immediately on load without being vulnerable to CSRF?
  • FAQ-000171 ✓ Has Recommendations - Why are DML operations on component load considered a CSRF vulnerability?
  • FAQ-000172 ✓ Has Recommendations - How can developers address CSRF vulnerabilities in quick action components that require immediate DML operations?
  • FAQ-000173 ✓ Has Recommendations - Can Visualforce pages with CSRF protection enabled perform DML operations on page load?
  • FAQ-000174 ✓ Has Recommendations - Are there any exceptions to the rule against performing DML operations on component load?
  • FAQ-000175 ✓ Has Recommendations - Do OAuth implementations provide sufficient security to address CSRF vulnerability concerns for DML operations during component load?
  • FAQ-000176 ✓ Has Recommendations - How can I perform necessary DML operations during component load while meeting security requirements?
  • FAQ-000177 ✓ Has Recommendations - Is it considered a CSRF vulnerability to perform a DML operation on page load for analytics or user tracking purposes?
  • FAQ-000178 ✓ Has Recommendations - How can I perform a required setup action automatically when a component loads without introducing a CSRF vulnerability?
  • FAQ-000179 ✓ Has Recommendations - Are DML operations in component initialization functions considered CSRF vulnerabilities?
  • FAQ-000180 ✓ Has Recommendations - How can I address CSRF issues when DML operations during component initialization are essential for functionality?
  • FAQ-000181 ✓ Has Recommendations - When is it acceptable to perform DML operations during component initialization for admin-level configuration checks?
  • FAQ-000182 ✓ Has Recommendations - What are alternatives to automatic DML operations during component load that don't require direct user interaction?
  • FAQ-000183 ✓ Has Recommendations - How can I implement automatic metadata synchronization without triggering CSRF violations?
  • FAQ-000184 ✓ Has Recommendations - How can I determine if methods called on page load will trigger CSRF violation flags during security review?
  • FAQ-000185 ✓ Has Recommendations - If a DML operation is performed on page load, is adding an intermediate confirmation page a sufficient fix for a CSRF vulnerability?
  • FAQ-000186 ✓ Has Recommendations - How can CSRF issues be resolved when DML operations occur automatically during component initialization?
  • FAQ-000187 ✓ Has Recommendations - Are there exceptions for performing DML on load for one-time configuration or admin-level checks?
  • FAQ-000188 ✓ Has Recommendations - How should CSRF vulnerabilities be addressed when components create default records automatically?
  • FAQ-000189 ✓ Has Recommendations - Is performing a DML operation on component load always considered a CSRF vulnerability?
  • FAQ-000190 ✓ Has Recommendations - What are the common causes for a 'doInit DML operation' to be flagged as a CSRF vulnerability?
  • FAQ-000191 ✓ Has Recommendations - Can a DML operation that only creates new, empty records on page load be considered a false positive for a CSRF vulnerability?
  • FAQ-000192 ✓ Has Recommendations - How can I prevent CSRF vulnerabilities when performing DML operations in component lifecycle methods like connectedCallback?
  • FAQ-000193 ✓ Has Recommendations - Will an @AuraEnabled Apex method that performs a DML operation on page load be flagged as a CSRF vulnerability?
  • FAQ-000194 ✓ Has Recommendations - What constitutes a state-changing operation that would be vulnerable to CSRF on component load?
  • FAQ-000195 ✓ Has Recommendations - How can I prevent CSRF vulnerabilities on a Visualforce page that performs an action upon loading?
  • FAQ-000196 ✓ Has Recommendations - What is the recommended way to trigger a server-side action from a component without user interaction?
  • FAQ-000197 ✓ Has Recommendations - What are the acceptable alternatives to automatic DML execution during component initialization?
  • FAQ-000198 ✓ Has Recommendations - Is executing a SOQL query or an API callout in a Visualforce page's action method considered a state-changing operation that needs CSRF protection?
  • FAQ-000199 ✓ Has Recommendations - How can CSRF vulnerabilities in Lightning Web Components be properly addressed when DML operations are triggered from lifecycle hooks?

General CSRF Prevention and Best Practices

  • FAQ-000200 ✓ Has Recommendations - How do I address CSRF vulnerabilities in my application?
  • FAQ-000201 ✓ Has Recommendations - What design patterns can maintain good user experience while meeting CSRF protection requirements?
  • FAQ-000202 ✓ Has Recommendations - How can CSRF vulnerabilities be evaluated when no actual DML operations occur on component load?
  • FAQ-000203 ✓ Has Recommendations - I fixed a CSRF vulnerability by replacing an automatic action on load with a user-initiated button, but this negatively impacted UX. Are there other s...
  • FAQ-000204 ✓ Has Recommendations - What are the best practices for preventing cross-site request forgery attacks in Salesforce integrations?
  • FAQ-000205 ✓ Has Recommendations - How should I address CSRF vulnerability findings in security reviews?
  • FAQ-000206 ✓ Has Recommendations - How should I implement CSRF protection for my application's custom pages?
  • FAQ-000207 ✓ Has Recommendations - How can I properly implement CSRF protection when standard solutions don't work for all use cases?
  • FAQ-000208 ✓ Has Recommendations - What are the security implications of logging errors in methods that could be triggered by CSRF attacks?
  • FAQ-000209 ✓ Has Recommendations - How should I implement error logging to avoid CSRF vulnerabilities in automatically executed code?
  • FAQ-000210 ✓ Has Recommendations - Can server-side logic and user permission validation justify CSRF-related security findings?
  • FAQ-000211 ✓ Has Recommendations - What are the complete range of solutions for addressing CSRF issues?
  • FAQ-000212 ✓ Has Recommendations - What are the key elements of a CSRF attack that I should be looking for in my code?
  • FAQ-000213 ✓ Has Recommendations - What are the security requirements for pages that perform automatic API authentication?
  • FAQ-000214 ✓ Has Recommendations - What are the common causes of Cross-Site Request Forgery (CSRF) vulnerabilities in applications?
  • FAQ-000215 ✓ Has Recommendations - What are the correct methods for implementing CSRF protection across different Salesforce contexts?

Lightning Components CSRF Issues

  • FAQ-000216 ✓ Has Recommendations - How should I handle CSRF vulnerabilities in Lightning Web Components?
  • FAQ-000218 ✓ Has Recommendations - What are the accepted methods for mitigating a CSRF vulnerability in a Lightning Web Component?

Managed Package CSRF Considerations

  • FAQ-000219 ✓ Has Recommendations - How should CSRF vulnerabilities be properly addressed in managed packages?
  • FAQ-000220 ✓ Has Recommendations - What are the most common causes of CSRF violations in managed packages?
  • FAQ-000221 ✓ Has Recommendations - How can I balance user experience requirements with CSRF prevention in component design?
  • FAQ-000222 ✓ Has Recommendations - How can I properly implement CSRF protection in custom form wizards within managed packages?
  • FAQ-000223 ✓ Has Recommendations - What are the recommended approaches to prevent CSRF vulnerabilities in managed packages?

Platform CSRF Protection

  • FAQ-000224 ✓ Has Recommendations - How does the platform handle XSRF protection, and when do I need additional measures?
  • FAQ-000225 ✓ Has Recommendations - Can platform-wide CSRF issues be addressed with targeted fixes for specific components?

Security Review and Documentation

  • FAQ-000226 ✓ Has Recommendations - Are CSRF (Cross-Site Request Forgery) vulnerabilities considered critical findings that must be fixed?
  • FAQ-000227 ✓ Has Recommendations - How do I properly document a false positive for a Cross-Site Request Forgery (CSRF) vulnerability?
  • FAQ-000228 ✓ Has Recommendations - How can I identify and fix CSRF issues that aren't clearly explained in security review reports?
  • FAQ-000229 ✓ Has Recommendations - When is it acceptable to perform a DML operation on page load, and how should I document this for security review?
  • FAQ-000230 ✓ Has Recommendations - How can I get more detailed feedback on a recurring CSRF vulnerability if the report lacks specifics?
  • FAQ-000231 ✓ Has Recommendations - My application requires a DML operation upon component load. How can I implement this securely and document it as a false positive for CSRF?
  • FAQ-000232 ✓ Has Recommendations - How can I verify that CSRF vulnerabilities have been properly addressed in my code?
  • FAQ-000233 ✓ Has Recommendations - Why would a CSRF vulnerability be flagged if my application's authentication is handled via OAuth?
  • FAQ-000234 ✓ Has Recommendations - How should I address and remediate CSRF vulnerability findings?
  • FAQ-000235 ✓ Has Recommendations - How can I resolve persistent CSRF vulnerabilities that aren't clearly explained in review reports?
  • FAQ-000236 ✓ Has Recommendations - How can I verify whether identified CSRF issues are true vulnerabilities and understand the recommended solutions?
  • FAQ-000237 ✓ Has Recommendations - My component was flagged for a CSRF vulnerability on load, but it does not perform any DML. How do I report this as a false positive?
  • FAQ-000238 ✓ Has Recommendations - My security scanner flagged a CSRF issue, but I have implemented a mitigation. How do I document this for the security review?
  • FAQ-000239 ✓ Has Recommendations - How can I identify and fix CSRF vulnerabilities that cause repeated security review failures?
  • FAQ-000241 ✓ Has Recommendations - Why would my page still be flagged for CSRF after removing the DML statement from the initial action?
  • FAQ-000242 ✓ Has Recommendations - How can I confirm that a potential vulnerability flagged by the scanner is a true positive for CSRF?
  • FAQ-000243 ✓ Has Recommendations - How can I verify that identified CSRF vulnerabilities are legitimate security concerns?

Specific CSRF Resolution Scenarios

  • FAQ-000244 ✓ Has Recommendations - How do I resolve violations related to DML operations triggered by page actions?
  • FAQ-000245 ✓ Has Recommendations - What are the common causes of Cross-Site Request Forgery (CSRF) vulnerabilities in Visualforce pages and Lightning components?
  • FAQ-000246 ✓ Has Recommendations - How do I resolve CSRF vulnerabilities related to DML operations that cause repeated security review failures?
  • FAQ-000247 ✓ Has Recommendations - How can I resolve CSRF vulnerabilities that persist after removing DML statements?
  • FAQ-000248 ✓ Has Recommendations - How can I address multiple security vulnerabilities including CRUD/FLS and CSRF issues?

Testing and Verification

  • FAQ-000249 ✓ Has Recommendations - What tools or reports can confirm CSRF protection implementation?
  • FAQ-000250 ✓ Has Recommendations - How do I reproduce and test for CSRF vulnerabilities in my application?
  • FAQ-000251 ✓ Has Recommendations - Are there specific tools or reports I can run to check for CSRF vulnerabilities?
  • FAQ-000252 ✓ Has Recommendations - What testing or scanning methods should I use to confirm CSRF protection is working correctly?

Uncategorized

  • FAQ-000253 ✓ Has Recommendations - How should developers handle CSRF token requirements for read-only API integrations?
  • FAQ-000254 ✓ Has Recommendations - Why is performing a DML operation on component initialization considered a CSRF vulnerability?
  • FAQ-000255 ✓ Has Recommendations - What are the common CSRF vulnerabilities that security reviews identify in AppExchange applications?

Visualforce CSRF Protection

  • FAQ-000256 ✓ Has Recommendations - How should I handle CSRF protection for detail page buttons and Lightning components?
  • FAQ-000257 ✓ Has Recommendations - What is the correct way to fix a CSRF vulnerability on a Visualforce page that performs a DML operation on load?
  • FAQ-000258 ✓ Has Recommendations - How can I protect a Visualforce page action from CSRF if using `confirmationTokenRequired="true"` is not a viable option?
  • FAQ-000259 ✓ Has Recommendations - Should all Visualforce pages have CSRF protection enabled regardless of DML operations?
  • FAQ-000260 ✓ Has Recommendations - What are the best practices for preventing Cross-Site Request Forgery (CSRF) on Visualforce pages?
  • FAQ-000261 ✓ Has Recommendations - What is the correct way to protect against CSRF when a Visualforce page is launched from both Lightning Components and classic buttons?
  • FAQ-000262 ✓ Has Recommendations - How can I properly resolve CSRF vulnerabilities in Visualforce pages and controllers?
  • FAQ-000263 ✓ Has Recommendations - What are the common causes of Cross-Site Request Forgery (CSRF) vulnerabilities in Visualforce pages?
  • FAQ-000264 ✓ Has Recommendations - How should CSRF protection be implemented across different invocation methods (inline VF, Lightning, detail buttons)?
  • FAQ-000265 ✓ Has Recommendations - What is the recommended way to protect Visualforce pages from Cross-Site Request Forgery (CSRF) attacks?
  • FAQ-000266 ✓ Has Recommendations - How do I properly resolve CSRF vulnerabilities in Visualforce controllers?

CSS and UI Security

CSS Exception and Justification Processes

  • FAQ-000267 ✓ Has Recommendations - What alternatives exist for UX issues typically solved with fixed positioning?
  • FAQ-000268 ✓ Has Recommendations - What documentation and justification is needed to request exceptions for components that break standard layout guidelines?
  • FAQ-000269 ⚠ Error - What are the recommended alternatives for applying global CSS styles in Aura components?

Clickjacking Vulnerabilities and CSS Positioning

  • FAQ-000270 ✓ Has Recommendations - What are clickjacking vulnerabilities in Lightning components and how do CSS positioning properties contribute to them?
  • FAQ-000271 ✓ Has Recommendations - How do I resolve clickjacking vulnerabilities in Salesforce applications and managed packages?
  • FAQ-000272 ✓ Has Recommendations - How can setting `isExposed` to true create clickjacking vulnerabilities and what are the mitigation strategies?
  • FAQ-000273 ✓ Has Recommendations - What are the recommended alternatives to absolute and fixed positioning that won't trigger clickjacking concerns?
  • FAQ-000274 ✓ Has Recommendations - When is absolute or fixed positioning acceptable and what are the security review criteria?
  • FAQ-000275 ✓ Has Recommendations - How do I address clickjacking vulnerabilities for non-visible, off-screen, or non-interactive UI elements?
  • FAQ-000276 ✓ Has Recommendations - How do I get specific details about clickjacking vulnerabilities and implement proper CSS positioning?
  • FAQ-000277 ✓ Has Recommendations - What are the security implications and risks of using position: absolute or position: fixed in CSS?
  • FAQ-000278 ✓ Has Recommendations - How can I implement copy-to-clipboard functionality and other essential UI features without triggering clickjacking concerns?
  • FAQ-000279 ✓ Has Recommendations - Does using position: absolute in globally accessible vs namespaced components carry different security risks?
  • FAQ-000280 ✓ Has Recommendations - What are acceptable workarounds and security-compliant alternatives for clickjacking issues caused by CSS positioning?

Dynamic CSS Styling Security

  • FAQ-000281 ✓ Has Recommendations - When is dynamic CSS styling through getters considered a security violation and why?
  • FAQ-000282 ✓ Has Recommendations - Are dynamic CSS styling hooks allowed in Lightning components during security review?
  • FAQ-000283 ✓ Has Recommendations - How should I handle dynamic styling without using platformResourceLoader or inline styles?
  • FAQ-000284 ✓ Has Recommendations - What is the secure way to apply dynamic styles to components based on properties or user input?
  • FAQ-000285 ✓ Has Recommendations - What is the secure alternative to dynamically adding or overriding CSS styles in LWC?

General CSS Security Best Practices

  • FAQ-000286 ⚠ Error - How can I securely manage component styling and resolve CSS-related security issues in my application?
  • FAQ-000287 ⚠ Error - What are common security vulnerabilities related to CSS and how can they be resolved?
  • FAQ-000288 ⚠ Error - What are the specific CSS-related security requirements and restrictions for managed packages?
  • FAQ-000289 ⚠ Error - What constitutes proper versus problematic CSS usage in security reviews?
  • FAQ-000290 ✓ Has Recommendations - How should I handle CSS vulnerabilities flagged during security review?
  • FAQ-000291 ✓ Has Recommendations - What are the security risks of using custom CSS in Lightning components and what are the alternatives?
  • FAQ-000292 ⚠ Error - How can I safely override CSS styles without creating security vulnerabilities?
  • FAQ-000293 ⚠ Error - What alternatives exist for styling Aura components without using style tags and when should styles be moved to separate files?
  • FAQ-000295 ✓ Has Recommendations - How can I justify not using a static resource for CSS and what are the potential security risks?
  • FAQ-000296 ⚠ Error - What constitutes proper CSS implementation to avoid security review failures?

Improper CSS Loading Vulnerabilities

  • FAQ-000297 ⚠ Error - What constitutes proper CSS loading in Lightning components and what is the difference between using <link> tags and <ltng:require>?
  • FAQ-000298 ✓ Has Recommendations - How should CSS files be properly loaded in Lightning applications to pass security review?
  • FAQ-000299 ⚠ Error - What are "Improper CSS Load" vulnerabilities and how do I fix them?
  • FAQ-000300 ✓ Has Recommendations - What are the approved alternatives to dynamic styling that don't trigger "Improper Script Load" violations?
  • FAQ-000301 ✓ Has Recommendations - What are the best practices for loading scripts in Lightning to prevent security issues?
  • FAQ-000302 ⚠ Error - What is the correct way to load CSS in Aura and Lightning Web Components to avoid security vulnerabilities?
  • FAQ-000303 ✓ Has Recommendations - What does "CSS Outside Component" vulnerability mean and how do I fix it?
  • FAQ-000304 ✓ Has Recommendations - How do I ensure custom style loading fixes will be accepted in subsequent reviews?
  • FAQ-000305 ✓ Has Recommendations - How do I resolve "JS in Salesforce DOM" and "Lightning: Improper Script Load" issues?
  • FAQ-000306 ⚠ Error - What is the difference between loading CSS with `<link>`, `<ltng:require>`, and inline styles in terms of security?
  • FAQ-000307 ⚠ Error - What is the proper way to include external CSS in Visualforce pages to pass security review?
  • FAQ-000308 ⚠ Error - How can CSS files cause security review failures and what constitutes an "Improper CSS load Vulnerability"?

Inline CSS Security Issues

  • FAQ-000309 ✓ Has Recommendations - Are there exceptions to the rule against inline styles for specific components like email templates?
  • FAQ-000310 ✓ Has Recommendations - How can I justify the use of inline CSS if it is flagged as a security issue?
  • FAQ-000311 ✓ Has Recommendations - What are the approved alternatives to inline styles for dynamic styling in managed packages?
  • FAQ-000312 ✓ Has Recommendations - Why did my package fail for using inline CSS and what are the recommended alternatives?
  • FAQ-000313 ✓ Has Recommendations - When should styles be moved to static resources versus being inline in components?
  • FAQ-000314 ✓ Has Recommendations - Is the use of inline CSS always prohibited and when is it acceptable in components?
  • FAQ-000315 ✓ Has Recommendations - When is the use of .THIS completely prohibited in component styling?
  • FAQ-000316 ✓ Has Recommendations - What are the alternatives when inline CSS is necessary for functionality?
  • FAQ-000317 ✓ Has Recommendations - What are the security review requirements for inline styles in Aura components?
  • FAQ-000318 ✓ Has Recommendations - Why is using the `<aura:html tag="style">` tag for CSS considered a security risk?
  • FAQ-000319 ✓ Has Recommendations - What constitutes acceptable versus problematic inline CSS usage in managed packages?

Uncategorized

  • FAQ-000320 ✓ Has Recommendations - When did inline CSS usage become a security concern in managed packages?
  • FAQ-000321 ✓ Has Recommendations - What are the specific clickjacking prevention requirements for Lightning Web Components?
  • FAQ-000322 ✓ Has Recommendations - How can I implement fixed positioning components that comply with security requirements?

CSV Injection Prevention

Prevention in Data Export Features

  • FAQ-000323 ✓ Has Recommendations - How do I prevent CSV Injection vulnerabilities in my application's data export features?

CTI Integration Security

CTI Security Review Requirements

  • FAQ-000326 ✓ Has Recommendations - What are the security review requirements for CTI integrations and their technology stacks?

Cloud Storage Security

S3 Access Control and Authorization

  • FAQ-000345 ✓ Has Recommendations - How can unauthorized access to S3 objects be properly secured and addressed?

Code Quality vs Security Vulnerabilities

Code Quality vs Security Review Requirements

  • FAQ-000346 ✓ Has Recommendations - Are code quality issues required to be fixed for security review approval, and what resources are available for understanding and resolving them?

Code Structure and Best Practices

  • FAQ-000347 ✓ Has Recommendations - How should I structure DML operations to avoid "DML inside loop" violations when using lists?

Customer Impact and Breaking Changes

  • FAQ-000350 ✓ Has Recommendations - What should I do if fixing a security vulnerability would introduce a breaking change for my existing customers?
  • FAQ-000351 ✓ Has Recommendations - How can developers address minor security issues while maintaining package approval status?

Generated and Third-Party Code Responsibility

  • FAQ-000354 ✓ Has Recommendations - Am I responsible for fixing security issues that are not part of my custom code?

Specific Security Recommendations and Requirements

  • FAQ-000355 ✓ Has Recommendations - If the code analyzer suggests using Named Credentials, is this a mandatory requirement to pass the security review?

Static Analysis Tool Issues and Fixes

  • FAQ-000356 ✓ Has Recommendations - What are the most common issues flagged by static analysis tools and how are they typically fixed?
  • FAQ-000357 ✓ Has Recommendations - Do code quality issues from static analysis tools need to be fixed for security review, and are they treated as security concerns?
  • FAQ-000358 ✓ Has Recommendations - How can I resolve false positives from scanners, such as multiple triggers on the same sObject when I only have one per object?
  • FAQ-000359 ✓ Has Recommendations - What severity level of findings from the Apex code analyzer is considered acceptable for security review?

Uncategorized

  • FAQ-000360 ✓ Has Recommendations - How do I address a vulnerability in a managed component that cannot be deleted?

Unused and Obsolete Code Management

  • FAQ-000361 ✓ Has Recommendations - How should I handle security issues in helper methods that aren't actually used?
  • FAQ-000363 ✓ Has Recommendations - How does the security review process handle unused or unreachable code that contains vulnerabilities?
  • FAQ-000364 ✓ Has Recommendations - Will including unused or obsolete code in my package affect the security review?
  • FAQ-000366 ✓ Has Recommendations - How do unused code samples in packages affect security review outcomes?
  • FAQ-000367 ✓ Has Recommendations - What constitutes "sample code in production" and how should it be addressed?
  • FAQ-000368 ✓ Has Recommendations - Is it acceptable to comment out incomplete code in production packages or must it be completely removed?

Code Removal and Vulnerability Persistence

Code Cleanup Standards

  • FAQ-000369 ✓ Has Recommendations - Is it acceptable to have commented-out code or unused objects and fields in a package submitted for review?

Complete Code Removal

  • FAQ-000370 ✓ Has Recommendations - What should I do when test classes prevent complete removal of flagged features?
  • FAQ-000371 ✓ Has Recommendations - Am I allowed to remove files and components from a managed package that contain security vulnerabilities?
  • FAQ-000372 ✓ Has Recommendations - How can I completely remove functionality flagged in security review?
  • FAQ-000373 ✓ Has Recommendations - What's the proper way to address security issues in unused or legacy code?

Scan Report Discrepancies

  • FAQ-000375 ✓ Has Recommendations - What should I do when security review reports or scan results reference outdated code or don't reflect recent changes and fixes?
  • FAQ-000376 ✓ Has Recommendations - What should be done when security review feedback indicates resolved issues are still present or vulnerabilities are flagged again after fixes?
  • FAQ-000377 ✓ Has Recommendations - What should I do if I believe I have already implemented a fix but the issue is still being flagged, or if my package failed for issues I've already a...
  • FAQ-000378 ✓ Has Recommendations - Why might security scan reports continue to show errors even after issues have been fixed, and what should I do when code analyzer continues to flag r...

Sensitive Data Removal

  • FAQ-000379 ✓ Has Recommendations - How do I ensure complete removal of sensitive data storage violations and references?

Verification of Fixes

  • FAQ-000380 ✓ Has Recommendations - How can I satisfy security review requirements and demonstrate that problematic functionality has been fully eliminated?

Common Security Vulnerability Resolution

AppExchange Security Review Failures

  • FAQ-000382 ✓ Has Recommendations - What are the most common reasons and security issues that cause applications to fail the AppExchange Security Review?

Network Security Configuration

  • FAQ-000383 ✓ Has Recommendations - How do I resolve insecure software version and TLS/SSL configuration issues?

Vulnerability Remediation Process

  • FAQ-000384 ✓ Has Recommendations - What specific steps are needed to fix common security vulnerabilities?

Community and Experience Cloud Security

Apex and Trigger Security

  • FAQ-000385 ✓ Has Recommendations - What are the specific security considerations for Apex triggers that run in a community or experience cloud context?

Component and Application Security

  • FAQ-000388 ✓ Has Recommendations - What are the key security considerations and steps required when building components and applications for Experience Cloud sites?
  • FAQ-000389 ✓ Has Recommendations - What are the key data security guidelines for Salesforce Sites implementations?

Data Access and Record Security

  • FAQ-000391 ✓ Has Recommendations - How can I securely manage record access for community users when the org-wide default is private?
  • FAQ-000392 ✓ Has Recommendations - How can a community guest user securely query data that they normally do not have access to?
  • FAQ-000393 ✓ Has Recommendations - What are the recommended approaches for handling object accessibility checks in Experience Cloud sites?
  • FAQ-000394 ✓ Has Recommendations - What are the recommended patterns for handling record access in Experience Cloud sites that pass security review?
  • FAQ-000395 ✓ Has Recommendations - What are the security best practices for granting community or portal users access to records in a managed package?
  • FAQ-000396 ✓ Has Recommendations - What security considerations apply to programmatic access control for guest users?

Data Encryption and Sensitive Information

  • FAQ-000397 ✓ Has Recommendations - How should I manage sensitive data that is displayed or processed within an Experience Cloud site?
  • FAQ-000398 ✓ Has Recommendations - How should AES keys be handled in Experience Cloud solutions?
  • FAQ-000399 ✓ Has Recommendations - What are the key security and encryption guidelines for applications that expose data in public sites or communities?
  • FAQ-000400 ✓ Has Recommendations - How should sensitive data be encrypted in community-enabled applications?

Guest User Security

  • FAQ-000403 ✓ Has Recommendations - What are the security best practices for providing guest users with controlled access to records and handling their permissions and limitations in Exp...

Security Review and Compliance

  • FAQ-000405 ✓ Has Recommendations - How should community-developed applications handle security review requirements?

User Permissions and Profile Management

  • FAQ-000406 ✓ Has Recommendations - How should I manage user permissions when community profiles have limited object access?

Complex Architecture and Multi-Platform Security Review

Composite Application Security Review Preparation

  • FAQ-000407 ✓ Has Recommendations - How should composite applications with external integrations be prepared for security review?

Documentation Requirements for Complex Architectures

  • FAQ-000408 ✓ Has Recommendations - What documentation is required for complex architectural setups including middleware, third-party connectors, and integration platforms?

Multi-Platform Security Review Process

  • FAQ-000409 ✓ Has Recommendations - How does the security review process apply to solutions with complex architecture involving multiple external platforms and third-party connectors?

Security Considerations for External Integrations

  • FAQ-000410 ✓ Has Recommendations - What are the security considerations and review process for applications that integrate with external services and API connectors?

Component Communication and Data Sharing Security

Browser Storage Security

  • FAQ-000411 ✓ Has Recommendations - What are the security implications of using browser localStorage in managed package components?

Component Extensibility and Validation

  • FAQ-000412 ✓ Has Recommendations - How can I provide extensibility points for custom validation and UI logic without creating security risks?

Cross-Platform Component Communication

  • FAQ-000413 ✓ Has Recommendations - How can I securely communicate between LWCs and Visualforce pages?
  • FAQ-000414 ✓ Has Recommendations - How can I securely pass data between a Canvas App and a Lightning component?

Data Passing and Input Security

  • FAQ-000415 ✓ Has Recommendations - Under what circumstances is data passed between components considered a security risk?
  • FAQ-000416 ✓ Has Recommendations - How are parameters passed through component APIs considered user-controllable input for security purposes?

Managed Package Communication Security

  • FAQ-000418 ✓ Has Recommendations - Why might localStorage functionality work in development environments but fail in namespaced managed packages?
  • FAQ-000419 ✓ Has Recommendations - What is the recommended secure method for communication between managed and unmanaged components?
  • FAQ-000420 ✓ Has Recommendations - What is the secure way to allow communication between a managed package component and a customer's custom component?
  • FAQ-000421 ✓ Has Recommendations - What are the security implications of allowing custom components to communicate with managed package components?

Component Lifecycle Security

Aura Component Initialization Security

  • FAQ-000423 ✓ Has Recommendations - What are the alternatives for performing necessary record insertion during Aura component initialization?

Component Deprecation and Global Class Management

  • FAQ-000424 ✓ Has Recommendations - What is the proper way to deprecate and manage vulnerable or unused global components and classes?

DML Operations on Component Load

  • FAQ-000425 ✓ Has Recommendations - What are the security risks and best practices for handling DML operations during component loading?

Lightning Web Component Lifecycle Security

  • FAQ-000426 ✓ Has Recommendations - How should DML operations be handled in Lightning Web Component lifecycle methods like connectedCallback?

User-Triggered DML Operations

  • FAQ-000427 ✓ Has Recommendations - What are the best practices for performing DML operations from a component when triggered by user actions?

Connected App Security

Credential Management

  • FAQ-000433 ✓ Has Recommendations - How should developers securely manage and store Connected App credentials (consumer key, consumer secret, client ID) in managed packages?

IP Restrictions and Access Control

  • FAQ-000434 ✓ Has Recommendations - What are the security implications of IP restrictions for Connected Apps and should they be configured?

Managed Package Integration

  • FAQ-000435 ✓ Has Recommendations - What are the best practices for packaging and managing Connected Apps within managed packages?

OAuth and Authentication Flows

  • FAQ-000436 ✓ Has Recommendations - What are the security best practices for implementing OAuth and authentication flows with Connected Apps?

Security Review and Compliance

  • FAQ-000437 ✓ Has Recommendations - How should Connected Apps be implemented to meet security review requirements and avoid vulnerabilities?

Third-Party Integration

  • FAQ-000438 ✓ Has Recommendations - What are the security best practices for implementing Connected Apps with third-party integrations using named credentials and CSP trusted sites?

Content Management Integration Security

Content Block Security Implementation

  • FAQ-000442 ✓ Has Recommendations - How do I implement secure content block integrations?

Content Security Policy and CSP

CSP Configuration and Best Practices

  • FAQ-000443 ✓ Has Recommendations - What are the best practices for configuring Content Security Policy (CSP) for applications?

CSP Security Review Requirements

  • FAQ-000445 ✓ Has Recommendations - Is Content Security Policy (CSP) mandatory for security review and when are CSP violations or 'unsafe-inline' acceptable?

CSP for Lightning Components

  • FAQ-000449 ✓ Has Recommendations - Where can I find detailed information about Content Security Policy (CSP) for Lightning components and what are the key requirements?

Cross-Domain Communication Security

General Cross-Domain Security Requirements

  • FAQ-000452 ✓ Has Recommendations - What are the security requirements for implementing a cross-domain communication solution using postMessage?

Custom Button and JavaScript Security

JavaScript Button Alternatives

  • FAQ-000455 ✓ Has Recommendations - What are the secure alternatives to using JavaScript in custom buttons, list view buttons, and detail page buttons?

JavaScript Security Best Practices

  • FAQ-000456 ✓ Has Recommendations - What are the security best practices and considerations when using JavaScript in custom buttons or when overriding standard buttons with custom compon...

JavaScript Vulnerability Prevention and DOM Security

  • FAQ-000457 ✓ Has Recommendations - How can I avoid JavaScript vulnerabilities in the Salesforce DOM, and what is considered the Salesforce DOM?

JavaScript Vulnerability Remediation

  • FAQ-000458 ✓ Has Recommendations - What is the correct way to remediate JavaScript vulnerabilities found in custom buttons, including handling security review failures and using static ...

Legacy JavaScript Button Management

  • FAQ-000459 ✓ Has Recommendations - What are the options for handling legacy JavaScript buttons, including their usage in Salesforce Classic and managed packages?

Custom Settings and Configuration Security

Alternative Storage Methods and Recommendations

  • FAQ-000460 ✓ Has Recommendations - What are the recommended secure alternatives to protected custom settings when they are not compatible with integration tools or architecture requirem...

Custom Metadata Security and Visibility Management

  • FAQ-000461 ✓ Has Recommendations - Can protected custom metadata be exposed through external integrations and what are the security considerations?
  • FAQ-000462 ✓ Has Recommendations - How can I change custom metadata type visibility from Public to Protected in released managed packages?
  • FAQ-000463 ✓ Has Recommendations - Why might protected custom metadata fields be considered insufficient for storing sensitive data during security review?
  • FAQ-000464 ✓ Has Recommendations - Why is a public Custom Metadata Type considered a potential 'Insecure Storage' vulnerability?

Duplicate Questions

  • FAQ-000466 ✓ Has Recommendations - Should I use Named Credentials instead of storing API tokens in custom settings?

Package Development and Managed Package Considerations

  • FAQ-000467 ✓ Has Recommendations - How can I include custom settings and metadata definitions in my managed package for storing customer-specific secrets?
  • FAQ-000469 ✓ Has Recommendations - Is it secure to allow subscribers to modify Custom Metadata Type records included in a managed package?
  • FAQ-000470 ✓ Has Recommendations - What are the approved methods for modifying custom metadata from within a managed package's component?
  • FAQ-000471 ✓ Has Recommendations - What is the secure and recommended way to programmatically create Remote Site Settings during package installation or setup?
  • FAQ-000472 ✓ Has Recommendations - How can I properly handle unused metadata that triggers 'Insecure Storage of Sensitive Data' violations?
  • FAQ-000473 ✓ Has Recommendations - How can I make custom metadata visible and editable in subscriber orgs after package installation?
  • FAQ-000474 ✓ Has Recommendations - What is the most secure method for storing sensitive, user-specific information within a managed package?

Post-Installation Configuration and Customer Setup

  • FAQ-000476 ✓ Has Recommendations - How should I securely store client credentials in custom metadata while maintaining admin configurability?
  • FAQ-000478 ✓ Has Recommendations - How should I securely store API keys and other credentials entered by a customer during initial setup?
  • FAQ-000480 ✓ Has Recommendations - What is the recommended approach for storing sensitive data that needs to be configured by the customer after installation?
  • FAQ-000481 ✓ Has Recommendations - How can I allow customers to configure my application's settings if they must be stored in a 'Protected' custom setting or metadata type?
  • FAQ-000482 ✓ Has Recommendations - What is the recommended approach when a security requirement, like using protected custom settings, conflicts with essential application functionality...
  • FAQ-000483 ✓ Has Recommendations - How should developers implement setup pages that allow users to update protected custom metadata securely?
  • FAQ-000484 ✓ Has Recommendations - What is the recommended approach for securely storing customer-provided credentials that are configured after installation?
  • FAQ-000485 ✓ Has Recommendations - How can I handle credential storage requirements when protected custom settings aren't suitable for the use case?
  • FAQ-000486 ✓ Has Recommendations - What is the secure, recommended way for a user to modify data stored in protected custom settings?
  • FAQ-000487 ✓ Has Recommendations - How can I allow users without admin permissions to modify specific custom metadata records securely?
  • FAQ-000488 ✓ Has Recommendations - How should I handle sensitive configuration data that needs to be accessible to org administrators but secure from regular users?
  • FAQ-000489 ✓ Has Recommendations - How can I balance data security with user functionality when custom metadata visibility is changed to protected?

Protected Custom Settings Security Requirements and Best Practices

  • FAQ-000490 ✓ Has Recommendations - Is using protected custom settings with post-install scripts a secure method for storing OAuth credentials and consumer secrets?
  • FAQ-000491 ✓ Has Recommendations - What are the security requirements for storing keys in Protected Custom Settings?
  • FAQ-000492 ✓ Has Recommendations - Can I use a post-install script to populate Protected Custom Settings with sensitive credentials?
  • FAQ-000493 ✓ Has Recommendations - How should protected custom metadata records be properly configured to avoid 'Insecure Storage of Sensitive Data' violations?
  • FAQ-000494 ✓ Has Recommendations - Should customer-provided API tokens be encrypted before storing in Protected Custom Settings?
  • FAQ-000495 ✓ Has Recommendations - What are the security implications of using protected custom settings with hardcoded values?
  • FAQ-000496 ✓ Has Recommendations - Is storing a default key or secret in a Protected Custom Setting a secure alternative to hardcoding it in Apex code?
  • FAQ-000497 ✓ Has Recommendations - Can Protected Custom Settings be used to store credentials that are entered by the end-user?
  • FAQ-000498 ✓ Has Recommendations - Are there additional security controls required when storing credentials in Protected Custom Settings?
  • FAQ-000499 ✓ Has Recommendations - Why would my application be flagged for 'Insecure Storage of Sensitive Data' even if I am using Protected Custom Settings?
  • FAQ-000500 ✓ Has Recommendations - What documentation is needed to prove that protected custom settings can't be queried by unauthorized users?

Protected Custom Settings vs Other Storage Methods

  • FAQ-000502 ✓ Has Recommendations - What is the difference between storing secrets in a protected custom setting versus an encrypted field on a regular custom setting?
  • FAQ-000503 ✓ Has Recommendations - What are the differences between restricted encrypted fields and Protected Custom Settings for sensitive data?
  • FAQ-000504 ✓ Has Recommendations - What is the difference between restricted/encrypted fields and Protected Custom Settings for API keys?
  • FAQ-000505 ✓ Has Recommendations - Why is using a Protected Custom Setting or Custom Metadata Type preferred over an encrypted field on a custom object for storing secrets?
  • FAQ-000506 ✓ Has Recommendations - Are Protected Custom Settings an acceptable alternative to Custom Metadata Types for storing sensitive values?
  • FAQ-000507 ✓ Has Recommendations - What is the difference in security posture between a protected custom setting and a protected custom metadata type?
  • FAQ-000508 ✓ Has Recommendations - What are the specific security differences between protected custom metadata and protected custom settings?
  • FAQ-000509 ✓ Has Recommendations - How do I choose between Platform Cache, encrypted custom objects, and protected custom settings?
  • FAQ-000510 ✓ Has Recommendations - What are the security trade-offs between using encrypted custom objects, protected custom settings, and platform cache for storing secrets?
  • FAQ-000511 ✓ Has Recommendations - What is the difference between storing sensitive data in protected custom objects versus protected custom metadata types?

Public Custom Settings and Metadata Security Concerns

  • FAQ-000512 ✓ Has Recommendations - What is the secure alternative to a Public Custom Setting when users need to modify the setting post-installation?
  • FAQ-000513 ✓ Has Recommendations - Is storing external API credentials in custom settings a security vulnerability?
  • FAQ-000514 ✓ Has Recommendations - Is storing bearer tokens in custom settings considered a security vulnerability?
  • FAQ-000515 ✓ Has Recommendations - Is it acceptable to store sensitive data like Client IDs and Secrets in Custom Metadata if only admins can access them?
  • FAQ-000516 ✓ Has Recommendations - Is it acceptable to store API keys in public Custom Metadata Types if they are set by the end-user in the subscriber org?
  • FAQ-000517 ✓ Has Recommendations - What is the secure, recommended alternative to storing secrets in public Custom Metadata Types?
  • FAQ-000518 ✓ Has Recommendations - What are the security implications of using public custom metadata for sensitive configuration?
  • FAQ-000519 ✓ Has Recommendations - Is it acceptable to store user-provided API keys in a public setting if the user needs to edit them?
  • FAQ-000520 ✓ Has Recommendations - Is it secure to store sensitive data in custom metadata types that subscribers can manipulate?
  • FAQ-000521 ✓ Has Recommendations - Why is storing credentials in Custom Metadata considered a vulnerability, and what are the recommended secure alternatives?
  • FAQ-000522 ✓ Has Recommendations - What constitutes acceptable justification for storing user credentials in Custom Metadata Types?
  • FAQ-000523 ✓ Has Recommendations - Is it acceptable to store user-provided API credentials in custom metadata with 'Any user with Customize App permission' access?
  • FAQ-000524 ✓ Has Recommendations - Is it acceptable to use protected custom metadata within namespaced packages to store SFTP secrets?
  • FAQ-000525 ✓ Has Recommendations - Can I store OAuth client credentials (client ID and client secret) in custom metadata that's only accessible to administrators?
  • FAQ-000526 ✓ Has Recommendations - Is storing credentials in a public Custom Metadata Type acceptable if access is controlled by a permission?
  • FAQ-000527 ✓ Has Recommendations - Is it secure to store API keys in a public Custom Setting?

Security Review and Compliance

  • FAQ-000528 ✓ Has Recommendations - How should I handle false positive claims about information disclosure in protected custom settings?
  • FAQ-000529 ✓ Has Recommendations - What are the best practices for bringing custom objects with sensitive data to protected status?
  • FAQ-000530 ✓ Has Recommendations - What constitutes adequate justification for custom fields flagged by name-based security rules?
  • FAQ-000531 ✓ Has Recommendations - What are the proper implementation approaches for secure metadata storage to meet security review requirements?
  • FAQ-000532 ✓ Has Recommendations - My report flags a protected custom setting field for insecure storage. Why is this considered a vulnerability?
  • FAQ-000533 ✓ Has Recommendations - What are the proper implementation patterns for secure metadata storage?
  • FAQ-000534 ✓ Has Recommendations - How can I demonstrate that custom metadata security controls are equivalent to standard Salesforce security?
  • FAQ-000535 ✓ Has Recommendations - How can I properly document custom metadata-based security controls for security review?
  • FAQ-000536 ✓ Has Recommendations - How do I resolve Data Flow Analysis scan errors that prevent successful security review submission?
  • FAQ-000537 ✓ Has Recommendations - How will custom access control logic in my code be evaluated during the security review?
  • FAQ-000538 ✓ Has Recommendations - How can I validate my approach for storing sensitive information in protected custom settings?
  • FAQ-000539 ✓ Has Recommendations - How can I properly handle unused custom metadata that's flagged for insecure storage of sensitive data?
  • FAQ-000540 ✓ Has Recommendations - My app uses custom metadata to manage security instead of profiles. How can I explain this custom security model to avoid being flagged for bypassing ...
  • FAQ-000541 ✓ Has Recommendations - How do I properly document that certain data storage is necessary for system functionality?

Specific Use Cases and Implementation Patterns

  • FAQ-000542 ✓ Has Recommendations - Is it secure to store customer-specific secrets in a protected custom object, as opposed to a custom setting or metadata type?
  • FAQ-000543 ✓ Has Recommendations - Are there restrictions on what data can be stored in a custom logging object?
  • FAQ-000544 ✓ Has Recommendations - What are the security requirements for credential management in custom settings during installation?
  • FAQ-000545 ✓ Has Recommendations - What are the security requirements for custom settings field validation?
  • FAQ-000546 ✓ Has Recommendations - How should I securely store third-party integration keys in custom metadata?
  • FAQ-000547 ✓ Has Recommendations - What is the proper approach for including custom settings definitions in package metadata?
  • FAQ-000548 ✓ Has Recommendations - How should developers migrate custom objects containing sensitive data to protected custom objects?
  • FAQ-000549 ✓ Has Recommendations - How should Platform Cache be used securely for storing API callout responses?
  • FAQ-000550 ✓ Has Recommendations - What are the security best practices for storing potentially sensitive data in Custom Metadata Types?
  • FAQ-000551 ✓ Has Recommendations - How should custom settings be used for secure token storage?
  • FAQ-000552 ✓ Has Recommendations - How can I securely perform DML operations on protected custom settings?
  • FAQ-000553 ✓ Has Recommendations - Is using a protected custom metadata type with user-editable fields a secure way to store customer-provided secrets?
  • FAQ-000554 ✓ Has Recommendations - Are there alternatives to editable custom metadata for storing customer-specific configuration?
  • FAQ-000555 ✓ Has Recommendations - Can I justify using Custom Settings for storing an access token if it needs to be programmatically updated?
  • FAQ-000556 ✓ Has Recommendations - Is making a custom object 'protected' sufficient for storing sensitive data, or are Protected Custom Metadata/Settings required?
  • FAQ-000557 ✓ Has Recommendations - What are the acceptable alternatives to protected custom settings for storing sensitive data in managed packages?

Technical Implementation and Code Security

  • FAQ-000558 ✓ Has Recommendations - What is the secure way to manage API keys in Custom Settings that need to be accessed by code running in system mode?
  • FAQ-000559 ✓ Has Recommendations - What should replace ESAPI for input validation and output encoding in modern Salesforce development?
  • FAQ-000560 ✓ Has Recommendations - What is the recommended secure method for automating metadata changes from Apex without user interaction?
  • FAQ-000561 ✓ Has Recommendations - How do I properly address CSRF vulnerabilities in Lightning Web Components?
  • FAQ-000562 ✓ Has Recommendations - How should I handle third-party JavaScript library vulnerabilities when newer versions break functionality?
  • FAQ-000563 ✓ Has Recommendations - How can I change the visibility of a Custom Setting from Public to Protected in a released managed package?
  • FAQ-000564 ✓ Has Recommendations - How do I safely remove deprecated JavaScript code from managed packages?

Uncategorized

  • FAQ-000565 ✓ Has Recommendations - What's the proper way to handle app secrets using Protected Custom Metadata Records?
  • FAQ-000566 ✓ Has Recommendations - What are the best practices for storing API credentials that need to be configured by a subscriber's administrator?
  • FAQ-000567 ✓ Has Recommendations - How can developers implement updatable sensitive data storage that works with post-installation scripts?
  • FAQ-000568 ✓ Has Recommendations - When should protected custom settings be used instead of encrypted custom object fields?
  • FAQ-000569 ✓ Has Recommendations - Is storing sensitive data in protected custom metadata records an acceptable security practice?

User Permissions and Access Control

  • FAQ-000570 ✓ Has Recommendations - How can I handle custom settings access when users don't have 'Customize Application' permission?
  • FAQ-000571 ✓ Has Recommendations - Do custom settings of list type require CRUD/FLS enforcement even when users lack access?
  • FAQ-000572 ✓ Has Recommendations - What permissions should subscribers have for custom metadata type operations?
  • FAQ-000573 ✓ Has Recommendations - What is the recommended approach for letting non-admin users perform specific administrative tasks?
  • FAQ-000574 ✓ Has Recommendations - What are the alternatives to requiring broad permissions for users to save configuration data?

Data Storage and Encryption Security

Data Classification and Handling

  • FAQ-000689 ✓ Has Recommendations - What are the requirements and best practices for encrypting and handling customer data during extraction and transfer between Salesforce orgs?
  • FAQ-000690 ✓ Has Recommendations - Can access controls and data lifecycle policies be considered mitigating factors for insecure storage findings?
  • FAQ-000692 ✓ Has Recommendations - How can I balance application usability with strict security requirements for handling sensitive data?
  • FAQ-000693 ✓ Has Recommendations - What are considered insecure methods for storing sensitive data like API tokens?
  • FAQ-000695 ✓ Has Recommendations - Are non-secret identifiers like idempotency keys considered sensitive data that requires secure storage?
  • FAQ-000696 ✓ Has Recommendations - When is it acceptable to use a public custom object to store sensitive, encrypted data?
  • FAQ-000698 ✓ Has Recommendations - What constitutes proper justification for storing sensitive operational data?

Documentation and Compliance

  • FAQ-000699 ✓ Has Recommendations - How should I document my approach to storing sensitive data to prove it is secure and avoid false positive flags?

Encryption and Key Management

  • FAQ-000700 ✓ Has Recommendations - How should encryption keys be securely stored and managed within a package to avoid using hardcoded values?
  • FAQ-000701 ✓ Has Recommendations - Will using Salesforce Crypto class encryption help pass security review for API key storage?
  • FAQ-000702 ✓ Has Recommendations - How should I handle encryption for sensitive data stored in the database?
  • FAQ-000703 ✓ Has Recommendations - Are Text(Encrypted) fields sufficient for storing sensitive authorization keys?
  • FAQ-000704 ✓ Has Recommendations - How can I securely store encryption keys in post-install scripts when custom settings and metadata are not accessible?
  • FAQ-000705 ✓ Has Recommendations - Are there approved methods for encrypting long text area fields used for storing sensitive data?
  • FAQ-000706 ✓ Has Recommendations - What encryption approaches are recommended for large-scale user data?
  • FAQ-000707 ✓ Has Recommendations - What are the requirements for securely storing sensitive data and managing encryption keys to pass the Security Review?
  • FAQ-000709 ✓ Has Recommendations - Why are encrypted custom fields not recommended for storing sensitive authentication credentials?
  • FAQ-000710 ✓ Has Recommendations - Is it acceptable to encrypt and decrypt sensitive information using keys stored in protected custom metadata?
  • FAQ-000711 ✓ Has Recommendations - What's the proper way to encrypt and decrypt passwords for testing platforms?

Secure Storage Best Practices

  • FAQ-000712 ✓ Has Recommendations - How can I properly secure sensitive data storage in Salesforce applications?
  • FAQ-000713 ✓ Has Recommendations - What are the best practices for handling and storing sensitive data that is essential for my application's core functionality?
  • FAQ-000714 ✓ Has Recommendations - What are the best practices for secure storage of sensitive data in managed packages?
  • FAQ-000715 ✓ Has Recommendations - What are the recommended approaches for storing sensitive user information in managed packages?
  • FAQ-000716 ✓ Has Recommendations - What are the approved methods for securely storing sensitive data or secrets within a managed package?
  • FAQ-000717 ✓ Has Recommendations - What are the security requirements for storing sensitive data in managed packages?
  • FAQ-000718 ✓ Has Recommendations - What are the approved platform features for storing secrets and credentials?
  • FAQ-000719 ✓ Has Recommendations - What are acceptable alternatives for storing sensitive data in managed packages when platform-provided mechanisms aren't available?
  • FAQ-000720 ✓ Has Recommendations - What is the recommended secure storage solution for sensitive data that exceeds standard limits?
  • FAQ-000721 ✓ Has Recommendations - What is the secure way to store and mask credentials within a custom object?
  • FAQ-000722 ✓ Has Recommendations - What are the best practices for temporarily storing passwords, tokens, and credentials in managed packages?
  • FAQ-000723 ✓ Has Recommendations - How can I securely store credentials or other sensitive data within my application?
  • FAQ-000724 ✓ Has Recommendations - What is the recommended approach for securely storing sensitive data during customer migration periods?

Vulnerability Identification and Remediation

  • FAQ-000725 ✓ Has Recommendations - How do I properly address insecure storage of sensitive data vulnerabilities in managed packages?
  • FAQ-000727 ✓ Has Recommendations - What are the acceptable solutions for insecure storage of sensitive data in managed packages?
  • FAQ-000729 ✓ Has Recommendations - How can I fix a vulnerability related to "Insecure Storage of Sensitive Data"?
  • FAQ-000731 ✓ Has Recommendations - What are the options for resolving insecure storage vulnerabilities in patch releases versus new versions?
  • FAQ-000732 ⚠ Error - What constitutes insecure storage of sensitive data and how should it be remediated?
  • FAQ-000733 ✓ Has Recommendations - How should developers challenge false positive findings for insecure storage vulnerabilities?
  • FAQ-000734 ✓ Has Recommendations - How should I address "Insecure Storage of Sensitive Data Vulnerability" findings?
  • FAQ-000735 ✓ Has Recommendations - How can I resolve an "Insecure Storage of Sensitive Data" finding for a key stored as a static variable in Apex?
  • FAQ-000736 ✓ Has Recommendations - What are the most common insecure data storage issues and how can I avoid them?
  • FAQ-000737 ✓ Has Recommendations - What are the most common mistakes that lead to "Insecure Storage of Sensitive Data" vulnerabilities?
  • FAQ-000738 ✓ Has Recommendations - What are the common causes of an "Insecure Storage of Sensitive Data" vulnerability?
  • FAQ-000739 ✓ Has Recommendations - How can I address "Insecure Storage of Sensitive Data" and "Sensitive information in URL" vulnerabilities?
  • FAQ-000740 ✓ Has Recommendations - What is the difference between "Insecure Storage of Sensitive Data" and "Sensitive Information in URL" vulnerabilities?
  • FAQ-000741 ✓ Has Recommendations - How should developers address insecure storage of sensitive data findings in security reviews?

Data Synchronization Security

General Data Sync Security

  • FAQ-000743 ✓ Has Recommendations - What security considerations apply to data synchronization solutions?

Metadata Security for Sync

  • FAQ-000744 ✓ Has Recommendations - What are the security-compliant methods for retrieving field metadata for dynamic object synchronization?

Salesforce-to-Salesforce Sync Security

  • FAQ-000745 ✓ Has Recommendations - What are the primary security considerations for an application designed to sync data between Salesforce orgs?

Deprecated Component Security Assessment

Component Removal and Cleanup

  • FAQ-000746 ✓ Has Recommendations - What is the correct process for removing obsolete or unused components from a managed package so they are not included in security scans?
  • FAQ-000747 ✓ Has Recommendations - If a component is deprecated and no longer used in my package, must it be deleted to pass security review?

Deprecated Component Management

  • FAQ-000748 ✓ Has Recommendations - How should I handle security findings related to deprecated components that are still in my package?

Documentation and False Positive Handling

  • FAQ-000749 ✓ Has Recommendations - What documentation is needed to demonstrate that deprecated components don't pose actual security risks, and can I use false positive documentation fo...

Desktop Application Integration Security

JavaScript Bridge Security

  • FAQ-000752 ✓ Has Recommendations - My components interact with a desktop application via a JavaScript bridge. What security considerations should I highlight in my submission?

Development and Sample Code Security

Production Environment Sample Code Management

  • FAQ-000754 ✓ Has Recommendations - What are the available options for addressing sample code vulnerabilities in production environments?

Sample Code Impact on Security Review

  • FAQ-000755 ✓ Has Recommendations - How should development and sample code be managed to avoid security review issues and failures?

Sample Code Removal and Cleanup

  • FAQ-000756 ✓ Has Recommendations - What is the process for removing sample code or unused components from a managed package?

Sample Code Vulnerability Discussion and Reporting

  • FAQ-000757 ✓ Has Recommendations - How can I discuss, justify, or handle security findings related to sample, demonstration, or example code vulnerabilities?

Document Generation and Handling Security

Document Handling Security Concerns

  • FAQ-000759 ✓ Has Recommendations - What are the common security concerns related to generating and handling documents within an application?

Dynamic JavaScript Security

External System Integration Security

  • FAQ-000760 ✓ Has Recommendations - What are the security best practices for implementing dynamic JavaScript injection from external systems in Salesforce, including Visualforce pages?

Dynamic Remote Site Settings Security

Admin-Only Access and Permissions

  • FAQ-000761 ✓ Has Recommendations - Can exceptions be made for creating Remote Site Settings if the functionality is restricted to System Administrators, and how should admin-only functi...

Security Implications and Risks

  • FAQ-000762 ✓ Has Recommendations - What are the security implications of using JavaScript and Visualforce pages to create remote site settings dynamically, and why is programmatically c...

E-commerce and Shipping Security

E-commerce Platform Integration Security

  • FAQ-000764 ✓ Has Recommendations - What security considerations are specific to e-commerce and shipping integration applications?

Email Security Vulnerabilities

Email Security Review and Remediation

  • FAQ-000770 ✓ Has Recommendations - How do I address email-related security vulnerabilities that cause repeated security review failures?

Error Handling and Logging Security

Error Message Security

  • FAQ-000773 ✓ Has Recommendations - What are the best practices for error message handling to avoid revealing sensitive system information?

Managed Package Error Handling

  • FAQ-000774 ✓ Has Recommendations - What are the security best practices for custom error handling and logging in managed packages?

External Authentication and Integration Security

API Integration Authentication

  • FAQ-000777 ✓ Has Recommendations - What are the security best practices for implementing external API authentication in applications and managed packages?

External Application Authentication Requirements

  • FAQ-000780 ✓ Has Recommendations - What are the approved authentication methods for external applications that need to access Salesforce data?

External Data and Service Security

  • FAQ-000781 ✓ Has Recommendations - What are the security implications of creating a centralized service for third-party API authentication?

External Content and Iframe Security

CORS and Cross-Domain Communication

  • FAQ-000784 ✓ Has Recommendations - How should developers handle CORS-related security findings for third-party JavaScript libraries?
  • FAQ-000785 ✓ Has Recommendations - What are the security implications of using JSONP for communication between Salesforce and external domains?

Dynamic Content and Document Systems

  • FAQ-000786 ✓ Has Recommendations - What are the approved methods for implementing dynamic content from external document systems?

External Content Rendering and Security

  • FAQ-000787 ⚠ Error - What are the security restrictions and guidelines for rendering external content in Salesforce?

External Links and Simple Components

  • FAQ-000788 ⚠ Error - What are the security review requirements for components containing external website links?

External Service Integration Security

  • FAQ-000789 ✓ Has Recommendations - What security considerations apply to external services consumed by Salesforce applications?
  • FAQ-000790 ✓ Has Recommendations - How can I report a potential false positive for an iframe-related vulnerability?

Iframe Authentication and Secure Data Passing

  • FAQ-000791 ✓ Has Recommendations - How can I implement authenticated iframes without passing sensitive data in URLs?

Iframe Permissions and Managed Package Policies

  • FAQ-000793 ✓ Has Recommendations - Are iframes loading external content permitted in managed packages and Visualforce pages?
  • FAQ-000795 ✓ Has Recommendations - Are iframe implementations generally acceptable in managed packages for AppExchange?

Iframe Sandboxing and Security Controls

  • FAQ-000796 ✓ Has Recommendations - When is iframe sandboxing required and are there exceptions for internal Salesforce pages?

Iframe Security Requirements and Best Practices

  • FAQ-000797 ✓ Has Recommendations - What are the security requirements and best practices for using iframes in Salesforce applications?

Security Review Testing and Documentation

  • FAQ-000799 ✓ Has Recommendations - What documentation is required for external resources and content embedding in security reviews?

TLS/SSL and Network Security

  • FAQ-000800 ✓ Has Recommendations - How should developers address TLS/SSL configuration issues in external endpoints?

Third-Party JavaScript and Static Resources

  • FAQ-000802 ✓ Has Recommendations - What are the requirements and exceptions for loading third-party JavaScript and front-end assets?

Third-Party Service Vulnerabilities

  • FAQ-000804 ✓ Has Recommendations - How should developers handle security vulnerabilities and issues in third-party services?

External JavaScript Library Approval

API Keys and Authentication

  • FAQ-000807 ✓ Has Recommendations - What are the security requirements for using third-party JavaScript libraries with API keys or authentication in Lightning components?

Customer Configuration and Settings

  • FAQ-000810 ✓ Has Recommendations - Is it acceptable to allow customers to override JavaScript sources through custom settings in managed packages?

General Requirements and Best Practices

  • FAQ-000814 ✓ Has Recommendations - What are the comprehensive requirements and best practices for including third-party JavaScript libraries in managed packages?

Lightning Locker Service Compatibility

  • FAQ-000815 ✓ Has Recommendations - How should I handle third-party JavaScript libraries that are not compatible with Lightning Locker Service?

Security Review Requirements

  • FAQ-000816 ✓ Has Recommendations - What are the comprehensive security review requirements for third-party JavaScript libraries in managed packages?

Visualforce-Specific Requirements

  • FAQ-000820 ✓ Has Recommendations - What are the security requirements and best practices for using JavaScript and third-party libraries in Visualforce pages?

External Platform Security

Documentation and Compliance

  • FAQ-000824 ✓ Has Recommendations - How can I provide evidence that an off-platform vulnerability has been remediated?
  • FAQ-000826 ✓ Has Recommendations - Can I address only Salesforce-related security issues while showing a remediation plan for web application components?
  • FAQ-000827 ✓ Has Recommendations - What documentation is typically required for external API integrations?

External Dependencies and Libraries

  • FAQ-000828 ✓ Has Recommendations - Can security issues in external dependencies cause my package to fail review?
  • FAQ-000829 ✓ Has Recommendations - How can I ensure all external dependencies and libraries used by my off-platform services are secure before submitting for review?
  • FAQ-000830 ✓ Has Recommendations - How do I address external dependencies that cause security review failures?
  • FAQ-000832 ✓ Has Recommendations - How do I resolve 'Insecure Software Version' and 'Open Redirect' vulnerabilities for applications with external dependencies?
  • FAQ-000833 ✓ Has Recommendations - Can security issues in external dependencies be excluded from my package's security review?
  • FAQ-000834 ✓ Has Recommendations - What is the support policy for third-party JavaScript frameworks like jQuery or AngularJS in the security review?
  • FAQ-000835 ✓ Has Recommendations - How should I address vulnerabilities like 'Insecure Software Version' or 'Open Redirect' that originate from a required third-party?

External Platform Hosting and AWS

  • FAQ-000836 ✓ Has Recommendations - What documentation is required for AWS integrations during security review?
  • FAQ-000837 ✓ Has Recommendations - What are the security review requirements for applications primarily hosted on an external platform?
  • FAQ-000838 ✓ Has Recommendations - How should developers prepare for manual security reviews when most of their code is hosted externally?
  • FAQ-000839 ✓ Has Recommendations - What are the security requirements for external websites or services that my managed package connects to?
  • FAQ-000840 ✓ Has Recommendations - What are the security review requirements for parts of my application hosted on an external platform like AWS?
  • FAQ-000841 ✓ Has Recommendations - What security requirements apply to Salesforce packages that integrate with AWS or other cloud services?
  • FAQ-000842 ✓ Has Recommendations - How should I prepare for security audits of hybrid Salesforce-cloud applications?
  • FAQ-000843 ✓ Has Recommendations - Can exceptions be made for TLS requirements when using AWS-managed URLs?
  • FAQ-000844 ✓ Has Recommendations - How does hosting application code on external platforms like AWS impact the AppExchange security review process?
  • FAQ-000845 ✓ Has Recommendations - What documentation is required for external endpoints hosted on platforms like AWS?

External System Responsibility and Control

  • FAQ-000846 ✓ Has Recommendations - Am I responsible for security issues found in external systems that my application integrates with?
  • FAQ-000847 ✓ Has Recommendations - How do I handle security requirements for third-party managed infrastructure?
  • FAQ-000848 ✓ Has Recommendations - How do I address security issues in external systems connected to my package?
  • FAQ-000849 ✓ Has Recommendations - How should I handle security issues reported by third-party vendors that involve standard Salesforce features?
  • FAQ-000850 ✓ Has Recommendations - What's the difference between package security issues and external site security issues?
  • FAQ-000851 ✓ Has Recommendations - How do I handle security issues that exist in third-party apps my package interacts with?
  • FAQ-000852 ✓ Has Recommendations - How can I address security issues in external systems that support my Salesforce app?

External Web Applications and SaaS

  • FAQ-000853 ✓ Has Recommendations - How do I address security alerts for external web applications that integrate with Salesforce?
  • FAQ-000854 ✓ Has Recommendations - How do I address security review failures caused by external SaaS platforms rather than the managed package?
  • FAQ-000855 ✓ Has Recommendations - How do I resolve security issues found on my company's SaaS site that integrates with my package?
  • FAQ-000856 ✓ Has Recommendations - A vulnerability was found on my external web server, not in the package itself. After fixing it, do I need to resubmit the package for review?
  • FAQ-000857 ✓ Has Recommendations - How can I address security issues in external web applications that are integrated with but not directly part of my Salesforce package?
  • FAQ-000858 ✓ Has Recommendations - Can I pass security review by fixing issues in the Salesforce part while having a documented plan to fix an external web application?
  • FAQ-000859 ✓ Has Recommendations - How should I implement security measures for web app integrations accessed through Salesforce?
  • FAQ-000860 ✓ Has Recommendations - How should subscriber orgs interact with external web applications securely?

Off-Platform and External Service Integration

  • FAQ-000861 ✓ Has Recommendations - What security requirements apply to off-platform components of my managed package?
  • FAQ-000862 ✓ Has Recommendations - What security requirements apply to applications that aren't directly embedded in Salesforce?
  • FAQ-000863 ✓ Has Recommendations - What are the security review requirements for an off-platform integration that uses the Salesforce APIs to push data into my package?
  • FAQ-000864 ✓ Has Recommendations - What are the security review guidelines for an application architecture that involves an external service accessing Salesforce metadata via OAuth?
  • FAQ-000865 ✓ Has Recommendations - What is the security review process for an off-platform application that connects to Salesforce via OAuth?

Package Separation and Management

  • FAQ-000866 ✓ Has Recommendations - How can I separate managed package security from external system security during review?
  • FAQ-000867 ✓ Has Recommendations - How should I handle JavaScript that is generated for use on an external website but is never executed within Salesforce?

Security Design and Architecture

  • FAQ-000868 ✓ Has Recommendations - How must I secure endpoints that my application makes callouts to?
  • FAQ-000869 ✓ Has Recommendations - How should I design external app integrations to ensure security review approval?
  • FAQ-000870 ✓ Has Recommendations - What security considerations apply to external system integrations?
  • FAQ-000871 ✓ Has Recommendations - How can I ensure my integration's design and data handling will pass the security review?
  • FAQ-000872 ✓ Has Recommendations - How can I implement secure external service integration without major architectural changes?
  • FAQ-000873 ✓ Has Recommendations - What is the recommended security architecture for a managed package that includes an external client application?
  • FAQ-000874 ✓ Has Recommendations - How should I handle dynamic endpoint generation for customer-specific integrations while maintaining security?
  • FAQ-000875 ✓ Has Recommendations - How can I ensure my application will pass security review when connecting to external platforms?

Security Scanning and Testing

  • FAQ-000876 ✓ Has Recommendations - What should I do if automated security scanners are unable to test my application's external endpoints?
  • FAQ-000877 ✓ Has Recommendations - Can I submit scan results from an alternative, industry-standard tool if the required scanners cannot be used?
  • FAQ-000878 ✓ Has Recommendations - What is the proper process for removing external integrations to avoid web application scan requirements?
  • FAQ-000879 ✓ Has Recommendations - How can I identify all external integrations in my package to remove them and waive the external scan requirement?
  • FAQ-000881 ✓ Has Recommendations - How should reverse proxy configurations and security scanning be handled for AppExchange applications?

TLS and Transportation Security

  • FAQ-000882 ✓ Has Recommendations - What are the common causes of TLS vulnerabilities within a managed package?
  • FAQ-000883 ✓ Has Recommendations - What security measures can protect against transportation layer attacks?
  • FAQ-000884 ✓ Has Recommendations - What triggers TLS/SSL security findings in managed package security reviews?

Third-Party API Integration Security

  • FAQ-000885 ✓ Has Recommendations - How are the security and authorization models of third-party partner integrations evaluated during the review?
  • FAQ-000886 ✓ Has Recommendations - How do I handle security review failures caused by third-party API configurations I cannot control?
  • FAQ-000887 ✓ Has Recommendations - How should I address OWASP Top 10 vulnerabilities found in an external API that my application uses?
  • FAQ-000888 ✓ Has Recommendations - How should I address a security finding that a third-party API my app integrates with supports outdated TLS versions?
  • FAQ-000889 ✓ Has Recommendations - What steps should I take when security issues are identified in third-party APIs that my managed package integrates with?
  • FAQ-000890 ✓ Has Recommendations - How should I proceed if the security review fails due to issues with a third-party API that I do not control?
  • FAQ-000891 ✓ Has Recommendations - What are the security review implications of creating managed package extensions with third-party API integrations?
  • FAQ-000892 ✓ Has Recommendations - How should I address security review failures related to third-party API integrations?
  • FAQ-000893 ✓ Has Recommendations - How can developers work with third-party API providers to address security vulnerabilities identified in external endpoints?
  • FAQ-000894 ✓ Has Recommendations - My application integrates with a third-party API that has a security flaw I cannot fix. How should I handle this for the security review?

Third-Party Service Evaluation

  • FAQ-000895 ✓ Has Recommendations - How are third-party services like captchas, which may have unminified source code or support weak TLS, evaluated during security review?
  • FAQ-000896 ✓ Has Recommendations - What considerations apply when applications involve third-party connectors and external hosting?

Uncategorized

  • FAQ-000897 ✓ Has Recommendations - What kind of documentation or scan results do I need to provide for my off-platform components?

Vulnerability Remediation and Specific Issues

  • FAQ-000899 ✓ Has Recommendations - How do I resolve 'Insecure Software Version' and 'Open Redirect' vulnerabilities in external integrations?

External Service OAuth Security Review

OAuth Scan Results and Complex Authentication

  • FAQ-000904 ✓ Has Recommendations - How can I provide web application scan results for an external API that requires OAuth or another complex authentication scheme?

OAuth Submission Process

  • FAQ-000905 ✓ Has Recommendations - How do I properly submit external services that use OAuth authentication for security review scanning?

External Service Security Testing

Authentication and Access Configuration

  • FAQ-000906 ✓ Has Recommendations - What are the recommended approaches for handling authentication tokens and credentials when external applications require authentication for security ...
  • FAQ-000907 ✓ Has Recommendations - How should I provide testing access for external systems that require physical devices or special environments for callouts?
  • FAQ-000908 ✓ Has Recommendations - How can I conduct a security scan on an external API endpoint that requires authentication I don't have access to?
  • FAQ-000909 ✓ Has Recommendations - What is the recommended approach for designing and configuring external authenticated API endpoints to pass security review scanning?
  • FAQ-000910 ✓ Has Recommendations - How should authenticated scans be configured for external web servers?

Environment and Infrastructure Considerations

  • FAQ-000911 ✓ Has Recommendations - How can security review clearance be obtained when only external server changes are needed?
  • FAQ-000913 ✓ Has Recommendations - Can I use a staging environment for security scanning instead of production, and what are the requirements?

Managed Package and External Service Integration

  • FAQ-000914 ✓ Has Recommendations - What are the requirements for security scanning external web applications and services that integrate with managed packages?
  • FAQ-000915 ✓ Has Recommendations - What is the step-by-step process for scanning third-party applications integrated with my managed package?
  • FAQ-000916 ✓ Has Recommendations - What are the requirements for security scanning an external web service that my managed package integrates with?

Scan Configuration and Setup

  • FAQ-000917 ✓ Has Recommendations - How should I provide the security review team access to scan my external web application and configure endpoints properly?
  • FAQ-000918 ✓ Has Recommendations - Can I limit security scans to specific URLs rather than crawling entire applications or domains?
  • FAQ-000919 ✓ Has Recommendations - What are the common reasons for a web application scanner being unable to verify ownership of a target site?
  • FAQ-000920 ✓ Has Recommendations - What is the proper way to document and include all external endpoints for security review?

Scan Report Issues and Requirements

  • FAQ-000922 ✓ Has Recommendations - What are the common reasons a security scan report for a non-Salesforce domain might be rejected and how should I handle missing external URLs?
  • FAQ-000923 ✓ Has Recommendations - How should developers document and present external security testing evidence to satisfy security review requirements?
  • FAQ-000924 ✓ Has Recommendations - What are the requirements for web application scan results when integrating with external domains?
  • FAQ-000925 ✓ Has Recommendations - What are the specific requirements for ZAP Scanner Reports for non-Salesforce domains?
  • FAQ-000926 ✓ Has Recommendations - How do I ensure all endpoints are correctly scanned and included in my security review submission?
  • FAQ-000927 ✓ Has Recommendations - How should I document the results of an external scan for the security review team?
  • FAQ-000928 ✓ Has Recommendations - How can I confirm that my submitted web app scan results meet all security review requirements?
  • FAQ-000929 ✓ Has Recommendations - What should I do if my external web application scan report includes a warning that the scan was incomplete?

Scanning Tool Alternatives and Workarounds

  • FAQ-000930 ✓ Has Recommendations - What alternatives exist when endpoints cannot be scanned through standard security tools or when standard tools cannot be used?
  • FAQ-000931 ✓ Has Recommendations - What documentation alternatives exist when direct system access isn't feasible for security testing?
  • FAQ-000933 ✓ Has Recommendations - What are the alternatives for endpoint scanning if the automated scanner cannot access my endpoints and uploading a verification token is not feasible...
  • FAQ-000934 ✓ Has Recommendations - If an automated security scanner cannot scan my external application, what are the accepted alternative tools and reports?

Scanning Tool Troubleshooting

  • FAQ-000936 ✓ Has Recommendations - What are common issues that prevent a web application scan from running successfully?
  • FAQ-000937 ✓ Has Recommendations - What should I do if the required web application vulnerability scanner fails to run against my external endpoints?
  • FAQ-000938 ✓ Has Recommendations - What are the common troubleshooting steps if the web vulnerability scanner fails to run on my external site?
  • FAQ-000939 ✓ Has Recommendations - What should I do if I am unable to run a security scan against a required third-party endpoint?

Specific Security Testing Requirements

  • FAQ-000941 ✓ Has Recommendations - What are the common security issues found in external web application scans?
  • FAQ-000942 ✓ Has Recommendations - Are security scans required for Salesforce-based APIs versus external website scans?
  • FAQ-000943 ✓ Has Recommendations - What is the role of a Burp Suite scan in the security review process?
  • FAQ-000944 ✓ Has Recommendations - What are the requirements for scanning external endpoints that integrate with Salesforce applications?
  • FAQ-000945 ✓ Has Recommendations - What security documentation and scan results are required for an external service endpoint that is a serverless function?

Third-Party API and Service Scanning

  • FAQ-000948 ✓ Has Recommendations - What documentation is required if I cannot perform an active security scan on a third-party API my app integrates with?
  • FAQ-000949 ✓ Has Recommendations - What is the policy on scanning third-party cloud service endpoints?
  • FAQ-000951 ✓ Has Recommendations - How should I proceed if running a required security scan would violate third-party terms of service?
  • FAQ-000952 ✓ Has Recommendations - Can third-party security assessment reports be substituted for required vulnerability scans?
  • FAQ-000953 ✓ Has Recommendations - How should third-party API security be handled when scans aren't available?
  • FAQ-000954 ✓ Has Recommendations - How do I handle third-party services that I don't own or control for security scanning?
  • FAQ-000955 ✓ Has Recommendations - Am I required to perform a DAST scan on a third-party API that my application integrates with?
  • FAQ-000956 ✓ Has Recommendations - What should I do when the security scanner is unable to scan third-party API endpoints or when I cannot upload verification tokens?
  • FAQ-000957 ✓ Has Recommendations - How can I obtain security scan results for third-party endpoints or domains that I integrate with but don't own?

Tool-Specific Guidance

  • FAQ-000958 ✓ Has Recommendations - What guidance is available for using OWASP ZAP for external endpoint security assessment and third-party domain scanning?
  • FAQ-000959 ✓ Has Recommendations - Where can I find instructions on how to run the required security scanner against my external API endpoints?

Uncategorized

  • FAQ-000960 ✓ Has Recommendations - What are the most common issues identified by Burp scans and their remediation approaches?
  • FAQ-000961 ✓ Has Recommendations - How do I provide web application scan results for my external endpoints?

Feature Flagging and Conditional Access Security

Client-Side License Validation

  • FAQ-001003 ✓ Has Recommendations - Can I control the visibility of objects and fields based on a license check purely on the client-side?

Secure Feature Flag Implementation

  • FAQ-001005 ✓ Has Recommendations - What is the secure way to implement feature flagging to control user access to different objects or components?

File Upload Security

Authentication and Authorization Challenges

  • FAQ-001006 ✓ Has Recommendations - How can I handle file upload limitations when moving from frontend to backend authentication?

File Upload Vulnerability Testing and Identification

  • FAQ-001009 ✓ Has Recommendations - What testing approaches can help identify, reproduce, and resolve file upload security issues and vulnerabilities?

General File Upload Security Implementation

  • FAQ-001010 ✓ Has Recommendations - What are the common security checks and implementation approaches required to prevent malicious file uploads and implement secure file upload function...

Managed Package File Upload Security

  • FAQ-001011 ✓ Has Recommendations - What is the proper way to handle user-generated content and user-uploaded static resources in managed packages?

Unrestricted File Upload Prevention

  • FAQ-001012 ✓ Has Recommendations - What constitutes "Unrestricted File Upload" and what security measures and restrictions should be implemented to prevent vulnerabilities?

Financial Services Security

Banking CRM Security

  • FAQ-001014 ✓ Has Recommendations - What are the key security considerations for banking and financial CRM applications on Salesforce?

Flow Security and System Mode

CRUD and FLS Compliance

  • FAQ-001015 ✓ Has Recommendations - How do I ensure CRUD/FLS compliance in Flows and related Apex code?

Custom Flow Actions Security

  • FAQ-001016 ✓ Has Recommendations - Can custom flow actions conditionally bypass FLS and sharing enforcement based on parent flow context?
  • FAQ-001017 ✓ Has Recommendations - What are the approved patterns for handling system context vs user context in flow actions?
  • FAQ-001018 ✓ Has Recommendations - How should Field-Level Security be handled in custom flow actions that run in different contexts?
  • FAQ-001019 ✓ Has Recommendations - What is the recommended security pattern for a custom flow action that needs to operate on data the running user may not have access to?

Experience Cloud Flow Security

  • FAQ-001020 ✓ Has Recommendations - How should flows running in system mode be handled in Experience Cloud contexts?
  • FAQ-001021 ✓ Has Recommendations - What is the correct security context (user vs. system mode) for Flows triggered by Experience Cloud guest users?

Flow Design Best Practices

  • FAQ-001022 ✓ Has Recommendations - What are the best practices for Flow design to avoid system mode security issues?
  • FAQ-001023 ✓ Has Recommendations - How can I properly configure flows to avoid "system without sharing" mode issues?

Flow vs Apex Security Models

  • FAQ-001024 ✓ Has Recommendations - How do security requirements for Apex classes compare to Flow security models?

System Context Authorization

  • FAQ-001025 ✓ Has Recommendations - When is it appropriate for a flow to run in system context, and how must this be handled to pass security review?

Guest User Security and Sharing

API and Integration Security

  • FAQ-001039 ✓ Has Recommendations - What are the security requirements and best practices for API endpoints and integrations involving guest users?

Application Design Patterns

  • FAQ-001041 ✓ Has Recommendations - What are the recommended design patterns for applications that require guest users to modify records while respecting platform restrictions?

CRUD and FLS Permissions

  • FAQ-001043 ✓ Has Recommendations - How should CRUD/FLS checks be properly implemented and handled for guest user operations, including when to bypass them and what alternatives exist?

Hybrid Application Security

Authentication and Data Transfer Security

  • FAQ-001052 ✓ Has Recommendations - How can I securely manage authentication and data transfer between my Salesforce package and an external application server?

Multi-Platform Security Considerations

  • FAQ-001054 ✓ Has Recommendations - What are the primary security considerations for a hybrid application with components on both Salesforce and an external platform?

Salesforce-Heroku Integration Security

  • FAQ-001055 ✓ Has Recommendations - What security considerations should I address for hybrid Salesforce-Heroku applications during development and distribution?

IDOR and Authorization Vulnerabilities

Authorization Vulnerability Understanding and Resolution

  • FAQ-001057 ✓ Has Recommendations - What does an Authorization Vulnerability refer to in a security review, and what steps should I take to understand and resolve it?

Industry-Specific Application Security

Insurance Industry Security

  • FAQ-001061 ✓ Has Recommendations - What security considerations are specific to insurance verification applications?

JWT and Token Security

JWT Authentication Flow Design

  • FAQ-001062 ✓ Has Recommendations - How should I design and implement a secure JWT authentication flow for my package that will pass the AppExchange Security Review?

JWT Documentation and Security Review

  • FAQ-001063 ✓ Has Recommendations - How should JWT tokens be documented and handled to avoid security review issues, and what are the differences between session tokens and functional JW...

JWT Key Management and Storage

  • FAQ-001065 ✓ Has Recommendations - What are the best practices for securely storing, managing, and rotating JWT private keys and secrets in managed packages?

Lead and Data Routing Security

Data Security and Sharing

  • FAQ-001067 ✓ Has Recommendations - How can I ensure proper data security and sharing in an automated lead routing application?

General Security Considerations

  • FAQ-001068 ✓ Has Recommendations - What are the common security considerations for an application that automates data routing and assignment?

Lightning Component Security Configuration

Component Exposure and Targets

  • FAQ-001080 ✓ Has Recommendations - What are the recommended targets to use when a Lightning component must be exposed?

IsExposed Metadata Configuration

  • FAQ-001081 ✓ Has Recommendations - When should Lightning Web Components have their isExposed metadata set to true or false for security compliance and what are the correct settings to p...

Secure Component Distribution

  • FAQ-001082 ✓ Has Recommendations - How can Lightning Web Components be made available to customers for use in custom pages while maintaining security compliance?

Security Risks and Vulnerabilities

  • FAQ-001083 ✓ Has Recommendations - What are the security risks associated with setting isExposed to true on a Lightning Web Component?

Lightning Component Security Implementation

Callback Security Implementation

  • FAQ-001085 ✓ Has Recommendations - How should developers properly implement $A.getCallback() to meet security requirements?

Component Styling Security

  • FAQ-001086 ✓ Has Recommendations - What are the approved alternatives for styling Lightning namespace components?

Lightning Component Sizing and Display Security

Quick Action Sizing Security

  • FAQ-001087 ✓ Has Recommendations - How can I manage Quick Action size in Aura components without causing security issues?

Lightning Container Component Security

General Security Considerations

  • FAQ-001088 ✓ Has Recommendations - What are the security considerations when using Lightning Container Components?

Lightning Message Channel Security

Alternative Communication Methods

  • FAQ-001092 ✓ Has Recommendations - What are secure alternatives to using exposed Lightning Message Service (LMS) channels for component communication?
  • FAQ-001093 ✓ Has Recommendations - What is the recommended migration path for customers who rely on exposed Lightning Message Channels that must now be made private?

Cross-Namespace and Cross-Component Communication

  • FAQ-001094 ✓ Has Recommendations - What is the recommended way for components in different namespaces to communicate securely?
  • FAQ-001095 ✓ Has Recommendations - How can developers safely enable component subscriptions while maintaining security compliance?

General Security and Protection

  • FAQ-001097 ✓ Has Recommendations - How should I properly configure Lightning Message Service (LMS) channels to avoid security vulnerabilities?

IsExposed Configuration and Requirements

  • FAQ-001098 ✓ Has Recommendations - When is it acceptable to set isExposed=true for Lightning Message Channels, and what are the requirements and risks?

Managed Package Deployment and Updates

  • FAQ-001099 ✓ Has Recommendations - How can I update Lightning Message Channel exposure settings in deployed managed packages?

Security Review and Compliance

  • FAQ-001100 ✓ Has Recommendations - What are the best practices for Lightning Message Service to pass security review and avoid failures?
  • FAQ-001101 ✓ Has Recommendations - Will using bubbles and composed flags in Lightning Web Components cause security review failures?
  • FAQ-001102 ✓ Has Recommendations - What are the specific review criteria for Lightning Component Bundle exposure settings?

Security Risks and Implications

  • FAQ-001103 ✓ Has Recommendations - What are the security implications and risks of exposing Lightning Message Channels?

Specific Use Cases and Justifications

  • FAQ-001104 ✓ Has Recommendations - Is it acceptable to set isExposed to true for Lightning Message Channels that don't expose sensitive information or for specific use cases?
  • FAQ-001105 ✓ Has Recommendations - How can I safely expose message channels between packages without failing security review?

Uncategorized

  • FAQ-001106 ✓ Has Recommendations - How should Lightning Message Channel exposure be configured in managed packages?

Lightning Web Component Event Security

Event Propagation Security

  • FAQ-001107 ✓ Has Recommendations - Are there acceptable use cases for using bubbles: true and composed: true in LWC events, and will this fail security review?

Lightning Web Components Manual DOM Security

Managed Package Restrictions

  • FAQ-001109 ✓ Has Recommendations - What are the restrictions and scope limitations for dynamic DOM manipulation in managed packages?

Security Review Standards

  • FAQ-001110 ✓ Has Recommendations - How do I ensure that manual DOM manipulation in LWC components meets security review standards?

Security Risks and Precautions

  • FAQ-001111 ✓ Has Recommendations - What are the security risks of using `lwc:dom="manual"` and what precautions must be taken?

Third-Party Library Integration

  • FAQ-001112 ✓ Has Recommendations - What are the requirements and considerations for using `lwc:dom="manual"` with third-party libraries like D3.js and charting frameworks?

Lightning Web Components Security Configuration

AppExchange Security Configuration

  • FAQ-001113 ✓ Has Recommendations - How should I set up the security configuration for a Lightning App intended for AppExchange review?

Lightning Web Components and JavaScript Security

Apex Integration and Server-Side Security

  • FAQ-001114 ✓ Has Recommendations - How do I address security concerns about @AuraEnabled methods being accessible to other users and securely pass dynamic data from Apex to JavaScript?

Asynchronous Code and Timing Functions

  • FAQ-001115 ✓ Has Recommendations - How should asynchronous operations like setTimeout be handled securely in Lightning components and LWC?
  • FAQ-001116 ✓ Has Recommendations - Are there security restrictions on using modern JavaScript features like async/await in Lightning components?

Aura to LWC Migration and Compatibility

  • FAQ-001117 ✓ Has Recommendations - Do Aura-specific security requirements and vulnerabilities apply to Lightning Web Components?
  • FAQ-001118 ✓ Has Recommendations - How do I address access control violations in Aura components and what are the equivalent security practices for LWC?
  • FAQ-001119 ✓ Has Recommendations - What security considerations apply when migrating from Aura to Lightning Web Runtime (LWR) framework?

Component Design and Security Compliance

  • FAQ-001121 ✓ Has Recommendations - How do I design LWC components that comply with security requirements while maintaining necessary UI functionality?
  • FAQ-001122 ✓ Has Recommendations - How should I handle security findings for LWCs that require Lightning Message Service with Application Scope?
  • FAQ-001123 ✓ Has Recommendations - How can I resolve JavaScript context and security issues in Salesforce applications?
  • FAQ-001124 ✓ Has Recommendations - What are security-approved methods for implementing CTI features like Click-to-Dial in Lightning Web Components?

DOM Manipulation and Injection Vulnerabilities

  • FAQ-001126 ✓ Has Recommendations - How can I safely construct URLs and handle URL manipulation in LWC without introducing Client DOM Code Injection vulnerabilities?
  • FAQ-001127 ✓ Has Recommendations - How can I prevent JavaScript DOM vulnerabilities in Salesforce applications?
  • FAQ-001128 ✓ Has Recommendations - What are the security risks associated with dynamically creating and injecting Lightning Web Components?

Data Sanitization and Escaping

  • FAQ-001129 ⚠ Error - How do I properly sanitize data for use with aura:unescapedHtml and handle escaping vulnerabilities in LWC?
  • FAQ-001130 ✓ Has Recommendations - How can I safely inject rich text content containing iframes into Lightning Web Components without triggering DOM injection violations?
  • FAQ-001131 ✓ Has Recommendations - Are inputs from LWC design attributes considered untrusted and what constitutes user-controlled input?

Inline JavaScript and Code Placement

  • FAQ-001132 ⚠ Error - What constitutes "inline JavaScript" that's prohibited in Lightning Web Components and how can I identify the source of this issue?
  • FAQ-001133 ✓ Has Recommendations - What are the approved methods for handling JavaScript in web links while maintaining security?

Managed Package Requirements

  • FAQ-001134 ✓ Has Recommendations - What are the current requirements and security considerations for JavaScript usage in managed packages?

Script Loading and Static Resources

  • FAQ-001135 ✓ Has Recommendations - What are the requirements for Lightning-ready applications using custom JavaScript libraries?
  • FAQ-001136 ✓ Has Recommendations - What does "Lightning: Improper Script Load Vulnerability" refer to and how can it be fixed?
  • FAQ-001137 ⚠ Error - How do I properly handle JavaScript that cannot be stored as static resources or has domain-specific loading requirements?
  • FAQ-001138 ✓ Has Recommendations - What are the security requirements and risks for runtime script loading in Lightning components?
  • FAQ-001139 ✓ Has Recommendations - How do I properly load external JavaScript files in Lightning Web Components using platformResourceLoader?

Third-Party Libraries and External APIs

  • FAQ-001142 ✓ Has Recommendations - Are there security restrictions on using third-party JavaScript libraries that manipulate the DOM?
  • FAQ-001143 ✓ Has Recommendations - What are the key security considerations for LWC applications calling external APIs?
  • FAQ-001144 ✓ Has Recommendations - How should I prepare for potential security review findings involving LWC and external API integrations?
  • FAQ-001145 ✓ Has Recommendations - What are the security implications of using lightning:container versus lwc:dom='manual' for embedding React components?

Uncategorized

  • FAQ-001148 ✓ Has Recommendations - What security measures are required for @AuraEnabled methods that accept configuration parameters?

Visualforce Security Considerations

  • FAQ-001149 ⚠ Error - Are JavaScript code issues in Visualforce pages considered security vulnerabilities and how should they be handled?

Lightning Web Security Compatibility

External Library Compatibility

  • FAQ-001151 ✓ Has Recommendations - How do I handle external JavaScript libraries that are incompatible with Lightning Web Security (LWS)?

Migration Security Implications

  • FAQ-001152 ✓ Has Recommendations - What are the security implications and advantages of migrating from Aura to Lightning Web Components with Lightning Web Security?

Security Review Impact

  • FAQ-001153 ✓ Has Recommendations - Will security review automatically fail applications using external JavaScript libraries that are incompatible with Lightning Web Security (LWS)?

Managed Package Security Constraints

Access Control Remediation

  • FAQ-001204 ✓ Has Recommendations - How can I remediate Access Control Violation issues when the suggested fixes cannot be implemented due to managed package constraints?

Locked Component Modifications

  • FAQ-001205 ✓ Has Recommendations - How should I address security requirements or vulnerabilities related to locked, non-editable components or metadata settings in my package?

Managed Object Security

  • FAQ-001206 ✓ Has Recommendations - What are acceptable approaches for managing security on managed objects within the application context?

Visibility and Exposure Controls

  • FAQ-001207 ✓ Has Recommendations - What alternatives exist when visibility settings or isExposed configurations cannot be changed due to managed package constraints?

Manual Security Review vs Automated Scanning

Additional Security Checks Beyond Automation

  • FAQ-001208 ✓ Has Recommendations - What additional security checks are performed during the official AppExchange Security Review beyond automated scanning tools?
  • FAQ-001209 ✓ Has Recommendations - What are the next steps when an app fails security review for issues not detected by automated scanning tools?

Identifying Missed Vulnerabilities

  • FAQ-001211 ✓ Has Recommendations - How can developers identify additional security vulnerabilities that standard scanning tools might miss?

Replicating Official Review Process

  • FAQ-001212 ✓ Has Recommendations - How can developers align their internal security scanning and testing processes with Salesforce's official AppExchange Security Review methodology?

Scanner Configuration and Optimization

  • FAQ-001213 ✓ Has Recommendations - How can developers optimize their security scanning configuration and processes to achieve comprehensive vulnerability detection?

Marketing Cloud Security

AppExchange Listing and Submission

  • FAQ-001218 ✓ Has Recommendations - Is a Marketing Cloud App component required for my package to be listed on the AppExchange?
  • FAQ-001219 ✓ Has Recommendations - Where can I find information on the packaging and security review process for Marketing Cloud applications?

Integration and Component Security

  • FAQ-001220 ✓ Has Recommendations - What are the security requirements for Marketing Cloud app components?

Package Installation and URLs

  • FAQ-001227 ✓ Has Recommendations - What are the security considerations for handling redirects across different Marketing Cloud stacks?

Packaging and Delivery Requirements

  • FAQ-001230 ✓ Has Recommendations - What are the requirements for Marketing Cloud app components in AppExchange packages?

Security Review Process

  • FAQ-001232 ✓ Has Recommendations - How should I handle security review for non-traditional Salesforce packages like Marketing Cloud integrations?
  • FAQ-001233 ✓ Has Recommendations - How does the security review process differ for AppExchange apps that extend Marketing Cloud?

Minified JavaScript and Source Code Provision

Minified JavaScript Alternatives

  • FAQ-001234 ✓ Has Recommendations - What alternatives exist to using minified JavaScript in managed packages?

Third-Party Service Exceptions

  • FAQ-001236 ✓ Has Recommendations - Can popular third-party services like hCaptcha be considered exceptions for unminified source code requirements?

Mobile Application Security

Data Storage and Encryption

  • FAQ-001239 ✓ Has Recommendations - What are the correct encryption and storage practices for sensitive data in mobile applications integrated with Salesforce?

Multi-Platform Security Review Preparation

Security Documentation Requirements

  • FAQ-001242 ✓ Has Recommendations - What documentation should I provide for cross-platform security architecture?

Multi-Record Creation Security

Dynamic Record Creation Security

  • FAQ-001243 ✓ Has Recommendations - What are the common security pitfalls for an application that allows users to configure and create records dynamically?

Multi-Vulnerability Security Remediation

General Multi-Vulnerability Remediation Strategy

  • FAQ-001245 ✓ Has Recommendations - What is the most efficient way to address a security report with many different types of vulnerabilities?

Salesforce-Specific Security Vulnerabilities

  • FAQ-001246 ✓ Has Recommendations - How do I address multiple Salesforce-specific security vulnerabilities including SOQL/SOSL injection, sharing, FLS, CRUD, DML loops, software versions...

Namespace Boundary Security

Cross-Namespace Communication Security

  • FAQ-001250 ✓ Has Recommendations - What are the security implications of cross-namespace event communication?

Non-Standard Programming Language Security

Development Framework Security

  • FAQ-001252 ✓ Has Recommendations - What are the security considerations for development frameworks that require additional setup?

OEM Embedded Org Security

Package Installation and Security Reviews

  • FAQ-001271 ✓ Has Recommendations - What are the security review implications of installing other AppExchange packages into an OEM embedded org?
  • FAQ-001272 ✓ Has Recommendations - Can I install other AppExchange apps and write additional Apex in OEM orgs?

Platform Features and Capabilities

  • FAQ-001274 ✓ Has Recommendations - What can be added to OEM embedded orgs beyond the original managed package?

Open Redirect and Redirect Security

AppExchange Security Review

  • FAQ-001276 ✓ Has Recommendations - How can I resolve redirect-related security issues and ensure URL redirect functionality passes AppExchange security review?

Component-Specific Redirect Security

  • FAQ-001277 ✓ Has Recommendations - What are the security best practices for handling URL redirection from custom components and Lightning components?

Dynamic and Return URL Handling

  • FAQ-001278 ✓ Has Recommendations - How should I handle redirect vulnerabilities and open redirect scenarios when URLs are dynamically set?

General Open Redirect Prevention

  • FAQ-001279 ✓ Has Recommendations - What are the security requirements and best practices for preventing open redirect vulnerabilities in applications?

General Security Considerations

  • FAQ-001280 ✓ Has Recommendations - What are the security considerations for URLs used in callouts or redirects?

Visualforce Redirect Security

  • FAQ-001283 ✓ Has Recommendations - What are the approved methods and best practices for handling page redirects and preventing open redirect vulnerabilities in Visualforce?

Open Source and Third-Party Security

Open Source Distribution Security

  • FAQ-001284 ✓ Has Recommendations - What are the security considerations for distributing an open-source application on the AppExchange?

PCI Compliance and Payment Security

Developer PCI Responsibilities

  • FAQ-001286 ✓ Has Recommendations - What PCI compliance responsibilities do app developers have when handling payment data?

Package Dependency Security Review

Dependency Documentation Requirements

  • FAQ-001332 ✓ Has Recommendations - How should I document dependencies on other AppExchange packages during security review?

Extension Package Review Process

  • FAQ-001333 ✓ Has Recommendations - What are the requirements and process for submitting extension packages for security review?

Package Generation Dependencies

  • FAQ-001334 ✓ Has Recommendations - What are the Security Review requirements for second-generation (2GP) packages that depend on first-generation (1GP) packages?

Package Design and Architecture Security

2GP Package Structure and Best Practices

  • FAQ-001336 ✓ Has Recommendations - What are the best practices for structuring complex applications and multi-package solutions using 2nd-Generation Managed Packaging?

Component Architecture and Data Flow Security

  • FAQ-001338 ✓ Has Recommendations - What are the security considerations and best practices for component architecture, data flow, and handling large-scale operations in managed packages...

Mixed Package Component Management

  • FAQ-001339 ✓ Has Recommendations - What are the considerations and security implications when mixing managed and unmanaged package components or creating extension packages?

Multi-Package Design Patterns

  • FAQ-001340 ✓ Has Recommendations - What design patterns and best practices should I follow to ensure my multi-package solution design won't cause security review problems?

Package Migration and Dependencies

  • FAQ-001341 ✓ Has Recommendations - What are the key considerations and security aspects when managing inter-package dependencies during migration from first-generation to second-generat...

Security Review Process and Communication

  • FAQ-001343 ✓ Has Recommendations - How do different packaging strategies impact security review requirements and how can I discuss complex packaging strategies with the security team?

Package Version Visibility and Scanner Access Issues

Package Version Not Appearing in Security Tools

  • FAQ-001417 ✓ Has Recommendations - Why is my package version not appearing in security scanning tools and what should I do to troubleshoot this?

Package Version Selection and Dropdown Issues

  • FAQ-001418 ✓ Has Recommendations - How do I resolve issues with package version selection and empty dropdowns in security scanning tools?

Source Scanner Access and Functionality Problems

  • FAQ-001420 ✓ Has Recommendations - What should I do when I'm unable to access or run the Source Scanner on my package?

Password Management Security

Managed Package Security

  • FAQ-001424 ✓ Has Recommendations - What constitutes proper password management practices and implementation in managed packages?
  • FAQ-001425 ✓ Has Recommendations - When is using System.setPassword() acceptable in managed packages?
  • FAQ-001426 ✓ Has Recommendations - What are the security requirements for password handling and storage in managed packages?

Password Echo Prevention

  • FAQ-001427 ✓ Has Recommendations - How should password echo issues be properly addressed in managed packages and user interfaces?
  • FAQ-001428 ✓ Has Recommendations - What constitutes a 'password echo' vulnerability and how can I prevent it?
  • FAQ-001429 ✓ Has Recommendations - How should I handle API key display in user interfaces to address Password Echo findings?
  • FAQ-001430 ✓ Has Recommendations - How should I properly implement password change functionality without echoing sensitive data?

Password Encryption and Storage

  • FAQ-001431 ✓ Has Recommendations - What information should be provided about password management and secure login options?

Password Policy Requirements

  • FAQ-001436 ✓ Has Recommendations - What are the password management requirements for applications that integrate with Salesforce?

Security Waivers and Exceptions

  • FAQ-001440 ✓ Has Recommendations - Can I request a waiver for a password policy requirement if I can provide a strong security justification?

Payment Processing Security

Data Handling and Storage Security

  • FAQ-001445 ✓ Has Recommendations - What are the security requirements and best practices for applications that handle, store, or process payment and financial data?

Performance and Code Optimization Security

Resource Constraint Security Balance

  • FAQ-001464 ✓ Has Recommendations - How do I balance the need for security enforcement with platform limits like CPU time or query complexity?

Schema Lookup Optimization

  • FAQ-001465 ✓ Has Recommendations - How can I optimize my code to avoid expensive schema lookups identified in security reviews?

Permission Set Security

Broad Permission Justification

  • FAQ-001471 ✓ Has Recommendations - How do I justify broad permissions like "View All" and "Modify All" that are essential for my application's administrative functions?
  • FAQ-001472 ✓ Has Recommendations - Why is including broad permissions like "View All" on standard objects in a packaged permission set considered a security risk?
  • FAQ-001473 ✓ Has Recommendations - When are viewAllRecord and modifyAllRecord permissions acceptable in permission sets?
  • FAQ-001474 ✓ Has Recommendations - How should "View All" permissions be justified for specific functionality like search and sync?
  • FAQ-001475 ✓ Has Recommendations - How do I justify full object access permissions when they are required for core business functionality?

Custom Permissions and Bypass Logic

  • FAQ-001476 ✓ Has Recommendations - How should I manage custom permissions during package installation to ensure my bypass logic works correctly?
  • FAQ-001477 ✓ Has Recommendations - How can developers implement bypass mechanisms in managed packages that work correctly with "Install for All Users" option?

DML Operations on Permission Sets

  • FAQ-001479 ✓ Has Recommendations - Can managed packages create or update Permission Sets through Apex DML operations?

External Credentials and Automated Users

  • FAQ-001481 ✓ Has Recommendations - What is the correct way to grant permissions to an automated process or user to access an External Credential?

Permission Set Design and Best Practices

  • FAQ-001482 ✓ Has Recommendations - How do I determine the minimum required permissions for my application to function correctly?
  • FAQ-001483 ✓ Has Recommendations - What are the best practices for defining permission sets for a managed package?
  • FAQ-001485 ✓ Has Recommendations - What is the recommended method for assigning permissions for my app's objects and classes to end-users?
  • FAQ-001486 ✓ Has Recommendations - What guidelines should I follow when setting up permission sets for my app?
  • FAQ-001487 ✓ Has Recommendations - What's the proper way to implement permission sets for managed package users?

Permission Validation and Querying

  • FAQ-001488 ✓ Has Recommendations - When are FLS checks still required despite having proper permission sets configured?
  • FAQ-001490 ✓ Has Recommendations - How do I properly query user permissions with SECURITY_ENFORCED when users lack certain system permissions?
  • FAQ-001491 ✓ Has Recommendations - Do permission sets adequately address CRUD/FLS security requirements?
  • FAQ-001492 ✓ Has Recommendations - What is the proper way to check user permissions for setup and configuration objects?
  • FAQ-001493 ✓ Has Recommendations - When are additional code-level security checks required beyond permission sets?
  • FAQ-001494 ✓ Has Recommendations - How do permission sets relate to FLS security requirements?
  • FAQ-001495 ✓ Has Recommendations - How can I query a user's assigned permission sets without requiring administrative permissions?

Platform Component Security Differences

Common Security Pitfalls

  • FAQ-001497 ✓ Has Recommendations - What are the common security pitfalls when working with both Visualforce pages and Lightning components?

General Security Requirements Comparison

  • FAQ-001498 ⚠ Error - What are the differences in security requirements between Visualforce pages and Lightning Components?

JavaScript Security Requirements

  • FAQ-001499 ✓ Has Recommendations - What are the specific requirements for JavaScript usage in Visualforce pages versus Lightning Components?

Post-Approval Security Management

Ongoing Security Review Preparation

  • FAQ-001504 ✓ Has Recommendations - What ongoing security considerations should I prepare for in subsequent product reviews?

Post-Approval Vulnerability Management

  • FAQ-001505 ✓ Has Recommendations - How does the security review process handle vulnerabilities discovered by a partner after an app is already approved?

Proactive Security Architecture Review

Architecture and Design Review

  • FAQ-001508 ✓ Has Recommendations - Is it possible to get a security architecture and design review for my application before I start development?
  • FAQ-001509 ✓ Has Recommendations - What are the key architectural security principles I should follow when building a new application?

Code Review Sessions

  • FAQ-001511 ✓ Has Recommendations - Is it possible to schedule a code review session with the security team before resubmitting my application?
  • FAQ-001512 ✓ Has Recommendations - How can I schedule a pre-review code assessment to address potential issues before security review?
  • FAQ-001513 ✓ Has Recommendations - What are the benefits of conducting a pre-review code assessment with the security team?

Complex Architecture and Integration Support

  • FAQ-001514 ✓ Has Recommendations - What is the best approach for discussing complex application architectures during security review?
  • FAQ-001515 ✓ Has Recommendations - What is the process for discussing a complex security architecture that requires significant exceptions?

Feature Development Guidance

  • FAQ-001516 ✓ Has Recommendations - How can I get security guidance on a new feature before starting development?
  • FAQ-001518 ✓ Has Recommendations - What security considerations should I plan for future product enhancements?

General Security Architecture Resources

  • FAQ-001519 ✓ Has Recommendations - What is the process for getting guidance on potential security issues prior to a formal review?
  • FAQ-001520 ✓ Has Recommendations - Are there resources or consultations available to help with initial security architecture?
  • FAQ-001521 ✓ Has Recommendations - How can I ensure my app's architecture meets security standards from the start of development?

Pre-Approval and Validation

  • FAQ-001522 ✓ Has Recommendations - How can I validate security approaches for new features before implementation?
  • FAQ-001523 ✓ Has Recommendations - How can I determine the security review implications of a planned update to my application's architecture?
  • FAQ-001525 ✓ Has Recommendations - How can I get pre-approval for an alternative architectural approach to handling credentials?
  • FAQ-001526 ✓ Has Recommendations - Is it possible to review my planned technical solutions for security issues with the review team prior to submission?
  • FAQ-001527 ✓ Has Recommendations - How do I demonstrate current security practices and get pre-approval guidance before submitting for security review?
  • FAQ-001528 ✓ Has Recommendations - How can I validate that the architecture of my complex, multi-system integration will meet security standards?
  • FAQ-001529 ✓ Has Recommendations - What technical approaches and security measures should I validate before full security review submission?

Pre-Submission Documentation Review

  • FAQ-001530 ✓ Has Recommendations - How can I get pre-submission review of security documentation?
  • FAQ-001532 ✓ Has Recommendations - Can I schedule a consultation to review the results of my own security scan before official submission?
  • FAQ-001533 ✓ Has Recommendations - What information should I prepare to facilitate a pre-review of my application?
  • FAQ-001534 ✓ Has Recommendations - Is it possible to have my security documentation reviewed by an expert before I submit my package for official review?

Proactive Consultations and Office Hours

  • FAQ-001535 ✓ Has Recommendations - Can I schedule a consultation to discuss the security implications of my product's future enhancements?
  • FAQ-001536 ✓ Has Recommendations - Is it possible to schedule a proactive consultation with the security team before submitting my app for its first review?
  • FAQ-001537 ✓ Has Recommendations - What are the benefits of a pre-emptive security consultation?
  • FAQ-001538 ✓ Has Recommendations - Are there office hours or consultations available to discuss the security implications of a proposed design?
  • FAQ-001539 ✓ Has Recommendations - What is the process for getting security guidance during the development phase?

Readiness Assessment and Pre-Checks

  • FAQ-001540 ✓ Has Recommendations - Is there a way to get a pre-check of my application before a formal security review submission?
  • FAQ-001541 ✓ Has Recommendations - What proactive steps should I take before submitting for security review?
  • FAQ-001542 ✓ Has Recommendations - How can I proactively review my package submission to identify potential issues before formal review?
  • FAQ-001543 ✓ Has Recommendations - How can I proactively ensure my application's architecture meets security standards before the official review?
  • FAQ-001544 ✓ Has Recommendations - Is there a process to get an informal "readiness" check before submitting an app for its official security review?
  • FAQ-001545 ✓ Has Recommendations - What proactive steps ensure readiness for security review discussions of sophisticated integrations?
  • FAQ-001546 ✓ Has Recommendations - How can I get a pre-assessment of my application's design to identify potential security issues before submission?
  • FAQ-001547 ✓ Has Recommendations - How can I get a pre-submission review to ensure my application is ready for security review?
  • FAQ-001548 ✓ Has Recommendations - Is it possible to get a preliminary, informal review of my application before the official security review submission?
  • FAQ-001549 ✓ Has Recommendations - Is it possible to get a pre-review of my app's architecture and security model before submitting for the official security review?

Vulnerability and Compliance Assessment

  • FAQ-001551 ✓ Has Recommendations - How can I get feedback on my security solution design before submitting for formal review?
  • FAQ-001552 ✓ Has Recommendations - Is it possible to get a pre-review of potential vulnerabilities before a formal security review submission?
  • FAQ-001553 ✓ Has Recommendations - Can I get my implementation of FLS and external service callouts reviewed for compliance before official submission?

Proactive Security Consultation Scheduling

Advance Consultation Booking

  • FAQ-001554 ✓ Has Recommendations - Is it advisable to book a security consultation in advance while waiting for review results or before submitting for security review?

Contingent Meeting Scheduling

  • FAQ-001555 ✓ Has Recommendations - Is it possible to schedule a meeting in advance to discuss potential security findings or vulnerabilities contingent on review results?

Timely Access to Consultations

  • FAQ-001557 ✓ Has Recommendations - How can I ensure I can get a timely consultation after my security review results are available?

Public Data API Security

Public Endpoint Security Standards

  • FAQ-001558 ✓ Has Recommendations - What are the security requirements for data exposed via public API endpoints?

Public Data Access Security

Public URL Security Requirements

  • FAQ-001561 ✓ Has Recommendations - What level of mitigation is required for data accessible via public URLs?

Reporting and Dashboard Security

Data Visibility and Access Control

  • FAQ-001564 ✓ Has Recommendations - How can I ensure that reports and dashboards in my application correctly enforce user data visibility?

Rich Text and Code Editor Security

General Security Considerations

  • FAQ-001565 ✓ Has Recommendations - What are the common security considerations when implementing a rich text or document editor within an application?

Salesforce-Specific Implementation Security

  • FAQ-001567 ✓ Has Recommendations - What are the security best practices for implementing a rich text or code editor within a Visualforce page or Lightning component?

SDK and Framework Security

Custom Framework Security

  • FAQ-001569 ✓ Has Recommendations - What are the security risks and best practices when building custom frameworks for Salesforce applications?

SDK Security Rules and Example Code

  • FAQ-001570 ✓ Has Recommendations - My package is a developer SDK or framework. How are security rules applied to example code or code meant to be extended by developers?

Security Responsibility Documentation

  • FAQ-001571 ✓ Has Recommendations - How can I document that certain security controls are the responsibility of the developer implementing my framework?

SOQL Security and User Mode Implementation

SOQL Injection and Dynamic Queries

  • FAQ-001573 ✓ Has Recommendations - Does using `WITH USER_MODE` in a dynamic SOQL query fully mitigate all SOQL injection risks?

SYSTEM_MODE vs USER_MODE Selection

  • FAQ-001574 ✓ Has Recommendations - When is it appropriate to use SYSTEM_MODE versus USER_MODE for custom settings operations?

Scanner and Tool Recognition Issues

  • FAQ-001575 ✓ Has Recommendations - Why does my scanner report an FLS issue even when I use user mode DML operations or WITH User_Mode?

Security Validation and Demonstration

  • FAQ-001576 ✓ Has Recommendations - How can I demonstrate that user-mode queries provide adequate security protection?

Sharing vs Security Enforcement

  • FAQ-001577 ✓ Has Recommendations - If my class is declared `with sharing`, do I still need to add `WITH SECURITY_ENFORCED` to my SOQL queries?

Specific Implementation Scenarios

  • FAQ-001578 ✓ Has Recommendations - How should USER_MODE be implemented for specific scenarios like ContentDistribution and custom object fields to satisfy security scans and handle comp...

USER_MODE vs Manual Security Checks

  • FAQ-001579 ✓ Has Recommendations - Is USER_MODE an acceptable alternative to manual isAccessible() checks for CRUD/FLS enforcement, and what are the considerations?

USER_MODE vs SECURITY_ENFORCED Comparison

  • FAQ-001580 ✓ Has Recommendations - Does using WITH USER_MODE or WITH SECURITY_ENFORCED in SOQL satisfy all CRUD/FLS enforcement requirements?

WITH SECURITY_ENFORCED Sufficiency

  • FAQ-001581 ✓ Has Recommendations - Is using WITH SECURITY_ENFORCED in SOQL queries sufficient for security compliance?

SQL Injection and Input Validation

Application-Level Security Concerns

  • FAQ-001582 ✓ Has Recommendations - How do I address SOQL injection concerns in flexible lookup components and application-accessible code that accept dynamic WHERE clauses?
  • FAQ-001583 ✓ Has Recommendations - How should third-party API endpoints be scanned when direct access to upload abuse prevention tokens isn't available?
  • FAQ-001584 ✓ Has Recommendations - What are acceptable approaches for handling user-generated query conditions?
  • FAQ-001585 ✓ Has Recommendations - How do I properly handle SOQL injection concerns in Lightning Web Component design attributes?

Best Practices and Prevention Strategies

  • FAQ-001586 ✓ Has Recommendations - What are the best practices for preventing SOQL injection vulnerabilities in dynamic queries?
  • FAQ-001587 ✓ Has Recommendations - What are the most common causes of SOQL injection and sharing violation vulnerabilities?
  • FAQ-001588 ✓ Has Recommendations - How can I prevent SOQL injection in dynamic query builders while maintaining flexibility?

Dynamic SOQL Query Construction

  • FAQ-001589 ✓ Has Recommendations - How can I safely build dynamic SOQL queries when object and field names are determined at runtime?
  • FAQ-001590 ✓ Has Recommendations - What is the recommended way to build secure dynamic SOQL queries?
  • FAQ-001591 ✓ Has Recommendations - What are the secure alternatives to dynamic SOQL when standard binding isn't possible for SObject or field names?
  • FAQ-001592 ✓ Has Recommendations - What is the recommended approach to secure dynamic queries that are based on user input?
  • FAQ-001593 ✓ Has Recommendations - How do I implement bind variables with completely dynamic SOQL queries?
  • FAQ-001594 ✓ Has Recommendations - What are the recommended alternatives to dynamic SOQL queries for @AuraEnabled methods?

False Positive Identification and Documentation

  • FAQ-001596 ✓ Has Recommendations - How can I determine if a potential SOQL Injection vulnerability flagged by a scanner is a false positive?
  • FAQ-001597 ✓ Has Recommendations - How should I handle and document SOQL injection warnings that I believe are false positives?
  • FAQ-001598 ✓ Has Recommendations - How can I prove that a dynamic SOQL query is safe from injection because its variables are derived from secure sources?
  • FAQ-001600 ✓ Has Recommendations - What should I do if I believe the security scanner has incorrectly identified a SOQL injection vulnerability?
  • FAQ-001601 ✓ Has Recommendations - What documentation is needed to prove SOQL injection vulnerabilities are incorrect?
  • FAQ-001602 ✓ Has Recommendations - How do I correctly resolve or document a false positive for SOQL injection?
  • FAQ-001603 ✓ Has Recommendations - How do I properly document a false positive for a SOQL injection where user input only controls the fields list, not the WHERE clause?
  • FAQ-001604 ✓ Has Recommendations - My dynamic SOQL query is being flagged, but I've implemented a blacklist to prevent access to sensitive objects. How should I document this?

Input Sanitization and Escaping

  • FAQ-001605 ✓ Has Recommendations - What are the best practices for escaping different types of user input in dynamic SOQL queries?
  • FAQ-001606 ✓ Has Recommendations - How can SOQL injection issues be resolved when String.escapeSingleQuotes() doesn't satisfy scanners?
  • FAQ-001607 ✓ Has Recommendations - Why might using `String.escapeSingleQuotes()` be insufficient to prevent all types of SOQL injection?
  • FAQ-001608 ✓ Has Recommendations - Is it acceptable to apply SOQL injection mitigation, like `escapeSingleQuotes`, to an entire dynamically generated query?
  • FAQ-001609 ✓ Has Recommendations - How do I properly resolve SOQL injection vulnerabilities beyond using String.escapeSingleQuotes?
  • FAQ-001610 ✓ Has Recommendations - How do I properly escape single quotes in SOSL queries without breaking functionality?
  • FAQ-001611 ✓ Has Recommendations - What is the correct way to handle special characters in SOSL queries to prevent injection?
  • FAQ-001612 ✓ Has Recommendations - Do I need to escape configuration parameters that can only be set by a user with "Customize Application" permissions?

Secure Implementation Documentation

  • FAQ-001613 ✓ Has Recommendations - What are the approved methods for handling dynamic queries with client-provided parameters while maintaining security?
  • FAQ-001614 ✓ Has Recommendations - How can I demonstrate that dynamic SOQL queries are implemented securely with proper safeguards?
  • FAQ-001615 ✓ Has Recommendations - How do I justify dynamic queries with proper validation mechanisms as secure implementations?
  • FAQ-001616 ✓ Has Recommendations - What specific security measures should I highlight when defending a dynamic SOQL implementation?
  • FAQ-001617 ✓ Has Recommendations - How can I demonstrate that my dynamic SOQL query is safe and not vulnerable to injection?

Security Review and Vulnerability Assessment

  • FAQ-001618 ✓ Has Recommendations - How can SQL injection findings be properly evaluated when database access isn't actually possible?
  • FAQ-001619 ✓ Has Recommendations - How should developers address SQL injection vulnerabilities identified in security scans?
  • FAQ-001620 ✓ Has Recommendations - How should I properly implement dynamic SOQL queries to avoid security review failures?
  • FAQ-001621 ✓ Has Recommendations - What specific modifications are needed to fix SOQL injection issues?
  • FAQ-001622 ✓ Has Recommendations - Why might my dynamic SOQL query still be flagged as a vulnerability even after applying fixes?
  • FAQ-001623 ✓ Has Recommendations - How should I handle SQL Injection concerns when they appear in security scans of Salesforce applications?
  • FAQ-001624 ✓ Has Recommendations - How do I investigate and validate SQL injection vulnerabilities reported in security scans?

Validation Rules and Access Controls

  • FAQ-001626 ✓ Has Recommendations - Is using a blacklist of objects sufficient to prevent information disclosure vulnerabilities in dynamic SOQL?
  • FAQ-001627 ✓ Has Recommendations - Are validation rules sufficient for preventing SQL injection, or is additional Apex validation required?
  • FAQ-001628 ✓ Has Recommendations - Is adding "WITH USER_MODE" sufficient to resolve SOQL injection vulnerabilities in dynamic queries?
  • FAQ-001629 ✓ Has Recommendations - How should I implement field whitelisting and access validation for dynamic SOQL construction?
  • FAQ-001630 ✓ Has Recommendations - How should I explain object-level security controls in dynamic query implementations?

Salesforce Platform Security Responsibility

False Positive Identification and Documentation

  • FAQ-001638 ✓ Has Recommendations - How should I handle security findings related to standard Salesforce functionality that I cannot control or modify?
  • FAQ-001639 ✓ Has Recommendations - How do I properly document Connected App consumer keys and other default Salesforce configurations as false positives?
  • FAQ-001640 ✓ Has Recommendations - How can I distinguish between security vulnerabilities in my managed package code versus underlying Salesforce platform functionality?
  • FAQ-001642 ✓ Has Recommendations - When are security findings actually false positives related to standard functionality?

Information Disclosure Vulnerabilities

  • FAQ-001644 ✓ Has Recommendations - How do I address and understand Information Disclosure Vulnerability findings in security reviews?

Platform Changes and Updates

  • FAQ-001645 ✓ Has Recommendations - How should I address security vulnerabilities and compliance issues related to platform changes, bugs, or limitations?

Platform Responsibility and Remediation

  • FAQ-001646 ✓ Has Recommendations - What should I do when security vulnerabilities are found in standard Salesforce components, platform-provided functionality, or system-provided classe...

Platform vs Package Vulnerability Distinction

  • FAQ-001647 ✓ Has Recommendations - How can developers distinguish between package-specific security issues and Salesforce platform vulnerabilities in security findings and scan results?

SOQL Injection and API Endpoints

  • FAQ-001648 ✓ Has Recommendations - How do I address SOQL injection findings and verify API endpoint classification in Salesforce security reviews?

Security Documentation and Reporting

  • FAQ-001649 ✓ Has Recommendations - How should I handle security documentation and reporting for Salesforce domains and authentication URLs flagged in security reviews?

Security Testing and Validation

  • FAQ-001650 ✓ Has Recommendations - How should I address potential platform vulnerabilities discovered during security testing and determine if findings are genuine issues or false posit...

Specific Security Concerns

  • FAQ-001651 ✓ Has Recommendations - What are the security implications of using sessionId and how should I handle vulnerability findings in Salesforce-provided components?

Standard Salesforce Components and Profiles

  • FAQ-001652 ✓ Has Recommendations - How should I handle security findings related to standard Salesforce profiles, objects, and components that are not part of my package?

Third-Party Libraries and Dependencies

  • FAQ-001653 ✓ Has Recommendations - How should I address security vulnerabilities found in third-party libraries and dependencies, including those that may be part of the Salesforce plat...

Uncategorized

  • FAQ-001654 ✓ Has Recommendations - How should I address security findings that reference standard Salesforce components, JavaScript libraries, or core platform functionality?

XSS and Cross-Site Scripting Issues

  • FAQ-001655 ✓ Has Recommendations - How should I address XSS vulnerabilities that appear to be related to Salesforce platform functionality rather than my custom code?

Security Architecture and Threat Modeling

Package and Dependency Security

  • FAQ-001665 ✓ Has Recommendations - How should threat modeling be conducted for managed packages?

Security Best Practices and Field Management

Application Architecture and Design Security

  • FAQ-001666 ✓ Has Recommendations - What are the key architectural considerations and design patterns for building secure managed packages that will pass Salesforce Security Review?

Documentation and Compliance

  • FAQ-001670 ✓ Has Recommendations - What documentation is required to demonstrate proper security implementation and avoid repeated security review rejections?

Platform-Specific Security Considerations

  • FAQ-001673 ✓ Has Recommendations - What are the key security implementation requirements and undocumented platform behaviors that developers should be aware of when building managed pac...

Security Review Preparation and Process

  • FAQ-001674 ✓ Has Recommendations - How can I prepare for and successfully pass the AppExchange security review, including addressing common failures and ensuring all requirements are me...

Vulnerability Assessment and Remediation

  • FAQ-001675 ✓ Has Recommendations - What are the most common security vulnerabilities found during security reviews and how should they be remediated?

Security Best Practices for Declarative Automation

General Security Best Practices

  • FAQ-001676 ✓ Has Recommendations - How can I ensure my declarative automation adheres to security best practices?

Managed Package Security

  • FAQ-001677 ✓ Has Recommendations - What security considerations apply to Flow and other declarative components in managed packages?

Security Configuration Requirements

Pre-Submission Security Requirements

  • FAQ-001679 ✓ Has Recommendations - What are the mandatory security checks and configurations, such as permission sets, required before submitting for review?