FAQ-000097 - Access Control and Global Components / Balancing Security and Functionality

To balance security requirements with component accessibility needs, follow these comprehensive best practices: **For Lightning Web Components Exposed to Application Scope:** A Lightning Web Component can be exposed to the application scope when explicitly declared as available for use in shared contexts, such as communities or other applications. Security best practices include: 1. **Enforce Contracts**: Ensure the component is reusable, pluggable, and secure in any context allowed by the framework. 2. **Sanitize User Data**: Avoid unsafe attributes or bindings, and sanitize all user-controlled data to prevent vulnerabilities like cross-site scripting (XSS). 3. **Use Static Resources**: Load scripts and resources from static resources rather than third-party endpoints to maintain control and ensure versioning. 4. **Follow CSP Guidelines**: Adhere to strict Content Security Policy (CSP) guidelines and avoid unsafe inline scripts or styles. 5. **Enable LockerService**: Run the component on API version 40.0 or later to ensure LockerService is enabled for critical security isolation. **For Justifying Global Access Settings:** To justify global access settings for Lightning components: 1. **Implement CRUD/FLS Checks**: Use USER_MODE for SOQL queries and AccessLevel.USER_MODE for Database methods to automatically enforce Create, Read, Update, Delete, and Field-Level Security checks. 2. **Enforce Sharing Rules**: Verify that the component adheres to proper sharing rules and security measures. 3. **Review Exposed Components**: For components marked as `isexposed-true`, confirm that no vulnerabilities are introduced. 4. **Secure Coding Practices**: Highlight that the component avoids unauthorized data access or leaks and is designed to function securely in any permissible context. **General Security and Accessibility Balance:** 1. **Enforce CRUD/FLS Checks**: Use USER_MODE for SOQL queries and AccessLevel.USER_MODE for Database methods. You can also implement Create, Read, Update, Delete (CRUD) and Field-Level Security (FLS) checks using `getDescribe().isAccessible()` to validate user permissions. 2. **Use USER_MODE for Queries**: Execute SOQL queries in USER_MODE to respect user permissions while accessing necessary data. 3. **Secure Sensitive Data**: Store sensitive information like OAuth secrets or API keys in protected custom settings or metadata, avoiding hardcoding in the codebase. 4. **Prevent SOQL Injection**: Construct SOQL queries using validated fields and object names to mitigate injection risks. 5. **Dynamic Component Accessibility**: Use template directives for conditional rendering based on the component's state, ensuring compliance with security guidelines. 6. **Use HTTPS for External Communication**: Ensure all callback URLs and external communications use HTTPS for secure data transmission. 7. **Thorough Reviews and Testing**: Conduct code reviews and use tools like Checkmarx or CodeAnalyzer to identify vulnerabilities. Address all issues before submission. **Best Practices for Managed Package Access Controls:** 1. **Enforce CRUD/FLS Permissions**: Use USER_MODE for SOQL queries and AccessLevel.USER_MODE for Database methods. You can also check Create, Read, Update, Delete (CRUD) and Field-Level Security (FLS) permissions before performing DML operations using `Schema.sObjectType` to verify field accessibility. 2. **Use User Mode**: Execute SOQL queries and DML operations in User Mode to respect the user's access permissions. 3. **Avoid Elevated Privileges in Post-Install Scripts**: Do not use global classes or methods in post-install scripts, as they run with elevated privileges and can pose security risks. 4. **Restrict Access to Sensitive Data**: Limit access to sensitive data, such as custom settings or metadata, and use protected custom settings or metadata wherever possible. 5. **Audit Access Control Changes**: Regularly review and audit changes to sharing rules, permission sets, or profiles to ensure they align with intended access control policies. 6. **Mitigate Sharing Violations**: Use "with sharing" or "without sharing" keywords appropriately in Apex classes to enforce sharing rules based on the context. 7. **Secure Guest User Access**: Restrict guest user access to records and follow the principle of least privilege. 8. **Document False Positives**: If any security review findings are false positives, document them thoroughly and submit them with the security review. 9. **Use Secure Authentication Practices**: Avoid handling user credentials directly; instead, use OAuth credentials for authentication. 10. **Prevent Prompt Injection**: When constructing prompts with user-controlled input, employ strategies to mitigate prompt-injection vulnerabilities. By following these practices, you can maintain robust security while ensuring components remain accessible and functional, ensuring compliance with security standards in managed packages.

The original FAQ provides comprehensive security guidance but needs refinement to prioritize modern security features over legacy approaches. The main changes are: 1) Updated CRUD/FLS enforcement sections to lead with USER_MODE approaches (USER_MODE for SOQL and AccessLevel.USER_MODE for Database methods) while retaining the existing manual checking approaches as alternatives. This aligns with the security approaches guidelines to prioritize modern features. 2) Clarified that both modern and legacy approaches remain valid and secure. 3) Maintained all existing content, structure, and detail level as instructed. Security rules selected: ApexCRUDViolation relates to the extensive CRUD/FLS checking guidance throughout the FAQ; ApexSharingViolations relates to the sharing rules enforcement and 'with sharing'/'without sharing' keyword usage discussed; AvoidLmcIsExposedTrue relates to the specific guidance about components marked as 'isexposed-true'; AvoidGlobalInstallUninstallHandlers relates to the advice about avoiding global classes in post-install scripts; ApexSOQLInjection relates to the SOQL injection prevention guidance; ApexXSSFromURLParam and ApexXSSFromEscapeFalse relate to the XSS prevention and data sanitization guidance; ApexInsecureEndpoint relates to the HTTPS communication requirements; AvoidHardcodedCredentialsInFieldDecls and AvoidHardcodedCredentialsInVarDecls relate to the guidance about storing sensitive data in protected settings rather than hardcoding; AvoidUnescapedHtmlInAura relates to the unsafe attributes and XSS prevention guidance for components.