What are the specific review criteria for Lightning Component Bundle exposure settings?
Answer
The review criteria for Lightning Component Bundle exposure settings include:
1. **Secure Coding Guidelines**: Components must follow secure coding practices and adhere to platform limitations.
2. **Contract Enforcement**: Ensure components enforce all contracts and are safe for any framework-allowed usage, such as being placed in a repeat tag or instantiated multiple times.
3. **Global Attribute Protection**: Protect global attributes and ensure components are secure and pluggable for any usage scenario.
4. **Avoid Unsafe Attributes**: Do not use unsafe attributes or improperly expose sensitive methods.
5. **LockerService**: Enable LockerService for components using API version 40.0 or higher to ensure namespace isolation.
These practices ensure components are secure and meet the platform's standards.
Recommended Answer Update
The review criteria for Lightning Component Bundle exposure settings include:
1. **Secure Coding Guidelines**: Components must follow secure coding practices and adhere to platform limitations.
2. **Contract Enforcement**: Ensure components enforce all contracts and are safe for any framework-allowed usage, such as being placed in a repeat tag or instantiated multiple times.
3. **Global Attribute Protection**: Protect global attributes and ensure components are secure and pluggable for any usage scenario.
4. **Avoid Unsafe Attributes**: Don't use unsafe attributes or improperly expose sensitive methods.
5. **LockerService**: Enable LockerService for components using API version 40.0 or higher to ensure namespace isolation.
These practices ensure components are secure and meet the platform's standards.
Reasoning
The FAQ content is largely accurate and comprehensive. I made one minor improvement to enhance clarity and maintain consistent conversational tone by changing 'Do not use' to 'Don't use' in point 4, which aligns with the brand guidelines for using contractions and conversational language.
I selected the AvoidAuraWithLockerDisabled security rule because it directly relates to the FAQ content discussing LockerService requirements. The FAQ specifically mentions 'Enable LockerService for components using API version 40.0 or higher to ensure namespace isolation' in point 5, and the AvoidAuraWithLockerDisabled rule (severity 1) is designed to detect when Aura components have LockerService disabled, which would violate the security requirement described in the FAQ. This rule ensures that components maintain proper namespace isolation and security boundaries, which is exactly what the FAQ is teaching developers to implement.
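An added example, not part of the original FAQ and not Salesforce's implementation of the AvoidAuraWithLockerDisabled rule: a minimal pre-review check in the spirit of point 5 that flags Aura bundles whose metadata declares an API version below 40.0. It assumes SFDX-style `*-meta.xml` files with an `AuraDefinitionBundle` root; the sample file names, the function names, and the choice to report a missing `apiVersion` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "http://soap.sforce.com/2006/04/metadata"  # Salesforce metadata XML namespace
MIN_LOCKER_API = 40.0  # threshold stated in point 5 of the FAQ


def locker_finding(name, meta_xml):
    """Return a finding string for one metadata file's XML text, or None if it passes."""
    try:
        root = ET.fromstring(meta_xml)
    except ET.ParseError as exc:
        return f"{name}: unparseable metadata ({exc})"
    if root.tag != f"{{{MD_NS}}}AuraDefinitionBundle":
        return None  # not an Aura bundle, so out of scope for this check
    node = root.find(f"{{{MD_NS}}}apiVersion")
    text = (node.text or "").strip() if node is not None else ""
    if not text:
        # Assumption: a reviewer wants to see bundles whose version cannot be confirmed.
        return f"{name}: apiVersion missing, cannot confirm LockerService applies"
    try:
        version = float(text)
    except ValueError:
        return f"{name}: apiVersion {text!r} is not numeric"
    if version < MIN_LOCKER_API:
        return f"{name}: apiVersion {version} is below {MIN_LOCKER_API}"
    return None


def scan(bundles):
    """bundles maps file name -> metadata XML text. Returns findings sorted by name."""
    findings = (locker_finding(name, xml) for name, xml in bundles.items())
    return sorted(f for f in findings if f)


# Constructed sample metadata (hypothetical components, not from any real package).
_X = f'xmlns="{MD_NS}"'
SAMPLE = {
    "legacyPanel.cmp-meta.xml": f"<AuraDefinitionBundle {_X}><apiVersion>39.0</apiVersion></AuraDefinitionBundle>",
    "orderList.cmp-meta.xml": f"<AuraDefinitionBundle {_X}><apiVersion>52.0</apiVersion></AuraDefinitionBundle>",
    "noVersion.cmp-meta.xml": f"<AuraDefinitionBundle {_X}><description>d</description></AuraDefinitionBundle>",
    "lwcTile.js-meta.xml": f"<LightningComponentBundle {_X}><apiVersion>39.0</apiVersion></LightningComponentBundle>",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

In a real project the mapping passed to `scan` would be built by reading each `*-meta.xml` file under the package's `aura` directory.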