FAQ-001121 - Lightning Web Components and JavaScript Security / Component Design and Security Compliance

To design LWC components that comply with security requirements while maintaining necessary UI functionality, follow these best practices: 1. **Use Static Resources**: Include all scripts and styles as static resources in your package. Avoid dynamically loading JavaScript or CSS directly into components. 2. **Enable LockerService**: Use API version 40 or later to ensure LockerService is enabled, providing namespace isolation and preventing cross-namespace security issues. 3. **Sanitize User Data**: Sanitize any user-controlled data before rendering it in the component. Use secure filters or libraries to prevent vulnerabilities like cross-site scripting (XSS). Avoid binding user-controlled data to unsafe attributes like `iframe src` or `a href` without proper sanitization. 4. **CSS Positioning**: Avoid using `position: absolute` or `position: fixed` in component CSS unless the component is not exposed outside the namespace or is limited to specific pages. This prevents interference with other UI elements. 5. **Secure Attributes**: Be cautious with attributes in the expression language. Sanitize values in the controller or use private variables to bind sanitized data. 6. **Community Declaration**: Explicitly declare components as available for communities if they are intended for use outside Salesforce internal pages. 7. **Avoid Inline JavaScript**: Do not use inline JavaScript in web links or other components, as it can bypass namespace isolation and create security risks. 8. **Prevent Clickjacking**: Avoid styles like `position: absolute` that could lead to clickjacking vulnerabilities. Ensure components do not obscure other UI elements. By adhering to these guidelines, you can ensure your LWC components are secure and functional.