FAQ-001651 - Salesforce Platform Security Responsibility / Specific Security Concerns

Using `sessionId` in Salesforce has significant security implications: **Security Risks:** - **Session hijacking**: Exposed session IDs can be stolen and used by attackers - **CSRF attacks**: Vulnerable to cross-site request forgery when sessions aren't properly protected - **Token leakage**: Session IDs in logs, URLs, or client-side code create security vulnerabilities **Best Practices:** - Use Named Credentials instead of hardcoded session IDs for external callouts - Never expose session IDs in client-side code (JavaScript, Visualforce pages) - Avoid passing session IDs in URL parameters - For triggers: You're right - triggers run in system context and don't require session IDs **Handling Vulnerability Findings:** When security scanners flag sessionId usage: 1. Review if the sessionId is actually needed for your use case 2. Replace with secure alternatives like Named Credentials 3. If sessionId is necessary, ensure it's used server-side only 4. Document the security justification for any remaining usage For Salesforce-provided components with findings, focus on your code's interaction with those components rather than trying to fix the platform itself.

The original answer had several issues that needed addressing: 1) There was confusing text at the beginning ('below line needs to be removed trigger doesn't require session id') that appeared to be editing notes rather than actual FAQ content - this was removed and integrated properly. 2) The answer was incomplete and cut off mid-sentence. 3) The content needed to be more comprehensive about sessionId security implications while maintaining the existing structure. The improvements clarify the security risks, provide actionable best practices, and give clear guidance on handling vulnerability findings. I selected the security rules because they directly relate to sessionId usage concerns: AvoidApiSessionId flags general sessionId usage, the AvoidUnauthorized* rules detect unauthorized sessionId access in different contexts (Apex, Visualforce, getSessionId calls), and ApexCSRF relates to session-based CSRF vulnerabilities that can occur with improper sessionId handling. The FAQ content discusses sessionId security implications and vulnerability handling, which directly maps to what these rules detect and prevent.