This content describes an older version of this product.

Security Tips for Apex and Visualforce Development

Understanding Security

The powerful combination of Apex and Visualforce pages allows Lightning Platform developers to provide custom functionality and business logic to Salesforce or create a completely new stand-alone product running inside the Lightning platform. However, as with any programming language, developers must be cognizant of potential security-related pitfalls.

Salesforce has incorporated several security defenses into the Lightning platform itself. However, careless developers can still bypass the built-in defenses in many cases and expose their applications and customers to security risks. Many of the coding mistakes a developer can make on the Lightning platform are similar to general Web application security vulnerabilities, while others are unique to Apex.

To certify an application for AppExchange, it’s important that developers learn and understand the security flaws described here. For additional information, see the Lightning Platform Security Resources page on Salesforce Developers at https://developer.salesforce.com/page/Security.