Lightning Aura Components Developer Guide
Lightning Locker
Lightning Locker is a security architecture for Lightning components. Lightning Locker enhances security by isolating Lightning components that belong to one
namespace from components in a different namespace. Lightning Locker also promotes best
practices that improve the supportability of your code by only allowing access to supported
APIs and eliminating access to non-published framework internals.
- JavaScript Strict Mode Enforcement
  Lightning Locker implicitly enables JavaScript strict mode. You don’t need to specify "use strict" in your code. JavaScript strict mode makes code more secure, robust and supportable.
- DOM Access Containment
  A component can only traverse the DOM and access elements created by a component in the same namespace. This behavior prevents the anti-pattern of reaching into DOM elements owned by components in another namespace.
- Secure Wrappers
  For security, Lightning Locker restricts the use of global objects by hiding an object or by wrapping it in a secure version of the object. For example, the secure version of window is SecureWindow. Locker intercepts calls to window and uses SecureWindow instead. Some methods and properties have different behavior or aren’t available on the secure objects.
- eval() Function is Limited by Lightning Locker
  In Lightning Locker, use of the eval() function is supported to enable use of third-party libraries that evaluate code dynamically. However, it is limited to work only in the global scope of the namespace. The eval() function can’t access the local variables within the scope in which it’s called.
- MIME Types Permitted
  Lightning Locker analyzes the MIME types used in Blob objects. Locker permits some MIME types, sanitizes some MIME types, and blocks the rest.
- Access to Supported JavaScript API Framework Methods Only
  You can access published, supported JavaScript API framework methods only. Previously, unsupported methods were accessible, which exposed your code to the risk of breaking when unsupported methods were changed or removed.
- What Does Lightning Locker Affect?
  Find out what’s affected and what’s not affected by Lightning Locker.
- Lightning Locker Tools
  Lightning Locker tools help you develop more secure code that is compatible and runs efficiently with Lightning Locker.
- Select the Locker API Version for an Org
  Select the API version used by Lightning Locker across your org. The default is the current API version, which includes the latest Locker security enhancements. Select an earlier API version when custom components only comply with Locker in an older version. When components become compliant with the current security enhancements, you can change the setting to the current API version.
- Disable Lightning Locker for a Component
  Disable Lightning Locker for an Aura component by setting the Salesforce API version to 39.0 or lower for the component. If a component is set to at least API version 40.0, Lightning Locker is enabled.
- Don’t Mix Component API Versions
  For consistency and ease of debugging, we recommend that you set the same Salesforce API version for all custom components in your app, containment hierarchy (component within component), or extension hierarchy (component extending component).
- Lightning Locker Disabled for Unsupported Browsers
  Lightning Locker relies on some JavaScript features in the browser: support for strict mode, the Map object, and the Proxy object. If a browser doesn’t meet the requirements, Lightning Locker can’t enforce all its security features and is disabled.
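
The strict mode and eval() behavior described in the list above, as an added example that is not from the Salesforce guide. It uses standard JavaScript (a function-level "use strict" directive and an indirect eval call) as a stand-in that produces the same visible effects in any browser or Node.js; it is not Locker's implementation, and all function names are hypothetical.

```javascript
// Strict mode, which Locker enables implicitly, changes two things that
// legacy component code often relies on.
function strictModeEffects() {
  "use strict"; // stand-in for Locker's implicit strict mode
  const results = {};
  try {
    undeclaredCounter = 1; // sloppy mode would silently create a global
    results.implicitGlobal = "created";
  } catch (e) {
    results.implicitGlobal = e.name; // strict mode throws instead
  }
  // In a plain function call, `this` is undefined rather than the global object.
  results.thisInPlainCall = (function () { return typeof this; })();
  return results;
}

// Direct eval runs in the caller's scope and can read its local variables.
function directEval() {
  const localValue = "only visible in this function";
  return eval("typeof localValue");
}

// Calling eval through a reference makes it an indirect eval, which runs in
// global scope. The effect matches what the guide describes for eval() under
// Locker: local variables of the calling scope are not visible.
function globalScopeEval() {
  const localValue = "only visible in this function";
  const globalEval = eval;
  return globalEval("typeof localValue");
}

// Code that must work with global-scope eval passes its inputs explicitly
// instead of relying on captured locals. `source` must be trusted code,
// never user-supplied text.
function evalWithExplicitInput(source, input) {
  const globalEval = eval;
  const fn = globalEval("(function (input) { return " + source + "; })");
  return fn(input);
}
```

A third-party library that fails under Locker with a ReferenceError inside evaluated code is usually relying on the direct-eval behavior shown in `directEval`.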