
Authorization and Access Control

Authorization and access control ensures that your users can only access resources they’re permitted to use in a web application. Common vulnerabilities include directory traversal, insecure direct object reference, bypassing authorization mechanisms, and privilege escalation.

Understand User Roles and Access Control

User roles help in managing access rights and other privileges for your web applications.

  • Unauthenticated users can access only the login page.
  • Regular users can use most parts of the application but can’t access areas such as maintenance or setup pages.
  • Administrators have full access, including to the restricted areas of the application.

Sometimes users can gain unauthorized access, called an authorization bypass. A specific type of authorization bypass, called privilege escalation, happens when a user with limited access gains permissions for a higher-level role, like an administrator. This authorization bypass can result in access to sensitive or restricted features.
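The three roles and the two bypass types above, in a small Python model added here as an example (not code from this documentation): a role ladder with a per-page check, an insecure direct object reference beside its ownership-checked form, and a role-change endpoint vulnerable to privilege escalation beside its fixed form. All names and sample data are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Role(IntEnum):
    ANONYMOUS = 0
    USER = 1
    ADMIN = 2

@dataclass
class User:
    id: int
    role: Role

class Forbidden(Exception):
    pass

# Constructed sample data: invoices keyed by id, each owned by one user id.
INVOICES = {101: {"owner": 1, "total": 40}, 102: {"owner": 2, "total": 99}}
# Minimum role for each page; mirrors the three roles described above.
PAGE_MIN_ROLE = {"/login": Role.ANONYMOUS, "/dashboard": Role.USER, "/setup": Role.ADMIN}

def can_view_page(user, path):
    # Unknown paths default to admin-only (deny by default).
    return user.role >= PAGE_MIN_ROLE.get(path, Role.ADMIN)

def get_invoice_vulnerable(user, invoice_id):
    # Insecure direct object reference: any logged-in user can read any
    # invoice by supplying its id, because ownership is never checked.
    if user.role < Role.USER:
        raise Forbidden("login required")
    return INVOICES[invoice_id]

def get_invoice_fixed(user, invoice_id):
    # Hardened: require login, then enforce ownership unless the caller is an admin.
    if user.role < Role.USER:
        raise Forbidden("login required")
    invoice = INVOICES.get(invoice_id)
    # Missing and not-owned get the same response, so ids can't be enumerated.
    if invoice is None or (invoice["owner"] != user.id and user.role < Role.ADMIN):
        raise Forbidden("no such invoice for this user")
    return invoice

def set_role_vulnerable(actor, target, new_role):
    # Privilege escalation: the caller's role is never checked, so a regular user can self-promote.
    target.role = new_role

def set_role_fixed(actor, target, new_role):
    if actor.role < Role.ADMIN:
        raise Forbidden("administrators only")
    target.role = new_role
```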

The way these vulnerabilities appear in a web application is often application-specific, but common authorization vulnerabilities exist, can be tested for, and are cited in the CWE/SANS Top 25 Most Dangerous Programming Errors report.