
Secure Coding Cross Site Request Forgery

Learn how to protect your AppExchange solutions from Cross-Site Request Forgery (CSRF), a security threat where a malicious website manipulates a user's browser to perform unauthorized actions without their knowledge. You can implement Salesforce-specific defense strategies across Aura, Lightning Web Components (LWC), Visualforce, and Flows.

Understand Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) is a security vulnerability where an attacker tricks a logged-in user into performing unintended actions in a web application. In Salesforce, an attacker can abuse an authenticated user's session to modify records, change settings, or trigger business logic without the user's consent.

Here are a few threats that CSRF poses.

  • Any exposed Visualforce pages, Lightning components, or custom Apex endpoints in your package can be misused if unprotected.
  • CSRF attacks can cause unauthorized changes in Salesforce, harming data integrity and user trust.
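As an added illustration (not code from the original page or from Salesforce), the Visualforce markup below contrasts the pattern that exposes a page to CSRF with the pattern that relies on the platform's built-in anti-CSRF token; the controller `AccountCleanupController` and its method `deleteSelected` are assumed names for the example.

```xml
<!-- Added example, constructed for illustration; controller and method names are assumed. -->

<!-- File 1: VULNERABLE pattern.
     The page-level action attribute runs deleteSelected() on every GET of the
     page, before any form is rendered, so no anti-CSRF token is ever checked.
     Simply causing a logged-in user's browser to load this URL is enough to
     perform the deletion in that user's session. -->
<apex:page controller="AccountCleanupController" action="{!deleteSelected}">
    <apex:outputText value="Records deleted." />
</apex:page>

<!-- File 2: HARDENED pattern.
     The deletion is reachable only through a postback from an <apex:form>,
     which Salesforce stamps with a per-session anti-CSRF token and verifies on
     the server. The page-load action is gone, so a GET of this URL only
     renders the confirmation and changes nothing. -->
<apex:page controller="AccountCleanupController">
    <apex:form>
        <apex:pageMessages />
        <apex:outputText value="The selected accounts will be deleted." />
        <apex:commandButton value="Confirm delete" action="{!deleteSelected}" />
    </apex:form>
</apex:page>
```

The check to apply during package review is the same as the example shows: any `action` attribute on `<apex:page>` that performs DML or other state changes should be moved behind an explicit user action inside an `<apex:form>`.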

For additional guidance and best practices, refer to: