Protect Credentials and Sensitive Data

Apply these guidelines to keep credentials, PII, and secrets out of source control, logs, and response payloads.

Your connector handles sensitive data, including:

  • Credentials: API keys, tokens, and passwords
  • PII (personally identifiable information): names, email addresses, postal addresses, and similar personal details
  • Secrets: Any value that must remain confidential

This guide uses "credentials" for authentication data and "sensitive data" for all confidential information.

Don't Hardcode Secrets

Hardcoded API keys, tokens, and passwords ship to every subscriber org and persist in source control.

Do: Read credentials from environment variables that your runtime injects, not from hardcoded values in your script.

Don't: Inline credential values as DataWeave variables.

Example

Vulnerable

var apiKey = "sk_live_123456"
---
{ key: apiKey }

Secure

import * from dw::System
var apiKey = envVar("API_KEY")
---
{ hasKey: apiKey != null }

Don't Log Payloads

DataWeave log() output appears in customer debug logs. Logging a full payload leaks tokens, PII, and credentials into every customer's logging backend.

Do: Log only specific scalar fields that you've confirmed are safe to expose.

Don't: Pass payload or other composite values into log().

Example

Vulnerable

log("incoming-payload", payload)

Secure

log("user-event", { userId: payload.userId, action: payload.action })

Don't Expose Environment Variables

The envVar() and envVars() functions return system properties that often hold secrets. When you echo them into a response shape, those secrets leak to Flow Builder and downstream consumers.

Do: Use envVar("WHITELISTED_KEY") for narrowly scoped lookups when justified.

Don't: Use envVars() or echo system properties into output.

Example

Vulnerable

import * from dw::System
---
{ env: envVars() }

Secure

import * from dw::System
---
{ serviceMode: envVar("SERVICE_MODE") }
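The three rules above combined in one script, as an added example that is not part of the original guide. The payload is a constructed sample, the safeFields allowlist is an assumption about which fields this connector may expose, and API_KEY and SERVICE_MODE are the variable names used in the examples above.

```dataweave
%dw 2.0
output application/json
import * from dw::System

// Constructed sample input standing in for the connector payload (assumption).
// It deliberately mixes safe scalars with a token and an email address.
var samplePayload = {
  userId: "u-123",
  action: "login",
  token: "tok-constructed-value",
  email: "person@example.com",
  profile: { phone: "555-0100" }
}

// Allowlist of scalar fields confirmed safe to log (assumption for this example).
var safeFields = ["userId", "action"]

// Keep only allowlisted keys whose values are scalars, so a nested object
// or a newly added sensitive field never reaches log() by accident.
fun safeView(p: Object): Object =
  p filterObject ((value, key) ->
    (safeFields contains (key as String))
      and (value is String or value is Number or value is Boolean))

// Credentials are read from the runtime environment, never inlined,
// and the response reports presence rather than the value itself.
var apiKey = envVar("API_KEY")
---
{
  // log() returns its value, so only the redacted view is both logged and returned
  event: log("user-event", safeView(samplePayload)),
  hasKey: apiKey != null,
  // one narrowly scoped lookup instead of echoing envVars()
  serviceMode: envVar("SERVICE_MODE") default "unset"
}
```

Running this yields an event object containing only userId and action; the token, email, and nested profile are dropped before log() is called.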