ISVforce Guide
Summer '26 (API version 67.0)
Secure Your Flow Connectors
Custom Flow connectors run in subscriber orgs and must pass the AgentExchange Security
Review. This guide helps you write secure DataWeave code that protects customer data and passes
review on the first submission. Apply these guidelines to the DataWeave code in your connector's
JAR. Before you submit the package for Security Review, run the Salesforce Code Analyzer (SFCA)
Custom rules against it. The Custom rules detect security-related issues
automatically.
- Protect Credentials and Sensitive Data
  Your connector handles sensitive data, including credentials, PII, and secrets. Apply these guidelines to keep that data out of source control, logs, and response payloads.
- Don't Run Untrusted Code or Make Untrusted Calls
  Several DataWeave functions execute code or fetch remote content. When their parameters come from user input, an attacker can run arbitrary code in your connector or reach internal services.
- Validate Input from Flow Builder
  DataWeave processes any input structure that your connector receives from Flow. Validate every input before you process it to catch malformed data and avoid security issues.
- Filter Response Data
  Return only the data that Flow needs. When you return more data than necessary, you expose internal fields and sensitive data to every Flow that uses your connector.
- Handle Errors Without Leaking Information
  Errors from your connector reach Flow Builder users and downstream consumers. Sanitize error output so it doesn't expose implementation details or raw upstream responses.
- Use Strong Cryptography
  DataWeave includes weak hash functions and encoding helpers that can look like security controls. Choose appropriate algorithms when your connector hashes or encrypts data, and compare secrets carefully.
- Bound Resource Use
  Operations that scale with input size can exhaust CPU, memory, or stack. Bound every operation that runs over user-controlled input.
- Handle Specialized Data Formats Carefully
  If your connector handles these specialized formats, apply these security practices.
- Other Considerations
  These topics cover additional guidance from the DataWeave Secure Coding Guidelines. They apply to related runtimes outside the Flow connector context, or are awareness items worth noting for future releases.
- Common Reasons for Returned Submissions
  Security Review commonly returns Flow connector submissions for these reasons.
- Where to Get Help
  Resources for connector builder authoring questions, Security Review questions, and general partner questions.