Developing Secure Code

Aura components have a client-side security architecture that helps protect your custom components by automatically blocking or modifying any insecure behavior of APIs. This layer prevents components from accessing data that belongs to platform code or components from other namespaces without explicit permission.

To learn how to build components that work with Lightning Web Security (LWS) or the legacy architecture Lightning Locker, see the Security for Lightning Components guide.

The framework also uses JavaScript strict mode to turn on native security features in the browser, and Content Security Policy (CSP) rules to control the source of content that can be loaded on a page.
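As an added illustration of the strict-mode point above (not code from the Aura framework or the Salesforce documentation), the following script runs the same three probes in sloppy and strict mode and reports which ones the JavaScript engine blocks. The probe names and the `compile`, `runProbe` and `report` helpers are hypothetical; the script runs in any modern browser console or Node.js and does not exercise Lightning Locker, LWS or CSP.

```javascript
// Added illustration: compares sloppy and strict mode for three behaviours.
// Probe names and helpers are hypothetical, not Aura framework APIs.

// new Function() compiles sloppy code unless the body opts in to strict mode,
// so each probe can be run both ways regardless of how this file is loaded.
function compile(body, strict) {
  return new Function((strict ? '"use strict";\n' : '') + body);
}

const probes = {
  // A plain function call: sloppy mode binds `this` to the global object,
  // strict mode leaves it undefined, so the global is not handed out by accident.
  globalThisLeak: 'return (function () { return this; })() === globalThis;',
  // Assigning to an undeclared name: sloppy mode silently creates a global,
  // strict mode throws a ReferenceError.
  implicitGlobal: '__probeLeak = 1; return true;',
  // arguments.callee exposes the running function; strict mode throws a TypeError.
  calleeAccess:
    'return (function () { return typeof arguments.callee; })() === "function";'
};

// Returns 'allowed', 'denied', or 'throws <ErrorName>' for one probe and mode.
function runProbe(name, strict) {
  try {
    return compile(probes[name], strict)() ? 'allowed' : 'denied';
  } catch (err) {
    return 'throws ' + err.name;
  } finally {
    // Remove the global the sloppy implicitGlobal probe creates, so the
    // strict run starts from a clean state.
    delete globalThis.__probeLeak;
  }
}

// One row per probe with the outcome in each mode.
function report() {
  return Object.keys(probes).map(function (name) {
    return { probe: name, sloppy: runProbe(name, false), strict: runProbe(name, true) };
  });
}

console.table(report());
```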