Get Started with Security for Lightning Components

Lightning components, including both Lightning web components (LWC) and Aura components, have a client-side security architectural layer that protects your custom components. This layer prevents components from accessing data that belongs to platform code or components from other namespaces without explicit permission. It automatically blocks or modifies any insecure behavior of APIs.

You can enable either Lightning Web Security (LWS) or Lightning Locker as the security architecture for your org.

Lightning Web Security (LWS)

Lightning Web Security (LWS) is a newer security architecture that Salesforce first introduced in Spring ’22. LWS is based on the latest TC39 web standards and prevents unsafe code behavior by running components in virtual JavaScript sandboxes. LWS has fewer restrictions and more functionality than Lightning Locker. New orgs have Lightning Web Security (LWS) enabled by default.

Lightning Locker

Lightning Locker is the predecessor to LWS. Instead of using virtual JavaScript sandboxes, Lightning Locker wraps JavaScript objects in more secure versions to prevent behavior that isn't secure.

To evaluate whether your org is ready to move from Lightning Locker to LWS, check out these resources:

Regardless of the security architecture, Lightning components use JavaScript strict mode to turn on native security features in the browser and Content Security Policy (CSP) rules to control the source of content that can be loaded on a page.
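To make the strict-mode part of that statement concrete, the following added example (not Salesforce code) runs the same three snippets in sloppy and strict mode and reports what the engine allows. It is meant to be run in Node.js; the `probe` function and the `__demoImplicitGlobal` name are made up for this illustration.

```javascript
// Added illustration: compares sloppy-mode and strict-mode behaviour.
// A new Function() body is sloppy unless it carries its own directive,
// so the same snippet can be evaluated both ways from one file.
function probe(strict) {
  const prefix = strict ? '"use strict";\n' : '';
  const outcome = (body, ...args) => {
    try {
      return { threw: null, value: new Function('o', prefix + body)(...args) };
    } catch (err) {
      return { threw: err.name, value: undefined };
    }
  };

  // 1. `this` in a plain function call: global object vs. undefined.
  const self = outcome('return (function () { return this; })();');

  // 2. Assignment to an undeclared name: implicit global vs. ReferenceError.
  const leak = outcome('__demoImplicitGlobal = 1;');
  const leaked = '__demoImplicitGlobal' in globalThis;
  delete globalThis.__demoImplicitGlobal; // clean up after the sloppy run

  // 3. Write to a frozen object: silently ignored vs. TypeError.
  const frozen = Object.freeze({ locked: true });
  const write = outcome('o.locked = false;', frozen);

  return {
    thisIsGlobal: self.value === globalThis,
    implicitGlobalCreated: leaked,
    implicitGlobalError: leak.threw,
    frozenWriteError: write.threw,
    frozenStillLocked: frozen.locked,
  };
}

console.log('sloppy:', probe(false));
console.log('strict:', probe(true));
```

In strict mode a stray function call no longer receives the global object as `this`, a mistyped variable name cannot create a global, and a write to a frozen object fails loudly instead of being ignored.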