Handle Specialized Data Formats Carefully

If your connector handles these specialized formats, apply these security practices.

Parse XML with Safe Defaults

If your connector parses XML responses, keep the parser defaults unchanged. When you enable externalEntities or supportDtd, you expose the connector to XML External Entity (XXE) attacks and entity-expansion denial-of-service (the "Billion Laughs" attack).

Do: Call read(payload.xml, "application/xml") with no parser options.

Don't: Set externalEntities: true or supportDtd: true to work around a parsing issue.

Example

Vulnerable

read(payload.xml, "application/xml", { externalEntities: true, supportDtd: true })

Secure

read(payload.xml, "application/xml", { externalEntities: false, supportDtd: false })

Sanitize CSV Output

If your connector returns CSV, escape leading characters that spreadsheet apps interpret as formulas. A cell that starts with =, +, -, @, a tab, or a carriage return can run arbitrary commands when someone opens the CSV in Excel or Google Sheets.

Do: Prefix risky leading characters with a single quote before you write the CSV.

Don't: Write user-controlled strings into CSV cells without escaping.

Example

Vulnerable

payload.rows

Secure

payload.rows map ((r) -> r update {
  case v at .comment ->
    if (((v default "") as String) matches /^[=+\-@\x09\x0d].*/)
      ("'" ++ (v as String))
    else (v as String)
})
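The secure example above only neutralizes the `.comment` column. As an added example (not from the original page), the same check applied to every string cell of every row, assuming `payload.rows` is an array of objects with one object per CSV row:

```dataweave
%dw 2.0
output application/csv
// Added example, not from the original page.
// Prefix a single quote to any string cell whose first character a
// spreadsheet could treat as a formula trigger (=, +, -, @, tab, CR).
// [\s\S]* rather than .* so a cell containing a newline is still matched.
fun neutralizeCell(v) =
  if (v is String and (v matches /^[=+\-@\t\r][\s\S]*/)) "'" ++ v
  else v
---
// Assumption: payload.rows is an array of objects (one per row).
payload.rows map ((row) ->
  row mapObject ((value, key) -> { (key): neutralizeCell(value) })
)
```

Only values typed as String are touched, so a numeric field holding -5 is written unchanged; a string field holding "-5" gets the prefix, which is the intended trade-off.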

Validate Multipart File Uploads

If your connector accepts file uploads, multipart parts expose filenames, headers, and content verbatim, with no built-in validation of size, type, or path.

Do: Validate the file type and size, and sanitize filenames before you process or forward the file.

Don't: Pass multipart content to downstream components unchecked.

Example

Vulnerable

payload.parts mapObject ((v, k) -> { (k): v })

Secure

payload.parts filterObject ((v, k) ->
  ((v.headers."Content-Type" default "") in ["image/png", "image/jpeg"])
  and (sizeOf(v.content default ("" as Binary)) < 5_000_000)
)

Cap Excel Upload Size

If your connector reads Excel files, oversized or highly compressed .xlsx archives can expand to gigabytes (zip bombs) and exhaust memory or storage. Size checks alone don't stop all zip-bomb variants.

Do: Cap the binary size of an Excel upload before you call read(..., "application/xlsx").

Don't: Pass application/xlsx input through without a size check.

Example

Vulnerable

read(payload.xlsxBinary, "application/xlsx")

Secure

if (sizeOf(payload.xlsxBinary) <= 5_000_000)
  read(payload.xlsxBinary, "application/xlsx")
else
  fail("file-too-large")