Lightning Web Security

Lightning Web Security (LWS) is a security architecture that's designed to make it easier for your Lightning components to use secure coding practices. LWS is enabled by default for all orgs created in Winter ’23 and later. As of Summer ’23, LWS for Lightning web components and Aura components is generally available for all orgs. Previously, Lightning Locker was the default security architecture for Lightning components.

For an introductory overview of LWS, check out the Lightning Web Security Basics module on Trailhead.

Lightning Web Security is modeled after the latest TC39 standards to provide innovative, usable security for any UI component. This approach enables teams to safely use code from third parties without fear of threats such as cross-site scripting (XSS) attacks. The result is a more secure way to control the execution of code within the UI layer without forcing developers to jump through hoops or abandon desired functionality.

The good news is that LWS doesn’t require refactoring your Lightning component code because your code already abides by the security practices that Lightning Locker also requires. Most existing Lightning components work seamlessly when you enable LWS.

Even better news is that you have the option to refactor your code so that your components can take advantage of LWS-only features. Your components run in an isolated JavaScript environment dedicated to your namespace, but they can import components and modules from other namespaces as if they’re all running in the same environment. The namespace isolation is transparent to the components because the architecture takes care of it seamlessly for you. As a result, some of the restrictions that your components observe when running in Lightning Locker aren’t necessary in Lightning Web Security.
