Secure Coding Guidelines

The following documentation walks you through the most common security issues Salesforce has identified while auditing applications built on or integrated with Force.com. This documentation takes into account that many of our developers write integration pieces with the Force.com platform and includes examples from other web platforms such as Java, ASP.NET, PHP and Ruby on Rails. The Force.com platform provides full or partial protection against many of these issues. It is noted when this is the case.

Consider this to be an easy to read reference and not a thorough documentation of all web application security flaws. More details on a broader spectrum of web application security problems can be found on the OWASP (Open Web Application Security Project) site.

After you feel comfortable with the topics here, please utilize the tools we are making available which will help in identifying many of these types of issues. Check out this page for the latest updates to the Security documentation on DeveloperForce.


1. Cross-Site Scripting
2. S(O)QL Injection
3. Cross Site Request Forgery
4. Secure Communications and Cookies
5. Storing Secrets
6. Arbitrary Redirects
7. Access Control
8. Lightning Security Best Practices
9. Marketing Cloud App Security
10. Secure PostMessage
11. Secure WebSockets

Please also look at our Dreamforce 2015 videos and slide decks covering secure coding guidelines for sharing, CRUD/FLS, mobile apps, external app integration, REST/SOAP API, and secret storage.

Security webinar series 2016

You can also watch the recordings from the 2016 Security Webinar series here: