jiten-singh-shahi/sf-security

Salesforce Security

Salesforce has a layered security model. Each layer must be respected in Apex code, SOQL queries, and UI components.

@../_reference/SECURITY_PATTERNS.md @../_reference/SHARING_MODEL.md

When to Use

• Preparing for a Salesforce security review or ISV managed package submission
• Apex classes missing with sharing or using unexplained without sharing
• SOQL queries using dynamic strings without bind variables
• CRUD/FLS checks absent from controller or service classes
• Running a security health check before a major deployment
• A penetration test or AppExchange security review flags vulnerabilities

CRUD Enforcement in Apex

WITH USER_MODE / AccessLevel.USER_MODE (see @../_reference/API_VERSIONS.md for minimum version)

The modern standard for CRUD + FLS enforcement. This replaces explicit CRUD checks and Security.stripInaccessible for most use cases.

// SOQL enforces both object CRUD and FLS for the running user
List<Account> accounts = [SELECT Id, Name FROM Account WITH USER_MODE];

// For DML, use Database methods with AccessLevel
Database.insert(records, false, AccessLevel.USER_MODE);
Database.update(records, false, AccessLevel.USER_MODE);
Database.delete(records, false, AccessLevel.USER_MODE);

When to Check CRUD

| Context | Check CRUD? | |---|---| | Apex called from LWC/Aura/VF page | Yes | | Service layer called by user-facing code | Yes | | Internal utility called by system batch | Usually no — runs in system context | | Apex REST/SOAP API endpoint | Yes | | Scheduled/Batch internal processing | Usually no — document justification |

---

Field-Level Security (FLS)

Security.stripInaccessible — Bulk FLS Enforcement

stripInaccessible() silently removes fields the user cannot access. The returned records look normal but stripped fields are null. Check getRemovedFields() before passing records downstream.

public List<Account> getAccountsForDisplay() {
    List<Account> accounts = [
        SELECT Id, Name, AnnualRevenue, SSN__c, Internal_Notes__c
        FROM Account WHERE Type = 'Customer'
    ];

    SObjectAccessDecision decision = Security.stripInaccessible(
        AccessType.READABLE, accounts
    );

    Map<String, Set<String>> removed = decision.getRemovedFields();
    if (removed.containsKey('Account')) {
        System.debug(LoggingLevel.WARN, 'Stripped fields: ' + removed.get('Account'));
    }

    return decision.getRecords();
}

WITH USER_MODE for FLS in SOQL

WITH USER_MODE throws a QueryException if the running user lacks field-level access to any field in the SELECT or WHERE clause. Use Security.stripInaccessible() when you need to silently remove inaccessible fields instead of throwing.

// Defensive approach: check accessibility first
List<String> selectFields = new List<String>{ 'Id', 'Name' };
if (Schema.SObjectType.Account.Fields.AnnualRevenue.getDescribe().isAccessible()) {
    selectFields.add('AnnualRevenue');
}
// ... build and execute dynamic SOQL with validated fields

---

Sharing Keywords

with sharing (Default)

public with sharing class AccountsSelector {
    public List<Account> selectAll() {
        return [SELECT Id, Name FROM Account]; // Only returns records user can see
    }
}

without sharing (Use Sparingly)

/**
 * Batch processor for automated data enrichment.
 * Uses without sharing because:
 * 1. Runs as a system user (scheduled job)
 * 2. Needs to process ALL accounts regardless of ownership
 * 3. Sharing is irrelevant for automated system processing
 */
public without sharing class AccountEnrichmentBatch
        implements Database.Batchable<SObject> {
    // ...
}

inherited sharing

// Adopts the sharing mode of the calling class
public inherited sharing class QueryHelper {
    public List<Account> getAccountsForCaller() {
        return [SELECT Id, Name FROM Account];
        // If called by "with sharing" class: enforces sharing
        // If called by "without sharing" class: bypasses sharing
        // If top-level: defaults to "with sharing"
    }
}

Decision Tree

User-facing (LWC, VF, Aura, REST API)?  → with sharing
Utility that respects caller's context?  → inherited sharing
Scheduled/batch as system user?          → without sharing (documented)
Permission elevation utility?            → without sharing (narrow scope, documented)
Unsure?                                  → with sharing

Sharing context does NOT propagate to called classes. A with sharing class calling a without sharing class runs the called method without sharing.

---

SOQL Injection Prevention

Static SOQL with Bind Variables (Preferred)

public List<Account> searchAccounts(String nameFilter) {
    return [SELECT Id, Name FROM Account WHERE Name = :nameFilter WITH USER_MODE];
}

Database.queryWithBinds (For Dynamic SOQL)

public List<Account> searchAccounts(String nameFilter) {
    Map<String, Object> binds = new Map<String, Object>{
        'nameFilter' => nameFilter
    };
    return Database.queryWithBinds(
        'SELECT Id, Name FROM Account WHERE Name = :nameFilter WITH USER_MODE',
        binds, AccessLevel.USER_MODE
    );
}

Safe Dynamic SOQL with Whitelist Validation

public class SafeDynamicQueryBuilder {
    private static final Set<String> ALLOWED_SORT_FIELDS = new Set<String>{
        'Name', 'CreatedDate', 'AnnualRevenue', 'Type'
    };
    private static final Set<String> ALLOWED_DIRECTIONS = new Set<String>{
        'ASC', 'DESC'
    };

    public List<Account> getAccountsSorted(String sortField, String sortDirection) {
        if (!ALLOWED_SORT_FIELDS.contains(sortField)) {
            sortField = 'Name';
        }
        if (!ALLOWED_DIRECTIONS.contains(sortDirection?.toUpperCase())) {
            sortDirection = 'ASC';
        }

        String query = 'SELECT Id, Name, AnnualRevenue, Type '
                     + 'FROM Account WITH USER_MODE '
                     + 'ORDER BY ' + sortField + ' ' + sortDirection
                     + ' LIMIT 200';
        return Database.query(query);
    }
}

---

XSS Prevention

Visualforce — Use Context-Appropriate Encoding

<!-- HTML body → HTMLENCODE -->
<div>{!HTMLENCODE(accountDescription)}</div>

<!-- JS string → JSENCODE -->
<script>var accountName = '{!JSENCODE(account.Name)}';</script>

<!-- JS in HTML attribute → JSINHTMLENCODE -->
<div onclick="handleClick('{!JSINHTMLENCODE(account.Name)}')">Click</div>

<!-- URL parameter → URLENCODE -->
<a href="/mypage?name={!URLENCODE(account.Name)}">View</a>

<!-- Safe by default -->
<apex:outputField value="{!account.Name}" />
<apex:outputText value="{!account.Description}" escape="true" />

LWC — Safe by Default

LWC templates auto-encode HTML. Avoid innerHTML:

// Safe — LWC encodes the value as text content
this.accountName = '<script>alert(1)</script>'; // Rendered as literal text

// Use textContent, not innerHTML
this.template.querySelector('.description').textContent = userProvidedContent;

// For rich text, use lightning-formatted-rich-text (sanitizes automatically)

---

Named Credentials and External Credentials

Secure Callout Pattern

public class ERPIntegrationService {
    public HttpResponse callERPEndpoint(String path, String method, String body) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:ERP_System' + path);
        req.setMethod(method);
        req.setHeader('Content-Type', 'application/json');
        if (String.isNotBlank(body)) {
            req.setBody(body);
        }
        return new Http().send(req);
    }
}

What Belongs in Named/External Credentials

• OAuth client secrets, API keys, JWT private keys
• Endpoint URLs (use Named Credentials, not hardcoded strings)
• Per-user vs Named Principal authentication

Custom Metadata for Configuration

// No SOQL limits, deployable config
Map<String, Service_Config__mdt> configs = new Map<String, Service_Config__mdt>();
for (Service_Config__mdt config : Service_Config__mdt.getAll().values()) {
    configs.put(config.DeveloperName, config);
}

---

Enterprise Security Features

Shield Platform Encryption

| Encryption Type | Query Support | Use Case | |---|---|---| | Deterministic | Exact match only in WHERE | SSN lookup, email search | | Probabilistic | No SOQL filtering | Health data, financial records |

Encrypted fields cannot be used in ORDER BY, GROUP BY, or LIKE queries (probabilistic). Code must handle null returns when user lacks decryption permission.

Event Monitoring

• Login Events — detect unauthorized access
• API Events — detect data exfiltration
• Report Export Events — data loss prevention

Transaction Security

Real-time threat detection: block large data exports, enforce MFA for sensitive operations, block restricted locations.

---

Common Security Review Failures

| Failure | Fix | |---|---| | CRUD not checked before DML | Use AccessLevel.USER_MODE | | FLS not checked before field access | Use WITH USER_MODE or stripInaccessible | | Dynamic SOQL with string concatenation | Use bind variables or queryWithBinds() | | without sharing on user-facing class | Switch to with sharing | | Hardcoded credentials | Use Named/External Credentials | | Sensitive data in debug logs | Remove System.debug of PII | | Unrestricted SOQL rows | Add WHERE + LIMIT | | innerHTML with user input | Use textContent or sanitized components |

---

Security Skills Cross-Reference

Security guidance is distributed across multiple skills. Use this index to find the right skill:

| Skill | Focus | Type | |---|---|---| | sf-security (this skill) | CRUD/FLS, sharing, injection, Named Credentials, AppExchange prep | Implementation guide | | sf-security-constraints | Hard never/always rules for security compliance | Constraint (auto-loaded) | | sf-apex-constraints | Apex-specific security: with sharing, bind variables, without sharing justification | Constraint (auto-loaded) | | sf-soql-constraints | SOQL injection prevention, selective queries, bind variables | Constraint (auto-loaded) | | sf-lwc-constraints | LWC XSS prevention, lwc:dom="manual" restrictions, CSP | Constraint (auto-loaded) |

Related

• Agent: sf-review-agent — For interactive, in-depth guidance
• Constraints: sf-security-constraints — Hard rules for security compliance