May 3, 2024

Common Vulnerabilities Impacting Security Reviews

Security Review Vulnerabilities are crucial considerations when preparing to launch your Salesforce app on the AppExchange platform. At Salesforce, trust is paramount, reflected in our thorough security reviews. This blog serves as your comprehensive guide to navigating the AppExchange security review process, ensuring your app is well-prepared for success with enhanced security measures.

Common Vulnerabilities

This blog post brings together development practices and a checklist to help you steer clear of common vulnerabilities during the AppExchange Security Review, making the process smoother and more efficient. The Vulnerabilities are listed below: 

1. Apex Class Security Checklist

Checklist Name Description
Guard Against SOQL SOSL Injection Use parameterized queries or bind variables instead of directly concatenating user input into a SOQL query to prevent injection attacks.
Implement Proper Sharing Settings Set appropriate sharing settings on objects based on user roles and profiles to control access.
Enforce Field-Level Security (FLS) for Create Operations Verify if users have the necessary permissions to access and modify the fields involved before allowing them to create records.
Avoid Hardcoding IDs Use dynamic queries or custom settings instead of hardcoding record IDs in code.
Bulkify Apex Methods Using Collections Design Apex methods to process collections of records efficiently instead of processing them one by one in a loop.
Ensure Field-Level Security (FLS) for Update Operations Verify that users have the required permissions to modify the fields being updated before updating records.
Secure CRUD Delete Operations Implement proper validation and authorization checks before allowing users to delete records.
Include Assert Statements in Test Methods Verify the expected behavior of code and detect any unexpected changes by including assert statements in test methods.
Avoid SOSL SOQL Statements Inside Loops Move SOSL or SOQL queries outside of loops to minimize query execution and reduce the risk of hitting governor limits.
Prevent Async Future Methods Inside Loops Avoid calling asynchronous future methods inside loops to prevent excessive resource consumption and potential governor limit issues.
Refrain from Hardcoding Trigger New Instances Utilize dynamic instantiation instead of hardcoding new instances of triggers to enhance code flexibility and maintainability.
Avoid DML Statements Inside Loops Perform DML operations outside of loops to minimize the number of database transactions and improve performance.
Include Where and Limit Clauses in Queries Always include WHERE and LIMIT clauses in queries to filter and limit the amount of data returned from the database.
Remove Debug Logs in Production Disable or remove debug logs from production code to prevent sensitive information exposure and improve performance.
Ensure Secure Storage of Sensitive Data Encrypt sensitive data at rest and in transit, and implement proper access controls to protect against unauthorized access.
Prevent Sensitive Information in Debug Statements Avoid logging sensitive information such as passwords or personal data in debug statements to prevent exposure in logs.
Avoid Sharing Violations Correctly configuring sharing rules and sharing settings prevents unauthorized access to data.
Enforce CRUD/FLS Security Use Apex managed sharing, field-level security, and object-level permissions to enforce CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) security.
Address Insecure Endpoints Review and secure any external endpoints or integrations to prevent security vulnerabilities such as injection attacks or data exposure.

2. LWC/Aura Components Security Checklist

Checklist Name Description
Avoid Creating and Binding Elements to the Document Object Use LWC or Aura component attributes and properties for dynamic rendering instead of directly manipulating the DOM using document methods.
Recommended to Keep CSS within the Component’s CSS File Rather Than Using Inline Styles Define CSS styles within the component’s CSS file to maintain separation of concerns and improve code maintainability.
Refrain from Hardcoding References to Static Resources Ensure flexibility and compatibility across environments by using relative paths or dynamic references to static resources.
Avoid Changing the DOM in the afterRender Lifecycle Hook Use the afterRender hook sparingly and avoid directly modifying the DOM to prevent unexpected behavior and performance issues.
Prevent DML Operations in the doInit, ConnectedCallback and renderedCallback Function Maintain separation of concerns and improve code readability by limiting DML operations in lifecycle hooks.
Avoid SOQL Queries Inside Loops, especially in doInit or Aura Iterations Minimize query execution and reduce the risk of hitting governor limits by moving SOQL queries outside of loops.
Remove All Console Logs in Production Prevent sensitive information exposure and improve performance by disabling or removing all console.log statements in production code.
Guard Against CSRF (Cross-Site Request Forgery) Attacks Implement CSRF protection mechanisms such as CSRF tokens or same-site cookie attributes to prevent unauthorized requests from malicious sources.
Address Lightning Component CSS Load Vulnerabilities Prevent CSS injection attacks and ensure only trusted stylesheets are loaded by reviewing and securing CSS loading mechanisms.
Address Lightning Component Insufficient Escaping Vulnerabilities Prevent XSS (Cross-Site Scripting) attacks and ensure user input is sanitized before rendering by properly escaping dynamic data.
Be Mindful of Async Code Vulnerabilities in Aura Components Prevent race conditions, data inconsistency, and potential security vulnerabilities by carefully handling asynchronous code.
Prevent CSS Loading Outside of Component Scope Prevent unintended styling conflicts and maintain encapsulation by scoping CSS styles to the component.
Ensure Proper Removal of Event Listeners from the DOM on Unrender Prevent memory leaks and improve performance by removing event listeners when the component is unrendered.
Limit Event Firing to Controller or Component Files, Avoid in Renderers Maintain code organization and avoid unnecessary event propagation by controlling event firing to specific controller or component files.
Avoid Changing Component Attributes During Render Cycles to Prevent Render Loops Prevent infinite loops and improve rendering performance by refraining from modifying component attributes during rendering.
Guard Against Cross-Site Scripting (XSS) Prevent XSS vulnerabilities in LWC and Aura components by sanitizing user input and properly escaping dynamic data.
Guard Against Insecure Session Cookie Handling Improve security and prevent session hijacking by implementing secure session cookie handling practices such as HttpOnly and Secure flags.
JavaScript Libraries Locker Check Prevent security vulnerabilities and ensure compatibility with Locker Service by reviewing and validating third-party JavaScript libraries used in components.

3. Visualforce Pages

Checklist Name Description
Avoid Including Multiple Forms in Visualforce Pages to Prevent Conflicts Ensure proper handling of form submissions and avoid conflicts by restricting each Visualforce page to containing only one ‘’ tag.
Refrain from Manipulating the Salesforce DOM with JavaScript Prevent unexpected behavior and potential security vulnerabilities by avoiding direct manipulation of the Salesforce DOM structure using JavaScript. Utilize standard Visualforce components and controllers for dynamic interactions.
Ensure the Use of Secure and Supported Software Versions for Visualforce Development Mitigate security risks and ensure compatibility with platform updates by keeping the Visualforce development environment up to date with the latest secure and supported software versions, including Salesforce releases, browser versions, and any third-party libraries or frameworks.

Tools Recommended

These are tools that can help to address the Security review Vulnerabilities: 

    • Salesforce Code Analyzer :A useful open-source tool for scanning code, identifying issues, and improving code quality by integrating it into your CI/CD process. Currently, it supports the PMD rule engine, PMD Copy Paste Detector, ESLint, RetireJS, and Salesforce Graph Engine 
    • Chimera: A cloud-based scanner service for running scans on third-party websites, but it’s only applicable to sites you own or can provide a token for.
    • Source Code Scanner (Checkmarx) — Source Code Scanner lets you schedule scans, download scan reports, search all the scans for your org, and manage scan credits for your orgs.
    • ZAP – An open-source web scanner from and can be used to scan third-party websites.
    • Retire.js – Insecure libraries can be risky for your web app, especially with “Using Components with Known Vulnerabilities” being part of the OWASP Top 10. Retire.js aims to identify versions with known vulnerabilities to improve your app’s security.
    • National Vulnerability Database – The NVD serves as the U.S. government’s repository for vulnerability management data, utilizing the Security Content Automation Protocol (SCAP).


As you navigate through the Salesforce AppExchange Security Review process, armed with the insights and tools outlined in this guide, consider delving into our companion blog, “Success Guide: How to Pass Salesforce AppExchange Review,” for additional clarity and simplicity in your journey. Remember, each step brings you closer not just to compliance, but also to building trust and confidence among your users.

By proactively addressing vulnerabilities and embracing best practices, you’re not just securing your app—you’re setting a standard for excellence in Salesforce app development. Keep navigating with confidence, and let your app shine on the AppExchange!

Share this post:

Discover more articles