sf-security
Implement Salesforce Commerce security across B2C and B2B platforms.
Before Writing Code
Always fetch the latest official documentation BEFORE implementing security controls:
- SLAS Security: WebSearch "Salesforce SLAS OAuth 2.1 security guide 2026" and WebFetch official Commerce API docs
- B2C Commerce Security: WebSearch "Salesforce B2C Commerce security best practices 2026" and WebFetch the security reference
- Salesforce Security Guide: WebSearch "Salesforce security guide OWASP 2026" and WebFetch official documentation
- PCI DSS Requirements: WebSearch "PCI DSS v4 requirements ecommerce 2026" for current compliance standards
Why: OAuth flows, CSRF protection patterns, encoding modes, and PCI requirements evolve. Live docs ensure correct implementation of current security standards.
Conceptual Architecture
Authentication
SLAS (B2C Commerce) -- OAuth 2.1 with PKCE:
| Client Type | Flow | Use Case |
|---|---|---|
| Public (browser/PWA Kit) | authorization_code_pkce | Guest and registered users |
| Private (server-side) | client_credentials | Guest sessions |
| Private (server-side) | authorization_code | Registered users |
| Any | Refresh token | Session extension |
PKCE (Proof Key for Code Exchange) is required for all public client flows. Guest tokens enable anonymous shopping before login.
Salesforce OAuth (B2B Commerce):
| Flow | Use Case |
|---|---|
| Connected Apps | OAuth application registration |
| JWT Bearer | Server-to-server authentication |
| Web Server Flow | User authorization with redirect |
Session Management:
- Secure, random, unpredictable session IDs
- Token expiration with renewal handling
- Secure cookies: HttpOnly, Secure, SameSite attributes
- Session invalidation on logout, timeout, or security events
Token Lifecycle:
| Token | Typical TTL | Storage |
|---|---|---|
| Access Token | 30 minutes | Memory or httpOnly cookie |
| Refresh Token | 30 days | httpOnly cookie (never localStorage) |
| CSRF Token | Per request | Hidden form field or custom header |
XSS Prevention
B2C Commerce (ISML):
| Encoding Mode | Context |
|---|---|
htmlcontent | HTML body text |
htmlsinglequote / htmldoublequote | HTML attributes |
jshtml | JavaScript strings in HTML |
jsonvalue | JSON data |
uricomponent | URL parameters |
Always use <isprint> with explicit encoding. Never use raw ${variable} for user-controlled data. Set Content Security Policy headers to restrict script sources.
B2B Commerce (LWC):
- Automatic encoding in Lightning template expressions
- Lightning Web Security (LWS) replaces Locker Service (Spring '23+)
- Use
textContentinstead ofinnerHTMLin JavaScript - Use
lightning-formatted-*components for safe rendering
Content Security Policy
| Directive | Purpose |
|---|---|
default-src | Fallback for all resource types |
script-src | Allowed script sources (restrict to self and trusted CDNs) |
style-src | Allowed stylesheet sources |
img-src | Allowed image sources |
connect-src | Allowed API/fetch targets |
frame-ancestors | Clickjacking protection |
Configure CSP headers in Business Manager or via server configuration. Use nonce or hash for inline scripts rather than unsafe-inline.
CSRF Protection
B2C Commerce: Validate tokens with CSRFProtection.validateRequest() in controllers. Generate tokens with CSRFProtection.generateToken(). Include hidden token fields in all state-changing forms. Use double-submit cookie pattern for AJAX.
B2B Commerce: Built-in Salesforce CSRF protection. <lightning-input> includes tokens automatically. @AuraEnabled Apex methods have CSRF protection.
Input Validation
| Layer | Technique |
|---|---|
| Client-side | HTML5 validation, JavaScript checks (UX only, not security) |
| Server-side | Whitelist validation, type checking, length limits |
| Form definitions | SFCC XML form definitions with validation rules |
| Query API | Parameterized queries -- never string concatenation |
Always validate on the server. Client-side validation is a convenience, not a security measure.
PCI Compliance
| Requirement | Implementation |
|---|---|
| Tokenization | Never store raw card numbers; use tokenized payment methods |
| SAQ-A Scope | Use hosted payment fields to minimize PCI scope |
| TLS 1.2+ | Enforce for all API communication and payment processing |
| Log Masking | No card data in application logs |
| Gateway | Use Salesforce Commerce Payments or validated third-party processors |
RBAC (Role-Based Access Control)
B2C Commerce: Business Manager roles (Admin, Merchant, Content) with granular, site-specific permissions. Custom roles for organization-specific needs.
B2B Commerce: Salesforce profiles and permission sets. Buyer permissions control ordering (browse, cart, checkout, approve). Account hierarchy restricts visibility based on relationships.
B2B Sharing Rules:
- Organization-wide defaults set baseline visibility
- Sharing rules grant additional access to specific groups
- Account hierarchies provide implicit sharing up the chain
- Manual sharing for ad-hoc access grants
OWASP Top 10 Protections
| Threat | Mitigation |
|---|---|
| Injection | Parameterized queries via Query API; input whitelisting |
| Broken Auth | SLAS/OAuth best practices; MFA where available; strong password policies |
| Sensitive Data Exposure | Salesforce Shield encryption at rest (B2B); TLS in transit; log masking |
| Security Misconfiguration | Disable dev features in production; change default credentials; suppress stack traces |
| Access Control | Authorization checks on every request; least privilege principle |
| Monitoring | Log authentication events, failed logins, suspicious activity |
Best Practices
Implementation
- Always encode output using the correct mode for context (HTML, JS, URL, JSON).
- Validate input at the boundary -- whitelist acceptable values, reject everything else.
- Implement CSRF protection on all state-changing operations.
- Enforce TLS 1.2+ for all communications.
Credentials and Access
- Rotate API keys, client secrets, and certificates on a regular schedule.
- Grant minimum necessary permissions (least privilege).
- Restrict customer data access to authorized users and systems only.
- Store credentials in Business Manager services or Salesforce Named Credentials, never in code.
Operations
- Log authentication events, failed login attempts, and suspicious activity.
- Audit code for security issues regularly; conduct penetration testing.
- Keep dependencies updated; scan for known vulnerabilities.
- Maintain an incident response plan for security breaches.
Fetch the SLAS OAuth 2.1 guide, B2C Commerce security reference, and Salesforce OWASP documentation for exact token flows, encoding specifications, and compliance requirements before implementing.