Apex Security Best Practices for Salesforce Applications

As businesses increasingly rely on Salesforce to manage their critical data, ensuring data security has become more important than ever. Apex, Salesforce’s proprietary programming language, runs in system mode by default, bypassing object- and field-level security. To protect sensitive data, developers need to enforce strict security measures.

This blog will explore Apex security best practices, including enforcing sharing rules, field-level permissions, and user access enforcement to protect your Salesforce data.

Why Apex Security is Critical for Your Salesforce Applications

Apex’s ability to bypass security settings puts the onus on developers to implement proper Salesforce security practices. Without these protections, your Salesforce application might unintentionally expose sensitive data to unauthorized users.

By following best practices such as enforcing sharing rules, validating inputs, and using security-enforced SOQL queries, you can significantly reduce the risk of data breaches and ensure your app adheres to the platform’s security standards.

Enforcing Sharing Rules in Apex to Maintain Data Security

Sharing rules are central to controlling data access in Salesforce. Apex doesn’t automatically respect these sharing rules unless explicitly instructed to do so. Here’s how to enforce them in your Apex code:

Using with sharing in Apex Classes

  • with sharing: Enforces the current user's sharing settings, so queries and DML only touch records that user is allowed to see or edit.
  • without sharing: Ignores sharing rules; used for administrative tasks or system-level operations where access should not be restricted by the caller's visibility.
  • inherited sharing: Takes the sharing mode of the calling class, and runs with sharing when the class is itself the entry point (for example, a controller invoked directly).

Best Practice: Always use with sharing unless you explicitly need to override sharing rules for specific use cases. This ensures your code complies with Salesforce security standards.

Example

public with sharing class AccountHandlerWithSharing {
    public void fetchAccounts() {
        // The class is declared with sharing, so the query returns only
        // the Accounts the current user is allowed to see
        List<Account> accounts = [SELECT Id, Name FROM Account];
    }
}

public without sharing class AccountHandlerWithoutSharing {
    public void fetchAccounts() {
        // Declared without sharing: sharing rules are ignored and every
        // Account in the org is returned, whoever the caller is
        List<Account> accounts = [SELECT Id, Name FROM Account];
    }
}

Enforcing Object and Field-Level Permissions in Apex

Apex operates in a system context by default, bypassing object- and field-level security. You must manually enforce these security measures to ensure your code respects user access rights.

Using WITH SECURITY_ENFORCED in SOQL Queries

The WITH SECURITY_ENFORCED keyword ensures that Salesforce performs a permission check on fields and objects in your SOQL query, ensuring that only accessible data is returned.

Example

List<Account> accounts = [
    SELECT Id, Name
    FROM Account
    WHERE Industry = 'Technology'
    WITH SECURITY_ENFORCED
];

This approach guarantees that only fields and objects the current user can access are returned in your query results. Note that the check is all-or-nothing: if the running user lacks access to any object or field referenced in the query, the query throws a System.QueryException rather than returning partial results, so either catch it or use stripInaccessible where silent filtering is the behaviour you want.

Using the stripInaccessible Method to Filter Inaccessible Data

Salesforce provides the stripInaccessible method, which removes inaccessible fields or relationships from query results. It also helps prevent runtime errors by ensuring no inaccessible fields are used in DML operations.

Example

List<Account> accounts = [SELECT Id, Name FROM Account LIMIT 1];
// stripInaccessible takes a list of records and returns an access decision,
// not a stripped sObject directly
SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, accounts);
List<Account> sanitizedAccounts = (List<Account>) decision.getRecords();

Using stripInaccessible ensures that any fields or relationships the user cannot read are stripped out of the Account records before any further processing; decision.getRemovedFields() reports which fields were removed.

Apex Managed Sharing: Programmatically Share Records

Apex Managed Sharing can be a powerful tool when you need to manage record access dynamically. This feature allows developers to programmatically share records with specific users or groups.

Example

public void shareRecord(Id recordId, Id userId) {
    CustomObject__Share share = new CustomObject__Share();
    share.ParentId = recordId;       // the record being shared
    share.UserOrGroupId = userId;    // user or public group receiving access
    share.AccessLevel = 'Edit';      // 'Read' or 'Edit'; 'All' is owner-level access and cannot be set here
    share.RowCause = Schema.CustomObject__Share.RowCause.Manual; // or a custom sharing reason
    insert share;
}

This code lets you share a custom object record with a specific user and grant them Edit access. Apex Managed Sharing allows more flexible, dynamic record-sharing controls.

Security Tips for Apex and Lightning Development

Here are some critical tips for improving security in your Apex and Lightning applications:

Avoid Hardcoding IDs

Hardcoding Salesforce IDs, such as record IDs or profile IDs, can introduce security vulnerabilities and reduces code flexibility, since IDs differ between orgs and sandboxes. Retrieve IDs dynamically at runtime instead, and consider using Custom Settings or Custom Metadata for more flexible and secure configuration.

Validate User Inputs to Prevent Security Threats

It is essential to sanitize all user inputs to prevent threats like SOQL injection and Cross-Site Scripting (XSS). Always use parameterized queries (bind variables) and escape user input where it must be concatenated into a query or rendered in a page.
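An added example (not code from the original post) showing the SOQL injection risk above beside two hardened forms: a bind variable for the value, and an allowlist for a query part that cannot be bound. The class and field names are assumptions.

```apex
public with sharing class AccountSearch {

    // Vulnerable: the caller's string is concatenated straight into the query.
    // A single quote in the input closes the literal and the remainder of the
    // input is parsed as SOQL, so the WHERE clause no longer means what it says.
    public static List<Account> searchUnsafe(String industry) {
        String soql = 'SELECT Id, Name FROM Account WHERE Industry = \''
            + industry + '\'';
        return Database.query(soql);
    }

    // Hardened: a static query with a bind variable. The value is handed to the
    // query engine as data and is never parsed, and WITH SECURITY_ENFORCED adds
    // the object- and field-level check discussed earlier in the post.
    public static List<Account> searchSafe(String industry) {
        return [
            SELECT Id, Name
            FROM Account
            WHERE Industry = :industry
            WITH SECURITY_ENFORCED
        ];
    }

    // Field names cannot be bound, so when a query must be built dynamically
    // (here: a caller-chosen sort column) validate that part against a fixed
    // allowlist and keep binding the value. Database.query resolves :industry
    // from the local variable in scope.
    private static final Set<String> SORTABLE_FIELDS =
        new Set<String>{ 'Name', 'Industry' };

    public static List<Account> searchSorted(String industry, String orderBy) {
        if (!SORTABLE_FIELDS.contains(orderBy)) {
            throw new IllegalArgumentException('Unsupported sort field: ' + orderBy);
        }
        String soql = 'SELECT Id, Name FROM Account WHERE Industry = :industry'
            + ' WITH SECURITY_ENFORCED ORDER BY ' + orderBy;
        return Database.query(soql);
    }
}
```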

Use stripInaccessible in DML Operations

To prevent processing inaccessible fields, always use the stripInaccessible method when handling records containing fields restricted by user permissions.
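An added example (not code from the original post) applying this tip and the earlier stripInaccessible section to an insert: records that may have been built from user input are passed through stripInaccessible before the DML runs, and the stripped field names are returned instead of being lost silently. ContactWriter is a hypothetical class.

```apex
public with sharing class ContactWriter {

    // Inserts caller-supplied Contacts, dropping any field the running user is
    // not allowed to create. Because Apex runs in system mode, a plain "insert"
    // would otherwise write restricted fields straight through.
    // Returns the names of the stripped fields so the caller can surface them.
    public static List<String> insertAllowedFields(List<Contact> incoming) {
        // If the user lacks CREATE permission on Contact itself, this call
        // throws System.NoAccessException; let it propagate rather than
        // falling back to system-mode DML.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, incoming);

        List<String> removed = new List<String>();
        // getRemovedFields() maps sObject name -> stripped field names; the
        // entry is absent when nothing was removed, so guard against null.
        Set<String> removedForContact = decision.getRemovedFields().get('Contact');
        if (removedForContact != null) {
            removed.addAll(removedForContact);
        }

        // getRecords() returns new sObject instances with the stripped fields
        // unset; the caller's original list is left untouched.
        // For updates, use AccessType.UPDATABLE in the same way.
        insert decision.getRecords();
        return removed;
    }
}
```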

Review Sharing Contexts to Ensure Data Security

Ensure you use the correct sharing context for each class or trigger. Avoid granting unnecessary access by using with sharing for most of your classes.

Write Test Methods to Simulate User Permissions

Writing tests that simulate various user roles using System.runAs() is crucial to ensure your code respects sharing rules, field-level permissions, and other security settings.
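An added test (not code from the original post) that does this with System.runAs(): it checks, as a low-privilege user, that WITH SECURITY_ENFORCED rejects a query touching a hidden field and that stripInaccessible filters the same field. The 'Standard User' profile, the custom field Contact.Secret_Note__c being hidden from that profile, and the profile having Create on Contact are assumptions.

```apex
@IsTest
private class FieldAccessTest {

    // Builds a user on a low-privilege profile. 'Standard User' and the field
    // Contact.Secret_Note__c (hidden from that profile) are assumptions made
    // for this example.
    private static User makeRestrictedUser() {
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        return new User(
            Alias = 'rstrct', LastName = 'Restricted',
            Email = 'restricted@example.com',
            Username = 'restricted' + DateTime.now().getTime() + '@example.com',
            ProfileId = p.Id, EmailEncodingKey = 'UTF-8',
            LanguageLocaleKey = 'en_US', LocaleSidKey = 'en_US',
            TimeZoneSidKey = 'America/Los_Angeles'
        );
    }

    @IsTest
    static void hiddenFieldIsEnforcedForRestrictedUser() {
        User u = makeRestrictedUser();
        insert u;

        System.runAs(u) {
            // WITH SECURITY_ENFORCED is all-or-nothing: a field the user
            // cannot read makes the whole query throw QueryException.
            Boolean threw = false;
            try {
                List<Contact> rows = [SELECT Id, Secret_Note__c FROM Contact
                                      WITH SECURITY_ENFORCED];
            } catch (System.QueryException e) {
                threw = true;
            }
            System.assert(threw, 'Expected QueryException for a hidden field');

            // stripInaccessible filters instead of failing.
            Contact c = new Contact(LastName = 'Doe', Secret_Note__c = 'internal');
            SObjectAccessDecision d = Security.stripInaccessible(
                AccessType.CREATABLE, new List<Contact>{ c });
            Set<String> removed = d.getRemovedFields().get('Contact');
            System.assert(removed != null && removed.contains('Secret_Note__c'),
                'Hidden field should have been stripped');
            System.assertEquals(false, d.getRecords()[0].isSet('Secret_Note__c'));
        }
    }
}
```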

Conclusion: Enhancing Salesforce Security with Apex

Implementing Apex security best practices is essential to protect your Salesforce data. Whether you are enforcing sharing rules, respecting field-level permissions, or programmatically managing record sharing, these practices help ensure that only authorized users can access sensitive data.

When building your Salesforce applications, always prioritize security by:

  • Using with sharing where possible.
  • Implementing security-enforced queries.
  • Using tools like stripInaccessible to filter out inaccessible fields.

By adhering to these practices, you can build secure Salesforce applications that meet business requirements and ensure data integrity and compliance.

Nikhil Pachbhai

Nikhil Pachbhai is a Technical Consultant at Perficient with over three years of experience in Salesforce Development (SFDC).