Security Considerations for Flows
When designing flows, keep these security considerations in mind.
Flow Interviews
When a user session expires, in-progress flow interviews are interrupted and can’t be resumed. If the flow already executed actions, such as a Create Records or Post to Chatter element, those actions aren’t rolled back. However, other progress through the interview, such as what the user entered on the screen, is lost.
- Set your session timeout settings to log out users after an appropriate period.
- Encourage your users to pay attention during interviews for alerts about their sessions expiring soon.
- Remind users to avoid running flows during release upgrades. A typical upgrade takes about 5 minutes.
Paused or waiting flow interviews aren’t affected by expired user sessions.
Shield Platform Encryption
You can’t filter or sort records by encrypted fields for these elements and resources.
- Update Records element
- Delete Records element
- Get Records element
- Record Choice Set resource
Screen Flow Inputs
For enhanced security, remove all HTML from publicly accessible input fields in screen flows. For example, suppose an input field on a publicly accessible screen flow is mapped to a rich text field in Salesforce. To keep a malicious URL from reaching the rich text field, create a separate flow on the object to strip out the HTML. Optimize the new flow for fast field updates, and set it to run whenever the input field isn’t blank. Because several sources can write to a publicly accessible input field, check for HTML at the field level and not at the screen level.
You can also use an existing Apex trigger on the object to strip out the HTML.
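The Apex trigger approach, as an added example that is not Salesforce's own code: a before-save trigger that strips HTML whenever the field isn't blank, so the check applies at the field level no matter which source wrote the value. The object `Feedback__c`, the field `Comments__c`, and the trigger name are hypothetical.

```apex
// Added example. Feedback__c and Comments__c are hypothetical names;
// substitute the object and rich text field your public screen flow writes to.
trigger StripFeedbackHtml on Feedback__c (before insert, before update) {
    // Rich text fields that a publicly accessible input can reach (assumed list).
    List<String> publicFields = new List<String>{ 'Comments__c' };

    for (Feedback__c rec : Trigger.new) {
        for (String fieldName : publicFields) {
            String incoming = (String) rec.get(fieldName);

            // Run only when the field isn't blank.
            if (String.isBlank(incoming)) {
                continue;
            }

            // stripHtmlTags() removes HTML markup and returns plain text.
            String cleaned = incoming.stripHtmlTags();

            // Before-save context: writing to Trigger.new needs no extra DML.
            // equals() is used because == on Apex strings ignores case.
            if (!incoming.equals(cleaned)) {
                rec.put(fieldName, cleaned);
            }
        }
    }
}
```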

