Lightning Locker API Version Control
Enabling the latest Lightning Locker API version is a security control that ensures all Lightning components in your organization are governed by the most recent security patches.
Control Name
Lightning Locker API Version
Recommended Configuration
- Use security enhancements in API version: select the most recent API version in which your components work correctly.
Setup > Session Settings > Lightning Locker API Version.
Control Overview
Enabling the latest Lightning Locker API version is a security control that ensures all Lightning components in your organization are governed by the most recent security patches and architectural enhancements provided by Salesforce. By selecting the latest version in Session Settings, administrators force components to adhere to the latest browser-level protections, such as refined DOM isolation and cross-site scripting (XSS) mitigations, ensuring that even legacy components benefit from modern defense-in-depth strategies.
Security Risk If Not Configured
Not enabling the latest Lightning Locker API version leaves your organization exposed to known security vulnerabilities and Cross-Site Scripting (XSS) risks.
Threat Scenarios
In an environment running an outdated Lightning Locker API version, a threat actor or a malicious managed package could exploit known, unpatched vulnerabilities that are strictly blocked in the latest versions. By leveraging these older, less-restrictive security rules, the attacker can execute arbitrary JavaScript to bypass DOM isolation, allowing them to silently scrape sensitive data from other components or hijack the user's session without detection.
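The following is an added illustration, not Salesforce code and not a reproduction of how Lightning Locker is implemented: a toy model of the namespace-scoped DOM isolation described in the Control Overview, placed beside a "legacy" view with no such filter, which models the less restrictive behaviour the threat scenario above attributes to outdated Locker API versions. The in-memory elements, the namespaces `c` and `vendor`, and the sample values are all constructed for this example.

```javascript
// Added illustration (not Salesforce's Lightning Locker code): a toy model of
// namespace-scoped DOM isolation. Each node carries the namespace of the
// component that created it. A "secure" view handed to one namespace only
// reaches nodes that namespace owns; the "legacy" view applies no filter.
'use strict';

// Minimal in-memory element; no real DOM is needed to show the isolation rule.
function el(tag, ns, text = '', children = []) {
  return { tag, ns, text, children };
}

// Constructed sample page: component "c-account" (namespace "c") renders
// sensitive data; component "vendor-widget" (namespace "vendor") sits beside it.
const page = el('body', 'host', '', [
  el('c-account', 'c', '', [
    el('div', 'c', 'Account number: 0000-0000 (constructed sample value)'),
    el('div', 'c', 'Balance: 10,000'),
  ]),
  el('vendor-widget', 'vendor', '', [
    el('div', 'vendor', 'Weather: sunny'),
  ]),
]);

// Depth-first walk over the raw tree.
function walk(node, visit) {
  visit(node);
  for (const child of node.children) walk(child, visit);
}

// Legacy view: every matching node is returned, whoever owns it.
function legacyQueryAll(root, tag) {
  const out = [];
  walk(root, (n) => { if (n.tag === tag) out.push(n); });
  return out;
}

// Secure view: each element is wrapped in a Proxy bound to the caller's
// namespace. Content of foreign-owned nodes is hidden, traversal only yields
// nodes the caller owns, and writes are rejected.
function secureWrap(node, callerNs) {
  return new Proxy(node, {
    get(target, prop) {
      if (prop === 'tag') return target.tag;
      if (prop === 'ownerNs') return target.ns;
      if (prop === 'text') {
        return target.ns === callerNs ? target.text : undefined;
      }
      if (prop === 'children') {
        return target.children
          .filter((c) => c.ns === callerNs)
          .map((c) => secureWrap(c, callerNs));
      }
      if (prop === 'querySelectorAll') {
        return (tag) => secureQueryAll(target, tag, callerNs);
      }
      return undefined; // everything else is hidden from the caller
    },
    set() { return false; }, // the toy view is read-only
  });
}

function secureQueryAll(root, tag, callerNs) {
  const out = [];
  walk(root, (n) => {
    if (n.tag === tag && n.ns === callerNs) out.push(secureWrap(n, callerNs));
  });
  return out;
}

// Text a component in `callerNs` can read from every <div> on the page under
// the chosen view, returned as plain strings so the difference is easy to check.
function readableDivText(callerNs, isolated) {
  if (!isolated) {
    return legacyQueryAll(page, 'div').map((n) => n.text);
  }
  return secureWrap(page, callerNs)
    .querySelectorAll('div')
    .map((n) => n.text);
}

console.log('vendor, legacy view  :', readableDivText('vendor', false));
console.log('vendor, isolated view:', readableDivText('vendor', true));
```

Run with Node. Under the legacy view the `vendor` namespace reads the `c` component's account data; under the isolated view it only sees its own `div`, and reading `text` on the wrapped page root (owned by `host`) yields `undefined`. This is the property the page's control preserves by keeping components on the most recent Locker API version.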
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
The primary risk impact is leaving your organization vulnerable to known, patched security flaws while simultaneously increasing the likelihood of performance degradation and integration failures as legacy isolation rules fall out of sync with modern browser security standards.
Higher Risk When
The risk of data exfiltration is significantly amplified by permissive Content Security Policy (CSP) or CORS configurations, which can inadvertently allow unauthorized scripts to run or provide a clear path for sending stolen data to malicious external domains.
Low or No Risk When
Risk is reduced when, even before the latest Lightning Locker API version is enabled, the organization enforces a strict Content Security Policy (CSP) that prevents the execution of unauthorized scripts and blocks data exfiltration to untrusted domains.
Business and Integration Considerations
Implementing the latest Lightning Locker API version requires thorough regression testing in a sandbox to ensure that custom components and third-party managed packages remain compatible with updated security restrictions—such as stricter HTML sanitization and blocked JavaScript APIs—which could otherwise lead to functional breakages or runtime errors.
Recommended Remediation
Enable the latest Lightning Locker API version. Lightning Locker enhances security with each API update.
Security Health Review Guidance
N/A - Currently not inspected by the Security Health Review tool.