Lightning Web Security Control
Enabling Lightning Web Security (LWS) is a security control that replaces the legacy Lightning Locker architecture with a modern, virtualization-based sandbox for Lightning components.
Control Name
Lightning Web Security
Recommended Configuration
- Use Lightning Web Security for Lightning web components and Aura components
Setup > Session Settings > Use Lightning Web Security for Lightning web components and Aura components
Control Overview
Enabling Lightning Web Security (LWS) is a security control that replaces the legacy Lightning Locker architecture with a modern, virtualization-based sandbox for Lightning components. It isolates components from different namespaces within their own JavaScript sandboxes and uses "distortions" to dynamically modify potentially unsafe APIs, preventing malicious code from interfering with other components or accessing unauthorized data while maintaining high performance.
Security Risk If Not Configured
Not enabling Lightning Web Security (LWS) increases the risk of cross-namespace data exfiltration and DOM-based attacks, as components from different sources may lack the robust virtualization needed to prevent them from accessing each other’s private data.
Threat Scenarios
A user unknowingly installs a malicious or compromised third-party Lightning component that, in the absence of Lightning Web Security's virtualization, can bypass namespace boundaries to access the global JavaScript environment and the DOM of other components. This allows the rogue component to silently scrape sensitive record data or capture user inputs from legitimate Salesforce components on the same page and exfiltrate the information to an external attacker-controlled server.
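As an added illustration of the mechanism described in the overview and the threat scenario above (this is example code, not Salesforce's own implementation, and a deliberate simplification of how LWS works), the following JavaScript models per-namespace sandboxes and "distortions" with a Proxy. The page element list, the namespace names c and vendor_pkg, and the helper names (rawDocument, distortForNamespace, createSandboxDocument, runInSandbox) are constructed for this example. The same component code that reads every input on the page returns all values when run against the raw document, but only its own namespace's elements when run through the sandboxed document, and it cannot patch the shared document to escape.

```javascript
// Added example (not Salesforce code): a simplified model of namespace
// sandboxing with API "distortions", in the spirit of Lightning Web Security.

// Constructed stand-in for the rendered page: each element records the
// namespace of the component that rendered it.
const pageElements = [
  { id: 'acct-ssn', namespace: 'c', tagName: 'INPUT', value: '123-45-6789' },
  { id: 'acct-name', namespace: 'c', tagName: 'INPUT', value: 'Acme Corp' },
  { id: 'promo-email', namespace: 'vendor_pkg', tagName: 'INPUT', value: 'user@example.com' },
  { id: 'promo-banner', namespace: 'vendor_pkg', tagName: 'DIV', value: 'Hello!' },
];

// Minimal "real" document: unrestricted lookups, like the raw DOM API.
const rawDocument = {
  getElementById(id) {
    return pageElements.find((e) => e.id === id) || null;
  },
  querySelectorAll(tagName) {
    return pageElements.filter((e) => e.tagName === tagName);
  },
};

// A distortion wraps a DOM method so it only yields elements owned by the
// calling namespace; elements rendered by other namespaces are filtered out.
function distortForNamespace(method, ns) {
  return function distorted(...args) {
    const result = method.apply(rawDocument, args);
    if (Array.isArray(result)) return result.filter((e) => e.namespace === ns);
    return result && result.namespace === ns ? result : null;
  };
}

// Build the sandboxed document for one namespace: a Proxy over the raw
// document that exposes only distorted methods and rejects writes, so
// sandboxed code can neither reach other namespaces nor patch shared state.
function createSandboxDocument(ns) {
  const distortions = new Map([
    ['getElementById', distortForNamespace(rawDocument.getElementById, ns)],
    ['querySelectorAll', distortForNamespace(rawDocument.querySelectorAll, ns)],
  ]);
  return new Proxy(rawDocument, {
    get(_target, prop) {
      // Anything not explicitly distorted is invisible inside the sandbox.
      return distortions.has(prop) ? distortions.get(prop) : undefined;
    },
    set(_target, prop) {
      throw new TypeError(`sandbox: cannot modify document.${String(prop)}`);
    },
  });
}

// Run component code with its own sandboxed `document` binding. Component
// code is an ordinary function here, so no eval is involved.
function runInSandbox(ns, componentCode) {
  return componentCode(createSandboxDocument(ns));
}

// Component code that scrapes every INPUT value it can see on the page.
const readAllInputs = (document) =>
  document.querySelectorAll('INPUT').map((e) => e.value);

// Without a sandbox, a vendor component reads the customer's field values too.
function unsandboxedRead() {
  return readAllInputs(rawDocument);
}

// With the sandbox, the same code run under the vendor namespace sees only
// its own input, while the owning namespace still sees its own fields.
function vendorSandboxedRead() {
  return runInSandbox('vendor_pkg', readAllInputs);
}
function ownerSandboxedRead() {
  return runInSandbox('c', readAllInputs);
}

// Direct lookup of another namespace's element by id is distorted to null.
function vendorLookupById() {
  return runInSandbox('vendor_pkg', (document) => document.getElementById('acct-ssn'));
}

// Attempting to replace a distorted method from inside the sandbox fails.
function vendorTamperAttempt() {
  try {
    runInSandbox('vendor_pkg', (document) => {
      document.getElementById = () => rawDocument.getElementById('acct-ssn');
    });
    return 'patched';
  } catch (err) {
    return 'blocked';
  }
}

console.log('raw:', unsandboxedRead());
console.log('vendor sandbox:', vendorSandboxedRead());
console.log('owner sandbox:', ownerSandboxedRead());
console.log('vendor lookup of acct-ssn:', vendorLookupById());
console.log('vendor tamper attempt:', vendorTamperAttempt());
```

The distortion layer is the security boundary here: the vendor component keeps working against its own markup, but every path to the c namespace's elements, including direct id lookup and monkey-patching the document, is closed off by the Proxy rather than by trusting the component's own code.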
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
Risk increases when there is no Secure Development Lifecycle that assesses the components deployed on the platform.
Higher Risk When
There is no Content Security Policy (CSP) to block unauthorized data exfiltration or to restrict the execution of untrusted external scripts.
Low or No Risk When
To minimize the risk while Lightning Web Security (LWS) is not yet enabled, organizations should strictly enforce a refined Content Security Policy (CSP) that blocks unauthorized data exfiltration and restricts the execution of untrusted external scripts.
Additionally, rigorous security reviews of all third-party managed packages and custom components, combined with Salesforce Shield Event Monitoring to detect anomalous data access patterns, provide a critical layer of defense against potential cross-namespace exploits.
Business and Integration Considerations
The primary integration and business consideration when enabling Lightning Web Security (LWS) is a comprehensive audit of existing Aura and third-party components. The transition from Lightning Locker may require refactoring JavaScript that directly manipulates the global window object or uses "use strict" in ways that conflict with the new virtualization sandboxes.
Recommended Remediation
Enable Lightning Web Security in Session Settings.
Security Health Review Guidance
Security Health Review inspects the Session Security Settings to verify that Lightning Web Security is enabled to secure Lightning web components and Aura components.