Salesforce Developer Security API Considerations


// Salesforce - Developer - Security - API Considerations:

1. API access to an org allows a user to bypass presentation layer controls 
   (Visualforce pages, standard page layouts) and comes with some unique 
   situations to be aware of.

2. API queries rely completely on pre-configured FLS/CRUD/Sharing. If these 
   items are not correctly configured, data may be unintentionally exposed. This 
   is common for portal users, where data access is decided in Visualforce and Apex.

3. Some objects do not allow FLS/CRUD/Sharing to be configured. Examples of this 
   include custom settings in the local namespace, and objects such as 

4. API access allows easy mass extraction of data. Some kinds of data are less 
   sensitive individually but increasingly sensitive in large numbers.

5. It may sound like API access is something to avoid, but currently many mobile 
   apps require users to have API access. The best approach is to make sure 
   CRUD / FLS / Sharing are scoped correctly, so that everything available 
   through the API is something the user should have access to.
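
One way to check points 2 and 5, as an added example that is not part of the original page: compare the fields a user can read through the API with the fields the Visualforce/Apex pages are meant to show. The rows are constructed sample data shaped like query results from the PermissionSet and FieldPermissions objects; ASSIGNMENTS, INTENDED, the user names and the custom field name are hypothetical, and Sharing (record-level access) is not modelled.

```python
# Added example. All rows below are constructed sample data shaped like the
# results of SOQL queries on PermissionSet and FieldPermissions.
PERMISSION_SETS = {
    "PS1": {"Label": "Portal Profile", "PermissionsApiEnabled": False},
    "PS2": {"Label": "Mobile App Access", "PermissionsApiEnabled": True},
    "PS3": {"Label": "Internal Read Only", "PermissionsApiEnabled": False},
}
FIELD_PERMISSIONS = [
    {"ParentId": "PS1", "Field": "Contact.Email", "PermissionsRead": True},
    {"ParentId": "PS1", "Field": "Contact.Birthdate", "PermissionsRead": True},
    {"ParentId": "PS1", "Field": "Case.Subject", "PermissionsRead": True},
    {"ParentId": "PS2", "Field": "Case.Internal_Notes__c", "PermissionsRead": True},
    {"ParentId": "PS2", "Field": "Case.Status", "PermissionsRead": False},
    {"ParentId": "PS3", "Field": "Contact.Birthdate", "PermissionsRead": True},
]
# Hypothetical inputs: which profile/permission sets each user holds, and which
# fields the Visualforce/Apex pages are meant to show that user.
ASSIGNMENTS = {"portal_user": ["PS1", "PS2"], "internal_user": ["PS3"]}
INTENDED = {"portal_user": {"Contact.Email", "Case.Subject"},
            "internal_user": set()}


def has_api_access(user):
    """API Enabled on any one assigned profile/permission set is enough."""
    return any(PERMISSION_SETS[ps]["PermissionsApiEnabled"]
               for ps in ASSIGNMENTS[user])


def readable_fields(user):
    """FLS is additive: union of readable fields over every assignment."""
    held = set(ASSIGNMENTS[user])
    return {row["Field"] for row in FIELD_PERMISSIONS
            if row["ParentId"] in held and row["PermissionsRead"]}


def api_overexposure(user):
    """Fields the user can query through the API but was never meant to see."""
    if not has_api_access(user):
        return []  # no API access: nothing is reachable this way
    return sorted(readable_fields(user) - INTENDED[user])


if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, has_api_access(user), api_overexposure(user))
```

Each flagged field is one to remove from the profile or permission set, or to add to the intended list after review.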