How to Secure Salesforce Lightning Web Components: A Developer Playbook for LWC Security

Your Lightning Web Components passed code review. They deployed clean. But if your Apex skips field-level security and your events bubble CRM data to every ancestor component on the page, you shipped a vulnerability anyway.

Evelyn McMichael-Maguire, 10x Salesforce Certified developer, author of the Salesforce Lightning Web Component Cookbook, and incoming CrowdStrike engineer, joins host Matt Meyers, Salesforce CTA and Co-Founder and CEO of EzProtect, to break down the security decisions developers get wrong when building LWCs.

Three principles from this session:

→ Lightning Web Security enforces namespace isolation. It does not enforce field-level security, CRUD, input validation, or event propagation. Those decisions are yours.
→ Every custom event should default to bubbles false and composed false. If your event carries record IDs or PII with composed true, any ancestor component can intercept it.
→ Run ESLint with the Locker/LWS config and test under both Lightning Locker and Lightning Web Security before every deployment. One architecture's success is the other's type error.

If you are not reviewing what your code exposes before you deploy, you are shipping the vulnerability with it.
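The Apex side of the first principle, as an added example that is not from the session or from EzProtect: a hypothetical ContactPanelController with the FLS-skipping query beside its user-mode replacement, a stripInaccessible write path, and a custom-permission feature flag (the class, method and permission names, including Contact_Panel_Beta, are assumed).

```apex
// Added example (not from the session). An Apex controller an LWC reads via @wire,
// showing the "skips field-level security" pattern next to the user-mode fix.
public with sharing class ContactPanelController {

    // VULNERABLE: Apex SOQL runs in system mode, so field-level security is not
    // checked. A user with no access to Contact.Email still receives it in the LWC,
    // and Lightning Web Security will not stop that; it only isolates namespaces.
    @AuraEnabled(cacheable=true)
    public static List<Contact> getContactsUnsafe(Id accountId) {
        return [SELECT Id, Name, Email, Phone FROM Contact WHERE AccountId = :accountId];
    }

    // HARDENED: WITH USER_MODE makes the query honor the running user's object,
    // field, and sharing permissions (QueryException on an inaccessible field).
    // The bind variable keeps the client-supplied accountId out of the query text.
    @AuraEnabled(cacheable=true)
    public static List<Contact> getContacts(Id accountId) {
        if (accountId == null) {
            throw new AuraHandledException('accountId is required');
        }
        return [SELECT Id, Name, Email, Phone FROM Contact
                WHERE AccountId = :accountId WITH USER_MODE];
    }

    // HARDENED write path: records arrive as JSON from the component, so they are
    // untrusted input. Drop fields the user cannot create, then insert in user mode
    // so CRUD is enforced server-side as well.
    @AuraEnabled
    public static List<Id> createContacts(List<Contact> drafts) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, drafts);
        List<Contact> safe = (List<Contact>) decision.getRecords();
        Database.insert(safe, AccessLevel.USER_MODE);
        List<Id> ids = new List<Id>();
        for (Contact c : safe) {
            ids.add(c.Id);
        }
        return ids;
    }

    // Feature flag backed by a custom permission (hypothetical API name
    // Contact_Panel_Beta): the LWC can hide the UI, but the server decides.
    @AuraEnabled(cacheable=true)
    public static Boolean isBetaPanelEnabled() {
        return FeatureManagement.checkPermission('Contact_Panel_Beta');
    }
}
```

The component calling getContacts should treat a QueryException as "this user may not see these fields" and degrade the UI, not retry against the unsafe method.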
In this session: Salesforce LWC security, Lightning Web Components, Lightning Web Security (LWS), Lightning Locker, event propagation (bubbles and composed), field-level security, Lightning Data Service, ESLint, the LWS distortion viewer, feature flags with custom permissions, Apex controller security, and input validation. With Evelyn McMichael-Maguire and Matt Meyers of EzProtect.

Download the official guide to protecting your Salesforce data from hackers: https://ezprotect.io/platform/

Timecodes
0:00 Session kickoff and housekeeping
2:16 Matt Meyers introduction
2:41 Evelyn McMichael-Maguire introduction
4:13 EzProtect overview
5:09 Last Office Hours recap: Auditing connected apps before migrating to ECA
5:49 Hot off the press: Salesforce AI data sharing opt-out
7:06 What developers get wrong about LWC security
7:21 Lightning Web Security vs Lightning Locker overview
11:23 The line between platform security and developer responsibility
13:46 Six lines of code that ship a vulnerability
18:24 Code example: LWS-compatible modal with event dispatching
22:23 Event properties: how bubbles and composed decide who gets your CRM data
24:54 Five nested components: event propagation demo
26:30 ESLint and the LWS Distortion Viewer
29:10 Feature flags with custom permissions
33:37 What to do before your next deployment
34:53 Key takeaways
36:12 Upcoming sessions and resources
37:14 Audience Q&A
44:25 Vibe coding and AI-generated code security
47:10 Static resource supply chain risks
51:07 Book giveaway and wrap-up
