Enhanced Security for Lightning Apps


Salesforce has released an update that strengthens the security of cross-site request forgery (CSRF) tokens for Lightning apps. 

With this update, each Lightning app will have a unique CSRF token, ensuring that the token is only used within its intended context. 

Additionally, Salesforce has improved the handling of invalid and expired tokens.

📢 What's New?

This update was first made available in Spring '23 and was originally planned to be enforced in Summer '23. 

However, we have extended the enforcement date to Winter '24 to provide more time for a smooth transition.

🌟 Where Does It Apply?

This change affects Lightning apps, including Lightning Experience, as well as all versions of the Salesforce mobile app. 

Please note that this change does not apply to Lightning Out apps.

⏰ When Will It Be Enforced?

Starting Winter '24, Salesforce will enforce this update for all organizations. 

For sandboxes, enforcement will begin in Summer '23. 

To find out the exact major release upgrade date for your instance, simply go to Trust Status, search for your instance, and click on the maintenance tab.

🤔 Why Is This Important?

Cross-site request forgery (CSRF) is a common vulnerability in web applications, where a malicious application tricks a user's client into performing unwanted actions on a trusted site where the user is authenticated. 

By implementing unique and random CSRF tokens, we add an extra layer of protection against CSRF attacks.
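To make the "unique token per app, valid only in its intended context" idea concrete, here is a simplified server-side model, added as an illustration and not Salesforce's actual implementation. It binds each token to a session and an app identifier with an HMAC, carries an expiry, and reports separately whether a presented token is invalid (malformed or tampered), bound to a different app, or expired; the key, session ids and app ids are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for this example; a real deployment would load it from a key store.
SERVER_KEY = secrets.token_bytes(32)


def _sign(session_id: str, payload: str) -> str:
    # The MAC covers the session id (known only server-side) and the app/expiry/nonce payload,
    # so a token cannot be moved to another session or edited to claim a different app.
    return hmac.new(SERVER_KEY, f"{session_id}|{payload}".encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str, app_id: str, now: int, ttl_seconds: int = 3600) -> str:
    """Issue a CSRF token bound to one session and one Lightning app, valid for ttl_seconds.

    Assumes app_id contains no ':' (the field separator used in this toy format).
    """
    expires = now + ttl_seconds
    nonce = secrets.token_hex(16)          # makes every token unique and unpredictable
    payload = f"{app_id}:{expires}:{nonce}"
    return f"{payload}:{_sign(session_id, payload)}"


def validate_token(token: str, session_id: str, app_id: str, now: int) -> str:
    """Return 'ok', or the reason the token is rejected: 'invalid', 'wrong_context' or 'expired'."""
    parts = token.split(":")
    if len(parts) != 4:
        return "invalid"                   # malformed: wrong number of fields
    tok_app, tok_exp, nonce, tag = parts
    # Verify the MAC first so every later decision is based on authenticated fields.
    expected = _sign(session_id, f"{tok_app}:{tok_exp}:{nonce}")
    if not hmac.compare_digest(expected, tag):
        return "invalid"                   # tampered, forged, or issued for another session
    if tok_app != app_id:
        return "wrong_context"             # genuine token, but for a different app
    if now > int(tok_exp):
        return "expired"                   # genuine token whose lifetime has passed
    return "ok"


if __name__ == "__main__":
    tok = issue_token("sess-A", "app-sales", now=1000)
    print(validate_token(tok, "sess-A", "app-sales", now=1500))    # ok
    print(validate_token(tok, "sess-A", "app-service", now=1500))  # wrong_context
    print(validate_token(tok, "sess-A", "app-sales", now=5000))    # expired
```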

🔍 How to Test and Activate the Update?

To test this update, we recommend working in a sandbox environment where the release update is enforced starting Summer '23. 

If you need to disable the release update in your sandbox, please reach out to your Salesforce account executive.

In a production org, you can activate the release update from the Setup menu. 

Simply search for "Release Updates" in the Quick Find box and select the corresponding option. 

Then, follow the provided testing and activation steps for the "Security Enhancements for CSRF Tokens for Lightning Apps."


Posted by: Sudeer Kamat
