Cryptographic Failures

Cryptographic failures occur when cryptographic algorithms or protocols are used incorrectly, leading to security vulnerabilities. Common cryptographic failures include weak key management, insecure random number generation, and improper usage of cryptographic functions.

Anti-patterns

Exposure of sensitive information in logs

Sensitive information should never be included in logs. While logging everything may be helpful during development, make sure that sensitive user data and system information are not accidentally exposed. Debug logs should not contain any sensitive data such as usernames, passwords, contact information, or PII.

Insecure endpoint callouts

Enforcing HTTPS is an essential step in protecting your application and its users from attacks. Using non-secure endpoints in your integrations exposes your application and users to significant security risks.

Use of session storage and local storage

Data placed in localStorage persists after the session is closed, so any actor with access to the browser can retrieve it. Furthermore, data in localStorage or sessionStorage is visible to every script running in the browser, including scripts that belong to malicious third parties. Therefore, no sensitive or session information should be stored in client-side storage.

Hardcoded secrets

A recurring problem when developing applications is that developers may accidentally hardcode secrets and commit them to remote Git repositories. Secrets include keys, passwords, API tokens, and other sensitive information. Secrets exposed in this way must be treated as compromised and replaced, which can be costly.

Use of weak encryption algorithms

In Apex, developers can use the System.Crypto class to implement various cryptographic algorithms; however, some of them, such as SHA1 and MD5, are no longer considered secure by today's standards.