Conga Digital Commerce SDK encrypts communication between client and server using AES-128. Endpoints are also timestamped, and a request is valid for only 30 seconds; if it takes longer than that, the request is rejected as invalid.
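As an added illustration of the 30-second validity window described above (example code, not the Conga SDK's own implementation), the following server-side check rejects requests whose timestamp is missing, malformed, expired, or implausibly far in the future. The header name `x-request-timestamp` and the clock-skew tolerance are assumptions.

```javascript
// Added example, not part of the Conga SDK: freshness check for a timestamped
// request. Header name and skew tolerance are assumed, not taken from the SDK.
const VALIDITY_WINDOW_MS = 30 * 1000; // requests older than this are rejected
const CLOCK_SKEW_MS = 2 * 1000;       // assumed tolerance for clients slightly ahead of server time

function parseTimestamp(headerValue) {
  // Accept only a plain integer count of epoch milliseconds; anything else is rejected.
  if (typeof headerValue !== "string" || !/^\d{1,16}$/.test(headerValue)) {
    return null;
  }
  return Number(headerValue);
}

function checkFreshness(headers, nowMs, windowMs = VALIDITY_WINDOW_MS, skewMs = CLOCK_SKEW_MS) {
  const ts = parseTimestamp(headers["x-request-timestamp"]); // header name is an assumption
  if (ts === null) {
    return { ok: false, reason: "missing-or-malformed-timestamp" };
  }
  const ageMs = nowMs - ts;
  if (ageMs < -skewMs) {
    // Further in the future than clock skew explains: treat as invalid rather than fresh.
    return { ok: false, reason: "timestamp-in-future", ageMs };
  }
  if (ageMs > windowMs) {
    return { ok: false, reason: "expired", ageMs };
  }
  return { ok: true, ageMs };
}

// Constructed sample requests, evaluated against a fixed "now" so results are reproducible.
const NOW = 1_700_000_000_000;
const SAMPLES = {
  fresh:   { "x-request-timestamp": String(NOW - 5_000) },
  expired: { "x-request-timestamp": String(NOW - 31_000) },
  future:  { "x-request-timestamp": String(NOW + 10_000) },
  garbage: { "x-request-timestamp": "1700000000000; DROP" },
  missing: {},
};

function evaluateSamples() {
  const results = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    results[name] = checkFreshness(headers, NOW);
  }
  return results;
}
```
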

To systematically block XSS bugs, Conga Digital Commerce treats all values as untrusted by default. When a value is inserted into the DOM, whether from a template, property, attribute, binding, or interpolation, Angular sanitizes and escapes untrusted values.

Digital Commerce sanitizes user input, for example by escaping special characters, before it is converted into a query and sent to the server.

Use standard Salesforce authentication with an access token, generated using the standard OAuth protocol. Also work through the Salesforce Communities security settings for data access.

All user input is sanitized, and a custom parser in the SDK is used to generate queries. The Salesforce E-Commerce interface performs further validation of SQL queries on the server side before data is accessed from Salesforce.

Set up a strong security model at the Salesforce org level using the standard Salesforce security framework (roles, profiles, permission sets, etc.). The SDK does not circumvent Salesforce security in any way.

Use the standard SDK mechanisms for extending services, models, and interfaces for any customization, without circumventing the SDK architecture used to integrate and interface with Salesforce.