Conga Digital Commerce SDK uses encrypted communication between client and server using AES 128 encryption. Also, have timestamped endpoint and are valid only for 30 seconds. If it takes more time then the request is not valid.
To systematically block XSS bugs, Conga Digital Commerce treats all values as untrusted by default. When a value is inserted into the DOM whether it's from a template, property, attribute, binding, or interpolation, angular sanitizes and escapes untrusted values.
Digital Commerce sanitizes user input before it is converted to query and send to the server such as escape special characters etc.
Use standard salesforce standard authentication using an access token. Use standard OAuth protocol to generate an access token. Also, go through communities security for data access.
All user input is sanitized and a custom parser in SDK is used to generate queries. Salesforce E-Commerce interface has further validation on SQL queries, on the server-side before data is accessed from Salesforce.
Setup strong security model as the salesforce org level using standard salesforce security framework (roles, profiles, permission sets etc.). SDK does not circumvent Salesforce security in any way.
Use standard SDK mechanisms for extending services, models, interface for any customization without circumventing the SDK architecture to integrate and interface with Salesforce.