惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
小众软件
小众软件
The Last Watchdog
The Last Watchdog
Latest news
Latest news
P
Palo Alto Networks Blog
C
Cisco Blogs
C
Cyber Attacks, Cyber Crime and Cyber Security
L
Lohrmann on Cybersecurity
P
Privacy International News Feed
NISL@THU
NISL@THU
T
Threat Research - Cisco Blogs
T
Threatpost
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
Spread Privacy
Spread Privacy
T
Tor Project blog
Cyberwarzone
Cyberwarzone
C
Cybersecurity and Infrastructure Security Agency CISA
AWS News Blog
AWS News Blog
S
Securelist
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Simon Willison's Weblog
Simon Willison's Weblog
P
Privacy & Cybersecurity Law Blog
Hugging Face - Blog
Hugging Face - Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
C
CERT Recently Published Vulnerability Notes
V
Visual Studio Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
博客园 - 司徒正美
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
罗磊的独立博客
A
Arctic Wolf
腾讯CDC
WordPress大学
WordPress大学
IT之家
IT之家
Last Week in AI
Last Week in AI
博客园 - 聂微东
P
Proofpoint News Feed
Y
Y Combinator Blog
Apple Machine Learning Research
Apple Machine Learning Research
Hacker News: Ask HN
Hacker News: Ask HN
Help Net Security
Help Net Security
Blog — PlanetScale
Blog — PlanetScale
爱范儿
爱范儿
美团技术团队
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
T
Tailwind CSS Blog

Salesforce

Scale Your MRR: Subscription Management For Small Business Streamlining Commerce Media Ad Inventory Management 12 AI Sales Strategies for Startups That Actually Work Sell Smarter: Ecommerce Metrics To Track For Your Small Business Shop Apply the Orchestration Density Framework to Your Next Automation Decision Wait, Black Friday Planning In Spring? It’s Time to Start Holiday Promotions AI-First Operations, One Process at a Time How BCU Is Transforming Banking Service with Agentforce Salesforce Headless 360: What the Agent Consumer Means for Your Integration Architecture Meet Customers Where They Are: Agentforce Contact Center Now Offers WhatsApp Voice 11 Free Lead Generation Tips for Small and Growing Businesses SFR-VibeTrain: The Agent That Trains Agents Why Technical Accuracy is the Wrong Metric for Agent Success Strengthening Salesforce Security Against AI-Driven Threats Join Us in the Community Hub at Connections 2026 The Best Way To Build AI Agents That Customers Trust 5 Ways AI is Changing the Communication Game For Startups Trust in the Era of Agents: Highlights from the 2nd Annual Trusted AI Impact Report You Can Be an Agentic Enterprise No Matter What Size Business How to Make Your Email Marketing Accessible for Everyone What is Headless? Don’t Lose Your Head, SMBs: It’s a Good Thing Architect the Future UI: Slack as Your Agentic Surface Point of Sale Innovations to Modernize the Shopper Experience Governing the Agentic Enterprise at Scale with MuleSoft Omni Gateway How to Cut Service Time with Case Routing Automation 5 Tips for Marketers to Get Started with Salesforce Flow No One is Vibe Coding Trade Promotion Management 7th Edition State of Sales Report: 3 Growth Trends for Startups and SMBs How the Architect Vista Brought Architectural Thinking to Life at TDX 2026 5 Steps to Develop an Architect Mindset With AI Why AI Isn’t Replacing Developers, It’s Empowering Them 10 Ways to Make Your AI Agent a Better Communicator AI in Design 2025: What Real Use Taught Us. How Salesforce Personalization Learns Which Offers Drive Revenue The 4-Step Guide to Salesforce Agent and Application Development Get Ready for Connections 2026: Top Sessions and New Reveals 8 Ways AI Agents Are Evolving in 2026 4 Principles to Make the Right Salesforce UI Decisions Apprentice Journey Shines a Light on Talent Pathways at Salesforce Agent Script: The Control Plane for Agentic Decisions Scaling the Agentforce Life Sciences Ecosystem to Drive the Future of Pharma and MedTech Unlocking Unstructured Data: Building AI-Powered Support Triage with Data 360 Asking For a Friend: What Are Rich Communication Services (RCS)? 5 Slack Shortcuts For Small Teams 195% ROI In Field Service? Here’s How They Did It Submit Your Architect Session: The Dreamforce 2026 Call for Participation Is Open What Is an AI Assistant for Small Business? B2C Commerce April release: Transforming the B2C developer experience with agents Meet Your 24/7 Prospecting Partner — And 5 More Stand-Out Features In Our April Release 11+ Small Business YouTube Channels You Need to Follow Today Stop Treating Disputes Management Like IT Tickets Limitless Service: A New Operating Model for Growth in the Agentic Era What is Transactional Reconciliation in Email and SMS Marketing? How to Prepare for National Small Business Week (2026) How to Design a High-Scale Multi-Cloud Incident Journey 10 Ways An AI CRM Can Amplify Your Startup Vibe Code Better Agents with Agentforce Free vs. Paid CRM: Which is Right for Your Business? Salesforce Customer Success Awards 2026: Lead Era of the Agentic Enterprise 12 Free Webinars for Small Business Owners (2026) The Agentforce Life Sciences Consultant Certification Maximize Growth: The Power of Partnerships for SMBs Salesforce AI Research at ICLR 2026 Data Protection For Small Business: How To Safeguard Yourself Beyond 100K Tokens: Evaluating AI Agents in Long-Context Software Engineering Top 32 Small Business Tools To Try Today 6 New Innovations Redefining Salesforce Development How to Win the Battle for Attention in the Agentic Email Inbox Mastering the Eisenhower Matrix: Prioritize Like a Pro 10 Signs It’s Time To Upgrade Your CRM and How To Get Started (2026) Celebrating 10 Years of Financial Services Innovation How SMBs Can Gain An Edge With Agentic AI: Key Trends From Our Marketing Report How MAN Truck & Bus is Shaping the Future of Sales with Salesfive Introducing the Future of Salesforce Data Protection: Backup & Recover Next Stop Making AI Slop – Build a Foundation for Authentic AI Content 5 Tips to Help Marketers Navigate AI Email Summaries Data Sharing: Is it Safe? Is it Secure? Everything You Need to Know Small Business Week Readiness: 4 Things to Do Before May (2026) How Salesforce Employees Make an Impact During Earth Month AI Agents Are Advancing Rapidly… Is Your Testing Strategy Keeping Up? What Is Microproductivity and Why Is It Helping So Many Teams? TDX 2026 Roundup: Agentforce Edition 3 Ways Salesforce Connections Has Boosted My Career AI Agents Don’t Just Answer‌ — ‌They Act. Do You Have a Governance Strategy? The Future of MedTech Field Execution is Agentic 5 Steps to Prepare Your Data For an AI CRM From Break/Fix to Profit Engine: Aftermarket Service for Robot OEMs Building Trusted Human-Agent Collaboration: A Practical Framework ISV Strategy for the Salesforce Summer ’26 Release 5 Email Marketing Tips for Small Business Commerce Shops Should You Give Your AI Agent a Human Name? Creating Pathways into AI for People with Disabilities The Organized Chaos of Upfronts: 3 Hurdles Impacting Your Yield Trying to Scale Beyond ‘One-Off’ AI Tasks? You’re Probably Using the Wrong Interface What is Cost Per Lead (CPL)? The Case for Unified CCaaS and CRM — And Why the Data Makes It Clear In the New Era of AI, You Need to Win Over Both Humans and Agents What Is SPIN Selling? A Way to Build Trust With Your Customers G2 Crowns Salesforce as Best Financial Services Software Hidden Insights: The Guide to Tableau For Small Business Owners
The API Security Myth That's Putting Your Data at Risk
Joseph Baba · 2026-06-27 · via Salesforce

In application security, context is everything. We frequently encounter high severity vulnerability reports, screaming “Critical CSRF” or “Session Hijacking,” but upon closer inspection, they reveal a misunderstanding of how APIs actually work. One of the most common misconceptions involves Origin Validation.

Using origin validation to authenticate the API traffic is like securing a building with a paperboard padlock. It looks secure from afar, but anyone with basic tools and knowledge can snap it in a heartbeat. Let us explore why this illusion is so prevalent and how the defence mechanism works. 

In a recent case study on our Messaging for In-App and Web (MIAW) SDK, the researcher demonstrated that a Python script could connect to a chat session and exchange messages, bypassing the official mobile banking app.  The researchers argued that the lack of validation of the Origin header resulted in this critical security failure. 

However, this finding was closed as “working as designed” as validating and replying on Origin headers gives a false sense of security for mobile APIs. The API assumes that possession of valid session credentials implies an authenticated client, regardless of the transport mechanism. In a zero trust architecture, the transport mechanism does not matter, the credentials do. 

To prove their point, researchers provided the following PoC:

The Scenario: The “Rogue” Python Script

The researcher provided a Proof of Concept (PoC) consisting of a Python script:

  1. Hardcoded a specific DEVICE_ID and Session Token.
  2. Send a request to the Salesforce messaging endpoint.
  3. Successfully initiated a chat session from a local machine (localhost) rather than the authorized banking website.

The researcher concluded that “The API fails to validate the request origin and an attacker can hijack the session.”

They suggested enforcing a check on the HTTP Origin or Referer header to ensure requests only come from https://example.com. While this sounds logical, it relies on a fundamental misunderstanding of Client Authority.

Why Origin Validation Fails for APIs

The above finding is a false positive based on the incorrect assumption of Client Authority. To understand why, we need to look at how security boundaries shift when moving from browser environment to script 

1. Browsers vs. Scripts

Engineers design the Origin header as a security feature for web browsers. When you visit a site, the browser automatically attaches this header to cross-site requests, helping servers decide whether to allow them (CORS). CORS is a security mechanism that prevents a malicious website from tricking your browser into making unwanted requests to a trusted domain (like your bank). It relies on the browser to check the “Origin” header and block unauthorized access.

However, an API talks to more than just browsers. It talks to mobile apps, servers, and, in the case of an attacker, scripts.

A Python script (or Curl, or Postman) acts as its own client. It controls every byte of the request. If we implement a rule stating “Only accept requests from https:/example.com,” the attacker simply updates their script:

Python

# The "Fix" Bypass

headers = {

    'Authorization': 'Bearer <stolen_token>',

    'Origin': 'https://bank.com',  # Spoofing the authorized domain

    'Referer': 'https://bank.com'

}

requests.post(api_url, headers=headers)

The server receives the correct header and allows the request. The attacker bypasses the security control with a single line of code.

2. The “Replay” Fallacy

The researcher’s PoC worked because they included a valid DEVICE_ID and Session Token in the script.

This highlights a critical distinction in security: Transport Security vs. Endpoint Compromise.

To execute this attack in the real world, the attacker first needs to acquire the Device ID and Session Token through some form of endpoint, application, or supply-chain compromise. Common vectors include:

  • Infecting the victim’s phone with malware.
  • Executing a Man-in-the-Middle (MITM) attack on the victim’s network.
  • Exploiting vulnerabilities in third-party libraries within the app.

If an attacker achieves this, they effectively own the user’s session. They hold the keys to the house. At that point, the API should honor the request because it carries valid credentials. Blocking the request based on network headers is like checking the ID of a person who is already inside your network. 

The Real Solution: Authenticated Messaging

If network headers cannot prove a request is legitimate, what can? Cryptography.

Instead of asking “Where does this request come from?” (which attackers can fake), ask “Who signed this request?”

For Salesforce MIAW and similar secure APIs, the gold standard is User Verification (Authenticated Messaging).

  1. The Handshake: When the user logs into your mobile app, your backend server generates a JSON Web Token (JWT).
  2. The Signature: Your system cryptographically signs this token using a private key that only you possess.
  3. The Verification: The app sends this signed JWT to Salesforce. We validate the signature against your public key.

Crucially, signed tokens must also be short-lived and scoped appropriately to limit replay risk. By enforcing strict expiration times (e.g., 5 minutes), you minimize the window an attacker has to use a stolen token, even if they manage to intercept it.

Defense in Depth

This approach exemplifies Defense in Depth. Even if the network layer is compromised (e.g., an attacker spoofs an IP or Origin header), and even if the client application is scrapped for generic API keys, the security holds. Why? Because, the requirement for a cryptographic signature acts as an additional layer that operates independently of the transport mechanism. By validating identity at the application layer, one ensures that access remains secure regardless of where the request originates.

If an attacker attempts to use a Python script, they may try to copy a DEVICE_ID, but they cannot generate a valid signed JWT for a new session without your private key. The API rejects the connection, not because the “Origin” looked wrong, but because the attacker failed to prove their Identity.

Key Takeaways for Developers

  • Do not confuse CSRF with API Replay: CSRF attacks trick a browser into doing something on a user’s behalf. API Replay attacks use stolen credentials in a custom, rogue client. They are completely different beasts requiring completely different defenses.
  • Origin headers are for constrained clients (browsers):  Browsers care about origin headers because they live in a constrained sandbox. Mobile APIs and server to server communications do not.
  • Identity over Geography:  Do not rely on the location of a request. Rely entirely on the cryptographic proof of who sent it.

At the end of the day, Security requires building walls that actually stop intruders, not just putting up “Keep Out” signs that attackers simply ignore. Security controls must meaningfully prevent unauthorized actions, not merely signal expected behavior to well-behaved clients.

For more information on securing your messaging sessions, check out the Salesforce guide on User Verification for Messaging for In-App and Web and the Developer Guide for User Verification APIs.

Security best practices

Curious about more ways to bolster the security of your Salesforce org? Check out our guide for additional guidance and resources.