Using custom code safely
Follow these best practices to use custom code in your flows.
Custom code is a feature that lets you create your own code to include in DaVinci flows. It is available in multiple connectors and capabilites, including:
-
Custom HTML template script field
-
Custom Functions
-
Code Snippet fields
Risks
Because custom code fields can run any code provided, they carry additional security risks.
For more information about the risks of custom code, see the Open Worldwide Application Security Project resources.
Recommendations
Follow these recommendations when using custom code fields:
-
Make sure that only trusted users can access DaVinci to add custom code.
-
Make sure that any custom code you plan to use is reviewed before it is added to user-facing flows, regardless of whether the custom code was produced by you or by a third party. You can use Semgrep as a tool for reviewing your code for security vulnerabilities.
-
Make sure that any variables or run-time data that is processed by custom code does not expose sensitive or private information.