Securing Lightning Web Components

1. Locker
Lightning Locker is enabled for all custom Lightning web components. LWC uses Lightning Locker, a powerful security architecture for Lightning components that enhances security by isolating Lightning components in separate namespaces. 

2. LWC offers its own built-in security features, such as sanitization of malformed HTML code and blocking Content Security Policy (CSP)-incompatible code.

Load Assets Correctly
To import a third-party JavaScript or CSS library, use the platformResourceLoader module.

Blocking Inline Script
As part of our CSP implementation, LWC applications inside of Salesforce are blocked from loading an inline script, or calling a script from a template error or event handler. 

Filtering a Dynamic Script
To aid developers with building complex applications on the Salesforce ecosystem, dynamic script evaluation through eval() is enabled.

Add Third-Party APIs to Allowlist
In order to add third-party APIs to an allowlist, you must first add them to CSP Trusted Sites. This option can be found under Setup in your Salesforce org.