John Manager Training Dep

Is it safe to use Salesforce workbench for modifying Apex class and trigger in production org?

Hi Team,

Salesforce Workbench seems to make it easy to migrate, delete or perform other actions on the Salesforce PROD (as well as lower) environments.

I am not sure who the developer of Salesforce Workbench is, and is it safe to use it in our Salesforce Production environment?
Can the developer of Salesforce workbench hack my company information?
Khan Anas (Salesforce Developers)
Hi John,

Greetings to you!

Ryan Brainard is the workbench developer. According to Workbench "Terms and Conditions":

Workbench is free to use but is not an official salesforce.com product. Workbench has not been officially tested or documented. salesforce.com support is not available for Workbench.

No Warranty. WORKBENCH IS PROVIDED "AS-IS," EXCLUSIVE OF ANY WARRANTY WHATSOEVER. SFDC DISCLAIMS ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. WORKBENCH IS NOT A PRODUCT OF SFDC AND IS NOT SUPPORTED BY SFDC IN ANY WAY. Workbench may contain bugs or errors. Any production use of Workbench is at Your sole risk. You acknowledge that SFDC may discontinue making Workbench available to You at any time in its sole discretion.

According to Ryan Brainard (Workbench Developer): https://salesforce.stackexchange.com/questions/1733/is-hosted-workbench-officially-run-supported-by-salesforce

Workbench does not have its own database, so nothing is stored long term. The only storage Workbench has is a Redis cluster used for short-term session management and background process queuing. Individual users' settings are stored in browser cookies. So, to answer your questions specifically:
  1. Bulk CSV/XML queries and their results are not stored in Workbench at all. All processing is done on the SFDC side and Workbench is just proxying the data.
  2. Uploaded files are stored temporarily for the life of the transaction and then destroyed.

Security Policy: https://github.com/forceworkbench/forceworkbench/wiki#security

What is CSRF and how should I configure CSRF protection in Workbench?
CSRF stands for Cross-Site Request Forgery, which is an attack where hackers trick users into inserting or manipulating data on their behalf through a web site the user trusts. To protect Workbench and your data against these types of attacks, CSRF protection is integrated into Workbench and relies on a "secret" stored on your Workbench instance. It is highly recommended that you change the default secret to something that only you have access to. You can do this by going to your config/overrides.php file, finding the "CSRF SECURITY SETTINGS" section, changing the default "CHANGE ME", and uncommenting the line by removing the leading double backslashes.

In addition to the standard CSRF protection in Workbench, you can also enable Login CSRF Protection to block programmatic logins to Workbench, which could be used as an attack. Note, if Login CSRF Protection is enabled, benign programmatic logins such as those from Workbench Tools for Firefox will also be blocked. To enable Login CSRF Protection, add the following line to your config/overrides.php file:

$config["loginCsrfEnabled"]["default"]=true;

How do I require end-to-end SSL?
By default, Workbench uses HTTPS (SSL) to connect to Salesforce, but the connection from your computer to Workbench is determined by your server configurations. To require Workbench to enforce end-to-end SSL, add the following line to your config/overrides.php file:

$config["requireSSL"]["default"]=true;

How do I block or only allow certain orgs to use my Workbench instance?
Workbench 22.0.1 introduced a blacklist/whitelist feature admins can configure to do just this. In your config/overrides.php file, find the "ORG ID WHITELIST / BLACKLIST" section and follow the instructions to add or remove organizations.

I hope it helps you.

Kindly let me know if it helps you and close your query by marking it as solved so that it can help others in the future. It will help to keep this community clean.

Thanks and Regards,
Khan Anas
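
An added example (not part of the thread and not code from the Workbench project): a small Python check that reads a self-hosted instance's config/overrides.php and reports which of the three settings described above are still at their defaults. The key name `csrfSecret` is an assumption to confirm against the "CSRF SECURITY SETTINGS" section of your own file, and both sample file contents are constructed.

```python
import re

# Active (uncommented) lines of the form: $config["key"]["default"] = value;
ASSIGN = re.compile(
    r'^[ \t]*\$config\[\s*["\'](\w+)["\']\s*\]\s*\[\s*["\']default["\']\s*\]'
    r'\s*=\s*(.+?)\s*;', re.M)

def active_settings(php_text):
    """Return {key: raw value} for assignments that are not commented out."""
    # Drop /* ... */ blocks; lines starting with // or # never match ASSIGN.
    text = re.sub(r'/\*.*?\*/', '', php_text, flags=re.S)
    return {m.group(1): m.group(2) for m in ASSIGN.finditer(text)}

def audit_overrides(php_text, secret_key="csrfSecret"):
    """List hardening gaps; secret_key is an assumed name, check your file."""
    settings = active_settings(php_text)
    findings = []
    secret = settings.get(secret_key, "").strip("\"'")
    if not secret or secret.replace("_", " ").upper() == "CHANGE ME":
        findings.append("CSRF secret is unset or still the shipped default")
    for key in ("loginCsrfEnabled", "requireSSL"):
        if settings.get(key, "").lower() != "true":
            findings.append(key + " is not enabled")
    return findings

# Constructed sample file contents, not copied from the Workbench repository.
AS_SHIPPED = '''<?php
// CSRF SECURITY SETTINGS
//$config["csrfSecret"]["default"] = "CHANGE ME";
/*
$config["requireSSL"]["default"]=true;
*/
'''
HARDENED = '''<?php
$config["csrfSecret"]["default"] = "constructed-sample-value-not-a-real-secret";
$config["loginCsrfEnabled"]["default"]=true;
$config["requireSSL"]["default"]=true;
'''

if __name__ == "__main__":
    for name, text in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(name, "->", audit_overrides(text) or "no findings")
```

A "loginCsrfEnabled is not enabled" finding can be a deliberate choice, since the setting also blocks benign programmatic logins.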
John Manager Training Dep
Thanks for the detailed response!

Does it also remove their associated components (e.g. Aura, VisualForce)?