Set Up and Maintain Your Salesforce Organization
          Limit Interactions with External URLs and Origins

          In our connected world, interaction with external websites and origins is a necessity. To protect your network and data, configure allowlists and enable settings that limit how Salesforce and external origins interact. And limit redirections that originate in Salesforce to URLs that you trust.

          • Manage Trusted URLs
            Specify the URLs that you trust to interact with your users and network. Use Content Security Policy (CSP) directives to control the types of resources that Lightning components, third-party APIs, and WebSocket connections can load from each trusted URL. If you enabled the Permissions-Policy HTTP header in Session Settings, you can also control which URLs can access browser features from Salesforce.
          • Protect Your Org with Updated CSP Directives
            To help protect your org from cross-site scripting and other code-injection attacks, Salesforce updated the delivered content security policy (CSP) directives for Lightning pages in Summer ’24. If your production org was created before June 2024, enable a setting to adopt the latest directives.
          • Manage Redirections to External URLs
            Protect your users from untrusted external redirections away from Salesforce. First, review which kinds of redirections are automatically restricted and your options for restricting hyperlinks in Salesforce. Add the external URLs that you trust to an allowlist. Then specify what happens when a user clicks a hyperlink that takes them outside your Salesforce org.
          • Manage Trusted URL and Browser Policy Violations
            To protect your users, two allowlists specify the URLs that you trust to load resources in Salesforce and the trusted URLs for redirections. Review blocked redirections and the resource requests that your content security policy (CSP) directives blocked. Then, to allow the required resources, update your trusted URLs.
          • Configure Salesforce CORS Allowlist
            Cross-Origin Resource Sharing (CORS) allows web browsers to request resources from other origins. For example, using CORS, the JavaScript for a web application at https://www.example.com can request a resource from https://www.salesforce.com. To allow access to supported Salesforce APIs, Apex REST resources, and Lightning Out from JavaScript code in a web browser, add the requesting origin to your Salesforce CORS allowlist. For Lightning apps that accept browser requests from their orgs, the CORS allowlist blocks requests to those apps unless the request comes from an approved URL. The allowlist is in effect for your My Domain URL and api.salesforce.com.
          • Protect Sensitive Information in Your URLs
            To protect sensitive information in your URLs, such as an org ID, enable the referrer-policy HTTP header. When an action in Salesforce makes a request to another URL, the website receiving that request can see information about the origin. For example, when a Salesforce page loads an image, the website where the image lives can see the URL of that Salesforce page. And when you click a link, the website that you visit can see the URL of the Salesforce page where the link lives. The referrer-policy HTTP header controls how much of that URL, or referrer, is shared during that request.
          • Protect Your Visualforce Pages with Cross-Origin Opener Policy (COOP)
            Help shield your custom Visualforce pages from external attacks. When you enable Cross-Origin Opener Policy (COOP), each top-level custom Visualforce page opens in a new browsing context group. This process prevents direct access between other browser tabs and your Visualforce page and the page’s content.
          • Restrict Page Resource Requests with Cross-Origin Embedder Policy (COEP)
            To safeguard your custom Visualforce pages, only allow content from external sources that trust your page. When you enable the Cross-Origin Embedder Policy (COEP) setting, externally sourced embedded content loads only when the origin explicitly states that your page or domain can load its content. Embedded content can include images, documents, and widgets.
          • Test the Impact of Blocked Salesforce Session Cookies
            To support users who block third-party cookies, test custom functionality and code that uses a Salesforce session cookie.
          Salesforce Help | Article