          Protect Sensitive Information in Your URLs

          To protect sensitive information in your URLs, such as an org ID, enable the referrer-policy HTTP header. When an action in Salesforce makes a request to another URL, the website receiving that request can see information about the origin. For example, when a Salesforce page loads an image, the website where the image lives can see the URL of that Salesforce page. And when you click a link, the website that you visit can see the URL of the Salesforce page where the link lives. The referrer-policy HTTP header controls how much of that URL, or referrer, is shared during that request.

          Required Editions

          Available in: Lightning Experience and Salesforce Classic

          Available in: Essentials, Personal, Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

          User Permissions Needed
          To modify session security settings: Customize Application
          1. From Setup, in the Quick Find box, enter Session Settings, and then select Session Settings.
          2. In the Referrer URL Protection section, select Include Referrer-Policy HTTP header.
            When this setting is enabled, all pages served by Salesforce include the referrer-policy HTTP header. When this setting is disabled, browsers use their default referrer-policy directive, which usually exposes your full URL.
          3. Select an HTTP Referrer Policy.
            1. To send the referrer URL for same-origin requests, to send the origin only for cross-origin requests on the same protocol, and to omit the referrer when the target website is on a downgraded protocol, select strict-origin-when-cross-origin. This is the default.
            2. To never include the referrer, select no-referrer.
            3. To always send the origin only, select origin.
            4. To omit the referrer for cross-origin requests, select same-origin.
            5. To send the origin only for requests with the same protocol level and to omit the referrer when the target website is on a downgraded protocol, select strict-origin.
          4. Save your changes.
          Example

          Let’s look at how URLs are shared with the strict-origin-when-cross-origin HTTP Referrer Policy.

          Start on your user profile on an Experience Cloud site with the URL https://MyDomainName.my.site.com/pageName/s/profile/userId. When you click a link on your profile to another Experience Cloud site page with the URL https://MyDomainName.my.site.com/pageName, both URLs are on the same origin (the MyDomainName.my.site.com domain), and both URLs use the HTTPS protocol. So the full URL of your user profile is shared as the referrer.

          That Experience Cloud site page includes an embedded image with the URL http://example.com/images/header_image.png. Loading that image is an example of a request with a downgraded protocol because the site page uses HTTPS but the target URL uses HTTP. The request to load the image includes no referrer information.

          Then you click a link on that Experience Cloud site page to access a report with the URL https://MyDomainName.lightning.force.com/lightning/r/Report/reportId/view. This action initiates a cross-origin request because site.com and force.com are different domains. And both URLs use the same protocol: HTTPS. So in this case, the request includes only the origin as the referrer. The origin is the URL without the path, in this case, https://MyDomainName.my.site.com. A request to an external website on the same protocol, such as https://www.example.com, also includes only the origin as the referrer.
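The walk-through above, as an added example that is not part of the original article: a small JavaScript model (a hypothetical helper, not Salesforce or browser code) that applies the Referrer-Policy rules to the same URLs. It also covers the other policy values, including the deprecated ones listed below, so the difference in what each one leaks is visible; the `walkthrough` and `referrerFor` names are assumptions.

```javascript
// Added example (not Salesforce code): a model of how a browser derives the
// Referer header from a Referrer-Policy value, applied to the walk-through URLs.
// Follows the W3C Referrer Policy rules; the URL parser lowercases the placeholder hosts.
const PROFILE = "https://MyDomainName.my.site.com/pageName/s/profile/userId";
const SITE_PAGE = "https://MyDomainName.my.site.com/pageName";
const IMAGE = "http://example.com/images/header_image.png"; // HTTPS -> HTTP downgrade
const REPORT = "https://MyDomainName.lightning.force.com/lightning/r/Report/reportId/view";
// A referrer never carries the fragment or credentials, so rebuild it from parts.
function fullReferrer(u) {
  return u.origin + u.pathname + u.search;
}

// True when the request leaves HTTPS for plain HTTP (a "downgraded protocol").
function isDowngrade(from, to) {
  return from.protocol === "https:" && to.protocol === "http:";
}

// Returns the referrer the browser sends for a request from -> to, or null
// when the Referer header is omitted entirely.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const full = fullReferrer(from);
  const origin = from.origin; // scheme + host only, no path
  switch (policy) {
    case "no-referrer": return null;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return isDowngrade(from, to) ? null : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return isDowngrade(from, to) ? null : origin;
    // Deprecated values, kept so their leak of the full URL is visible:
    case "no-referrer-when-downgrade": return isDowngrade(from, to) ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "unsafe-url": return full;
    default: throw new Error(`unknown Referrer-Policy value: ${policy}`);
  }
}

// The three requests from the walk-through, under the default policy.
function walkthrough(policy = "strict-origin-when-cross-origin") {
  return {
    profileToSitePage: referrerFor(policy, PROFILE, SITE_PAGE), // full profile URL
    sitePageToImage: referrerFor(policy, SITE_PAGE, IMAGE),     // null: omitted
    sitePageToReport: referrerFor(policy, SITE_PAGE, REPORT),   // origin only
  };
}
```

Calling `walkthrough("unsafe-url")` shows the full site-page URL being sent even to the plain-HTTP image host, which is why that value sits in the deprecated list.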

          To help you select a current policy, deprecated policies appear at the end of the HTTP Referrer Policy list. These policies aren’t recommended.

          • no-referrer-when-downgrade: This policy isn’t recommended because the full URL of the page is exposed to cross-origin requests to the same or a higher protocol level, for example requests from HTTPS to HTTPS and requests from HTTP to either HTTP or HTTPS.
          • origin-when-cross-origin: This policy isn’t recommended because multiple browsers no longer support this policy. Select strict-origin-when-cross-origin instead.
          • unsafe-url: This policy isn’t recommended because the full URL of the page is exposed to requests from insecure origins.

          For more information on HTTP Referrer Policy values, including examples, see the Referrer-Policy entry in the MDN Docs HTTP Guide.

          Salesforce Help | Article