Clickjack Protection Control
Salesforce provides Clickjack Protection settings to protect your organization from UI redress attacks.
Control Name
Clickjack Protection
Recommended Configuration
- Enable clickjack protection for Setup pages
- Enable clickjack protection for non-Setup Salesforce pages
- Enable clickjack protection for customer Visualforce pages with standard headers
- Enable clickjack protection for customer Visualforce pages with headers disabled
Setup > Session Settings > Clickjack Protection > Enable all clickjack protection options.
Control Overview
To protect your organization from UI redress attacks, Salesforce provides Clickjack Protection settings that prevent malicious websites from embedding your Salesforce pages, such as Setup or custom Visualforce pages, within an invisible iframe.
Security Risk If Not Configured
Not enabling clickjack protection exposes your users to UI redress attacks, in which an attacker embeds your Salesforce pages in an invisible iframe on a malicious site to trick them into performing unintended actions such as deleting records or granting permissions. This oversight creates a high risk of unauthorized data modification and account compromise, because legitimate user interactions are hijacked to execute malicious commands without the user's knowledge.
Threat Scenarios
An attacker lures an authenticated Salesforce user to a malicious website that hosts an invisible iframe of a sensitive Salesforce page, such as a User Deactivation or Record Deletion screen, directly over a decoy button like "Claim Your Prize." When the user clicks the decoy, they unknowingly execute the hidden Salesforce command, potentially resulting in the unauthorized deletion of critical customer data or the elevation of an attacker's own system permissions without any visible warning.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
The core risk impact is a critical compromise of data confidentiality and system integrity: unmitigated clickjacking can lead to unauthorized data exfiltration, fraudulent administrative actions, and severe regulatory non-compliance.
Higher Risk When
The risk is significantly heightened by an overly permissive Trusted Domains list, which can allow untrusted or compromised external sites to bypass framing restrictions and host invisible Salesforce components. Additionally, neglecting to enable clickjack protection for custom Visualforce pages or Experience Cloud sites while only securing the internal setup creates a vulnerable "backdoor" for attackers to target non-administrative users.
Low or No Risk When
To minimize the risk of clickjacking, organizations can use Trusted Domains for Inline Frames to explicitly allowlist only authorized external sites, so that framing is restricted to known-safe environments. Additionally, adopting Lightning Web Components (LWC) with secure API integrations allows native data rendering without iframes, removing the primary attack vector, while a Least Privilege model limits the damage any accidentally hijacked click could do.
Business and Integration Considerations
Implementing clickjack protection requires a comprehensive audit of all external portals and third-party applications that iframe Salesforce pages to ensure they are correctly allowlisted, as overly restrictive settings can break business-critical integrations and customer-facing workflows.
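An audit check of this kind, added here as an example (not code from the original page or from Salesforce): given the HTTP response headers of a page, it reports whether framing is blocked, restricted to an allowlist, overly permissive, or not protected at all. It assumes the protection is observable as an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive; the headers and origins in SAMPLES are constructed.

```python
# Assumption (not stated on the page): clickjack protection shows up on the wire as an
# X-Frame-Options header and/or a CSP frame-ancestors directive. Samples are constructed.
PERMISSIVE_SOURCES = {"*", "http:", "https:"}   # any site may frame the page


def frame_ancestors(headers):
    """Return the frame-ancestors source list from CSP, or None if absent."""
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]] or ["'none'"]  # empty list blocks all
    return None


def source_matches(source, origin):
    """Does one CSP host-source allow `origin` (scheme://host) to frame the page?"""
    if source in PERMISSIVE_SOURCES:
        return True
    if source.startswith("'"):      # 'self' / 'none' are handled by the caller
        return False
    scheme, _, host = source.rpartition("://")
    o_scheme, _, o_host = origin.partition("://")
    if scheme and scheme != o_scheme:
        return False
    return o_host.endswith(host[1:]) if host.startswith("*.") else host == o_host


def framing_allowed(headers, page_origin, framer_origin):
    """True/False when a header decides it; None when no protection is present."""
    sources = frame_ancestors(headers)
    if sources is not None:         # browsers prefer frame-ancestors over X-Frame-Options
        return any(framer_origin == page_origin if s == "'self'"
                   else source_matches(s, framer_origin) for s in sources)
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return xfo == "SAMEORIGIN" and framer_origin == page_origin
    return None                     # missing, or an obsolete value browsers ignore


def audit(headers):
    """Classify a response as 'unprotected', 'permissive' or 'restricted'."""
    sources = frame_ancestors(headers)
    if sources is not None:
        return "permissive" if PERMISSIVE_SOURCES & set(sources) else "restricted"
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    return "restricted" if xfo in ("DENY", "SAMEORIGIN") else "unprotected"


SAMPLES = {  # constructed responses
    "setup_page": {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'"},
    "vf_trusted": {"Content-Security-Policy": "frame-ancestors 'self' https://portal.example.com"},
    "vf_permissive": {"Content-Security-Policy": "frame-ancestors *"},
    "unprotected": {"Content-Type": "text/html"},
}
```

A "permissive" verdict on a customer-facing page is the overly permissive Trusted Domains case described above; "unprotected" means the setting is not in effect for that page.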
Recommended Remediation
Enable all clickjack protection options in Salesforce Session Settings.
Security Health Review Guidance
Security Health Review inspects the org's Session Settings to verify that clickjack protection is enabled in alignment with best practices.

