          Content Sniffing Protection Control

          To prevent browsers from incorrectly interpreting files as executable scripts, Salesforce admins should enable "Enable Content Sniffing Protection" within the Session Settings menu.

          Control Name

          Content Sniffing Protection

          Recommended Configuration

          • Enable Content Sniffing protection

          Setup > Session Settings > Content Sniffing Protection.

          Control Overview

          To prevent browsers from incorrectly interpreting files as executable scripts, Salesforce admins should enable "Enable Content Sniffing Protection" within the Session Settings menu to enforce the X-Content-Type-Options: nosniff header.

          Security Risk If Not Configured

          Not enabling Content Sniffing Protection allows browsers to ignore the server's declared file type and "guess" the MIME type based on a file's content, creating a vulnerability where a browser can execute a harmless-looking file (like an image or text file) as a malicious script. This oversight significantly increases the risk of Cross-Site Scripting (XSS) and drive-by download attacks.

          Threat Scenarios

          An attacker uploads a malicious JavaScript payload disguised as a harmless .png or .txt file to a Salesforce Case or Experience Cloud portal. Without content sniffing protection enabled, an unsuspecting user's browser "guesses" the file's true nature and executes the hidden script, allowing the attacker to silently steal the user’s active session cookies and exfiltrate sensitive data.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          N/A

          Higher Risk When

          The risk of MIME sniffing is significantly compounded by a lack of a robust Content Security Policy (CSP), which would otherwise serve as a secondary defense to block the execution of unauthorized scripts.

          Low or No Risk When

          To offset the absence of content sniffing protection, organizations should implement a strict Content Security Policy (CSP) that explicitly blocks the execution of unauthorized or inline scripts, acting as a secondary firewall against "sniffed" payloads.

          Also, deploying automated malware and file-type scanning for all uploads ensures that malicious files—scripts disguised as images—are intercepted and neutralized before a browser ever has the chance to misinterpret them.
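          The following Python script is an added example, not Salesforce code or part of this article: it shows what a response-header check for the two defences discussed above looks like in practice, verifying that a response carries the X-Content-Type-Options: nosniff header that the Content Sniffing Protection setting enforces, and that a Content Security Policy restricting script execution is present as the secondary defence. The raw HTTP responses, hostnames and header values in it are constructed for illustration; the function and variable names are the example's own.

```python
"""Added example: inspect an HTTP response for the MIME-sniffing defences
described above. Not Salesforce's implementation; all sample data is constructed."""
from typing import Dict, List, Optional


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response header block into a dict keyed by lower-cased name.
    Header names are case-insensitive per RFC 9110, so normalising lets the checks
    below match 'X-Content-Type-Options' and 'x-content-type-options' alike."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/"):      # status line carries no header
            continue
        if not line.strip():              # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def has_nosniff(headers: Dict[str, str]) -> bool:
    """True only when the header the article's setting enforces is present.
    Browsers compare the value case-insensitively, so 'NoSniff' also counts."""
    return headers.get("x-content-type-options", "").lower() == "nosniff"


def script_sources(headers: Dict[str, str]) -> Optional[List[str]]:
    """Return the effective script source list from a CSP, or None if no CSP governs scripts.
    script-src takes precedence; default-src is the fallback the browser applies."""
    csp = headers.get("content-security-policy", "")
    directives: Dict[str, List[str]] = {}
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return directives.get("script-src", directives.get("default-src"))


def csp_blocks_unauthorized_scripts(headers: Dict[str, str]) -> bool:
    """The 'strict CSP' condition from the article: a policy exists and it neither
    allows inline scripts nor whitelists every origin."""
    sources = script_sources(headers)
    if sources is None:
        return False
    return "'unsafe-inline'" not in sources and "*" not in sources


def assess(raw_response: str) -> List[str]:
    """Return a list of findings; an empty list means both defences are in place."""
    headers = parse_headers(raw_response)
    findings: List[str] = []
    if "content-type" not in headers:
        findings.append("no Content-Type declared, so the browser must sniff the body")
    if not has_nosniff(headers):
        findings.append("missing X-Content-Type-Options: nosniff")
    if not csp_blocks_unauthorized_scripts(headers):
        findings.append("CSP absent or permits inline / any-origin scripts (no secondary defence)")
    return findings


# Constructed sample responses (hostnames and values are illustrative only).
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: image/png
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' https://static.example.invalid

"""

WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: image/png
Content-Security-Policy: script-src 'self' 'unsafe-inline'

"""

if __name__ == "__main__":
    for label, resp in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, assess(resp) or ["no findings"])
```

          Running the script reports no findings for the hardened response and two for the weak one (no nosniff header, and a CSP that permits inline scripts), which is exactly the combination the "Higher Risk When" section describes. The check is deliberately conservative: a response with no CSP at all is reported the same way as one with a permissive policy, because neither provides the secondary defence.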

          Business and Integration Considerations

          N/A

          Recommended Remediation

          Enable content sniffing protection.

          Security Health Review Guidance

          Security Health Review inspects the Session Settings configuration to verify Content Sniffing Protection is enabled, aligning with industry best practice.
