CORS Allowlist Control
The Salesforce CORS (Cross-Origin Resource Sharing) allowlist is a security control that enables administrators to specify trusted external domains permitted to perform cross-origin requests to Salesforce APIs and resources.
Control Name
CORS Allowlist
Recommended Configuration
- Allowed Origins List - To let code (such as JavaScript) running in a web browser call Salesforce from a specific origin, add that origin to the allowlist. Each Origin URL Pattern must include the scheme and host name, and may include a port (for example https://app.example.com or https://app.example.com:8443). A wildcard (*) is supported only in front of a second-level domain name, as in https://*.example.com, which admits every subdomain of example.com; prefer exact origins where possible.
Setup>CORS>New>Origin URL Pattern.
Control Overview
The allowlist decides which origins appear in the Access-Control-Allow-Origin response header, so a browser hands a Salesforce API response to page script only when the page's origin is listed; script on any other origin is stopped by the browser's same-origin policy. The allowlist does not grant access by itself: cross-origin calls to Salesforce APIs must still carry a valid OAuth access token in the Authorization header, and the user's Salesforce session cookie does not authenticate them. Listing an origin therefore extends trust to whatever script runs there, which is why every entry should be a domain the organization controls.
Security Risk If Not Configured
Without a properly maintained CORS allowlist, an untrusted or overly broad origin can be permitted to read responses from Salesforce APIs and Lightning resources in a user's browser, exposing the organization to unauthorized data access. A CORS misconfiguration is not itself a cross-site scripting (XSS) flaw, but it widens what script running on a permitted origin, including script injected there through an XSS bug in that application, can read from Salesforce.
Threat Scenarios
An attacker hosts or compromises a page whose origin matches an allowlist entry, for example a subdomain under an overly broad wildcard pattern, or a listed third-party domain the organization no longer controls. Script on that page, running in the browser of a Salesforce user, calls Salesforce APIs with an access token available to that origin (such as one held by a legitimate integration hosted there). Because the origin is allowlisted, the browser returns the API responses to the script, which can silently exfiltrate sensitive data or perform actions as the authenticated user. An origin that is not listed would receive no readable response, and a call without an OAuth token is rejected regardless of origin, so the allowlist and token governance must be assessed together.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
The OAuth scopes of the Connected App or External Client App whose tokens are used from an allowlisted origin bound what script on that origin can read or change; broad scopes raise the impact of a permissive entry.
Higher Risk When
The risk of an ineffective CORS allowlist is significantly amplified when third-party applications are not governed: an application that can obtain tokens and runs on a permitted origin can scrape data at API speed.
A weak Content Security Policy (CSP) or the absence of Lightning Web Security compounds the problem. Malicious script is loaded into the UI more easily, and the loose CORS boundary then lets that script read sensitive API responses directly in the user's browser.
Low or No Risk When
Risk is low when API Access Control restricts which connected apps and users may call Salesforce APIs, so that only authorized identities can obtain usable tokens regardless of the origin a request comes from.
A strict Content Security Policy (CSP) and Lightning Web Security (LWS) add defense in depth: CSP limits where the browser may send data, and LWS isolates components so that malicious script cannot reach session tokens or make cross-origin calls on the user's behalf.
Business and Integration Considerations
Browser-based integrations with external web applications (the legitimate reason to list an origin) and the API scopes those integrations require.
Recommended Remediation
Maintain the CORS allowlist deliberately: add only exact HTTPS origins of applications the organization controls, avoid wildcard patterns that cover shared hosting platforms or domains the organization does not own, remove localhost and retired origins from production orgs, and review the list on a schedule and whenever an integration is decommissioned.
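As a worked illustration of such a review, the Python script below audits a list of Origin URL Pattern strings against the rules above (exact HTTPS origins, no wildcards over shared hosting or foreign domains, no plaintext or localhost entries in production, no duplicates). It is an added example for this page, not Salesforce code: the allowlist entries, the owned-domain set and the shared-hosting list are constructed, and the script assumes the caller has already exported the patterns (the urlPattern field of the CorsWhitelistOrigin metadata type) rather than fetching them from an org.

```python
"""Audit a Salesforce CORS allowlist for weak or overly permissive origin patterns.

Added example for this page, not Salesforce's own code. It classifies Origin URL
Pattern strings with rules an auditor would apply; fetching the live list from an
org (CorsWhitelistOrigin.urlPattern via the Metadata API) is left to the caller.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosting platforms where any third party can register a host name. A wildcard
# such as https://*.herokuapp.com therefore trusts every tenant of the platform.
# Constructed, illustrative list; extend it for your own environment.
SHARED_HOSTS = {
    "herokuapp.com", "github.io", "ngrok.io", "ngrok-free.app", "netlify.app",
    "vercel.app", "azurewebsites.net", "cloudfront.net", "amazonaws.com",
    "web.app", "firebaseapp.com", "pages.dev", "workers.dev",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "ok": 3}


@dataclass
class Finding:
    pattern: str
    severity: str  # one of high, medium, low, ok
    reason: str


def _under(host: str, domains: set[str]) -> bool:
    """True if host equals one of the domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_pattern(pattern: str, owned_domains: set[str], production: bool = True) -> Finding:
    """Classify one Origin URL Pattern. owned_domains are domains the org controls."""
    parts = urlsplit(pattern.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if scheme not in ("http", "https") or not host:
        return Finding(pattern, "high", "not a scheme://host origin; remove or correct it")
    if host in ("localhost", "127.0.0.1"):
        if production:
            return Finding(pattern, "medium", "developer origin present in a production org")
        return Finding(pattern, "ok", "local development origin")
    if scheme == "http":
        return Finding(pattern, "high", "plaintext origin: a network attacker can impersonate it")
    if host.startswith("*."):
        base = host[2:]
        if "*" in base:
            return Finding(pattern, "high", "more than one wildcard label")
        if _under(base, SHARED_HOSTS):
            return Finding(pattern, "high", f"wildcard over shared hosting ({base}): any tenant matches")
        if not _under(base, owned_domains):
            return Finding(pattern, "medium", f"wildcard over a domain the org does not own ({base})")
        return Finding(pattern, "low", "wildcard over an owned domain trusts every subdomain, "
                                       "including dev and test hosts; prefer exact origins")
    if "*" in host:
        return Finding(pattern, "high", "wildcard not in the leading label; unsupported pattern")
    if not _under(host, owned_domains):
        return Finding(pattern, "medium", "exact third-party origin; confirm a current business justification")
    return Finding(pattern, "ok", "exact HTTPS origin under an owned domain")


def audit_allowlist(patterns: list[str], owned_domains: set[str], production: bool = True) -> list[Finding]:
    """Audit every pattern, flag duplicates, and return findings worst first."""
    findings, seen = [], set()
    for p in patterns:
        key = p.strip().lower()
        if key in seen:
            findings.append(Finding(p, "low", "duplicate entry"))
            continue
        seen.add(key)
        findings.append(audit_pattern(p, owned_domains, production))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def worst_severity(findings: list[Finding]) -> str:
    """Overall result for a report header or a CI gate."""
    return min((f.severity for f in findings), key=lambda s: SEVERITY_ORDER[s], default="ok")


# Constructed sample allowlist, as it might be exported from an org.
SAMPLE_ALLOWLIST = [
    "https://app.example.com",
    "https://*.example.com",
    "https://*.herokuapp.com",
    "http://portal.example.com",
    "http://localhost:3000",
    "https://partner-portal.acme-integrations.net",
    "https://app.example.com",
]
OWNED_DOMAINS = {"example.com"}  # constructed: domains this hypothetical org controls

if __name__ == "__main__":
    report = audit_allowlist(SAMPLE_ALLOWLIST, OWNED_DOMAINS)
    print(f"overall: {worst_severity(report)}")
    for f in report:
        print(f"{f.severity:6} {f.pattern:45} {f.reason}")
```

The shared-hosting check is the rule that catches the most damaging entries: a wildcard over an owned domain only widens trust to hosts the organization runs, while a wildcard over a platform where anyone can register a subdomain is equivalent to trusting the public. Run the audit against the exported list of a production org and treat any high finding as a blocker.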
Security Health Review Guidance
Security Health Review inspects the CORS allowlist for ineffective entries, such as overly permissive origin patterns, and reports them for review.