          Headless Identity for Customers and Partners Control

          Secures the backend API handshake for custom login UIs.

          Control Name

          Headless Identity for Customers and Partners

          Recommended Configuration

          Headless Identity allows developers to use Salesforce as a robust back-end identity engine while hosting the login and registration user interfaces on their own external servers or custom applications.

          Control Overview

          Secures the backend API handshake for custom login UIs.

          Security Risk If Not Configured

          When custom apps don't use a headless architecture, developers often fall back on insecure methods such as embedding standard Salesforce pages in iframes or relying on browser redirects, both of which are more exposed to clickjacking and cross-site scripting (XSS).

          Threat Scenarios

          An attacker exploits a vulnerability in a legacy browser redirect flow to intercept authorization codes or session cookies. This risk is significantly reduced in headless "Authorization Code and Verifier" flows, where the exchange happens server-to-server rather than through the user's browser.
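The property the threat scenario relies on is that the authorization code is bound to a secret verifier that never leaves the back end, so a code observed in transit cannot be redeemed on its own. The following Python sketch is an added example, not Salesforce code and not the Headless Identity API: the PKCE math follows RFC 7636, while `ToyAuthorizationServer`, its `authorize`/`token` methods and the client name are hypothetical stand-ins for the identity provider's endpoints.

```python
import base64
import hashlib
import hmac
import secrets

# PKCE (RFC 7636): the client keeps a random code_verifier and sends only
# its SHA-256 "challenge" with the authorization request. The code it gets
# back must be exchanged together with the verifier, so a code captured in
# transit is useless without the secret that stayed on the back end.


def make_code_verifier() -> str:
    # 32 random bytes -> 43 URL-safe characters, within the RFC's 43..128 range.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def compute_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class ToyAuthorizationServer:
    """Hypothetical model of an identity provider's authorize and token
    endpoints (constructed for this example; not the Salesforce implementation)."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}  # code -> (client_id, challenge)

    def authorize(self, client_id: str, code_challenge: str) -> str:
        # Issue a short-lived code bound to the client and its challenge.
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str) -> str:
        entry = self._pending.pop(code, None)  # single use: a replayed code fails
        if entry is None:
            raise PermissionError("unknown or already used code")
        bound_client, bound_challenge = entry
        if bound_client != client_id:
            raise PermissionError("code was issued to a different client")
        # Constant-time comparison of the recomputed challenge against the stored one.
        if not hmac.compare_digest(compute_challenge(code_verifier), bound_challenge):
            raise PermissionError("code_verifier does not match the challenge")
        return "access-token-" + secrets.token_hex(8)


def run_flow(server: ToyAuthorizationServer, client_id: str = "custom-login-backend") -> str:
    """Happy path: back end creates the verifier, obtains a code, exchanges it."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, compute_challenge(verifier))
    return server.token(client_id, code, verifier)


def code_without_verifier_is_rejected(server: ToyAuthorizationServer) -> bool:
    """A code presented with any verifier other than the original is refused."""
    client_id = "custom-login-backend"
    verifier = make_code_verifier()
    code = server.authorize(client_id, compute_challenge(verifier))
    try:
        server.token(client_id, code, make_code_verifier())  # different verifier
    except PermissionError:
        return True
    return False


def replay_is_rejected(server: ToyAuthorizationServer) -> bool:
    """A code that has already been exchanged once cannot be used again."""
    client_id = "custom-login-backend"
    verifier = make_code_verifier()
    code = server.authorize(client_id, compute_challenge(verifier))
    server.token(client_id, code, verifier)  # first, legitimate exchange
    try:
        server.token(client_id, code, verifier)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    print("flow ok:", run_flow(srv).startswith("access-token-"))
    print("code alone rejected:", code_without_verifier_is_rejected(srv))
    print("replay rejected:", replay_is_rejected(srv))
```

The two failure cases are the point: interception of the code (the legacy redirect risk named above) and replay of an already-used code are both refused by the token endpoint, which is why keeping the verifier and the exchange on the server side removes the browser from the trust boundary.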

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Relying on traditional front-end redirects for high-scale custom applications can lead to a fragmented security posture where the authentication "handshake" is visible and vulnerable to client-side manipulation.

          Higher Risk When

          The risk is higher when building custom mobile apps or single-page applications (SPAs) that require high-grade security but can't natively support the standard Salesforce web-based login experience without degrading the user's security context.

          Low Risk When

          Standard, built-in Experience Cloud templates are used instead of custom-built front ends, as those templates already include built-in Salesforce protections for redirects and session handling.

          Business and Integration Considerations

          Implementing Headless Identity requires advanced development expertise in OAuth 2.0 flows and the ability to build and maintain a custom front-end UI that communicates with Salesforce via the Headless Identity APIs.

          Recommended Remediation

          Configure the Headless Registration and Login Discovery handlers in Salesforce and update your external application to use the Headless Identity API for all authentication requests.

          Security Health Review Guidance

          Security Health Review identifies Headless Identity as an API-first security model that provides the flexibility of a custom user experience without sacrificing the rigorous back-end security standards of the Salesforce platform.
