Manage Trusted URL Control
Specify the URLs that you trust to interact with your users and network.
Control Name
Manage Trusted URL and CSP Settings
Recommended Configuration
- List only the specific external URLs and domains that Lightning components, third-party APIs, and WebSocket connections genuinely need to reach; prefer exact HTTPS origins over wildcards.
- For every Trusted URL, define the CSP Context it applies to and enable only the CSP directives (connect-src, frame-src, img-src, style-src, font-src, media-src) that the integration actually uses.
Setup > Trusted URLs > New Trusted URL > CSP Settings.
Control Overview
Specify the URLs that you trust to interact with your users and network. Use Content Security Policy (CSP) directives to control the types of resources that Lightning components, third-party APIs, and WebSocket connections can load from each trusted URL.
Security Risk If Not Configured
Trusted URLs and CSP settings do not cause Cross-Site Scripting (XSS) on their own, but they are the browser-level control that limits what an injected script can do. If the allow-list is missing, overly broad (wildcards), or permits insecure HTTP origins, a script that gets into a page through an XSS flaw or a compromised third-party resource can fetch resources from, open connections to, and exfiltrate record data and session tokens to arbitrary external endpoints without the browser blocking it.
Threat Scenarios
An attacker exploits a Cross-Site Scripting (XSS) vulnerability in a custom component to inject a script that silently scrapes sensitive record data and session tokens from a user's browser. The script then attempts to send the stolen data to an attacker-controlled server with fetch, XMLHttpRequest, or a WebSocket. With a tightly scoped Trusted URL list, the CSP connect-src directive only permits connections to the listed origins and the browser blocks the exfiltration request and logs a CSP violation. With a wildcard entry or an attacker-registered subdomain of a broadly trusted domain on the list, the same request succeeds. A strict allow-list limits the damage of such a script; it does not remove the underlying XSS, which still has to be fixed in the component.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
The impact depends on the data that can flow to or from each trusted origin: any record data, session tokens, or user input that a script can reach in the browser can be sent to, or loaded from, every origin on the list, so each entry should be judged by the sensitivity of the pages and data it is exposed to.
Higher Risk When
The risk of incorrect Trusted URL and CSP configurations is significantly elevated when custom components do not follow secure coding practices, such as failing to sanitize user input or to encode output, because that is what gives an attacker a script to run in the first place.
The risk is also elevated when CSP violation logs are not reviewed, when the list contains wildcard or HTTP entries, or when Lightning Web Security (LWS) is not enabled, because the organization then cannot detect or contain a malicious script that gets past the weakened browser-level defenses.
Low or No Risk When
The risk is low when the Trusted URL list contains only the exact HTTPS origins that current integrations need, each limited to the CSP directives it requires, and when Lightning Web Security (LWS) or Lightning Locker is enforced so that custom components run in a sandbox that isolates them and prevents cross-namespace data access.
Rigorous secure coding practices, such as mandatory output encoding and regular static code analysis, add a defense-in-depth layer that reduces the chance of a script being injected at all. Multi-Factor Authentication (MFA) limits the value of stolen credentials but does not stop a script that already runs in an authenticated session, so it complements, rather than replaces, a strict CSP.
Business and Integration Considerations
Integration with external sites.
Recommended Remediation
Create a Trusted URL for each external site a component or integration must connect to, using the exact HTTPS origin, the narrowest CSP Context, and only the CSP directives the integration uses. Remove wildcard entries, HTTP entries, and entries for integrations that are no longer in use, and review CSP violation logs after changes to confirm nothing legitimate is blocked.
Security Health Review Guidance
Security Health Review inspects the Trusted URLs set up in the platform to identify potentially ineffective entries, such as overly permissive URLs that use wildcards or URLs that use the insecure HTTP protocol.
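The following script is an added example, not part of the Security Health Review product or Salesforce code. It performs the same kind of check offline over an exported list of Trusted URL records: it flags HTTP endpoints, wildcard hosts, frame-src grants, and inactive entries, and it rebuilds the effective per-directive allow-list so a reviewer can compare it against the integrations the business actually uses. The record layout and field names (EndpointUrl, IsActive, IsApplicableToConnectSrc and the other IsApplicableTo* flags) are assumed to mirror the CspTrustedSite metadata object; the sample records are constructed for this example and do not come from any real org.

```python
"""Offline audit of Salesforce Trusted URL records for weak CSP allow-list
entries (insecure scheme, wildcard host, frame-src grants, inactive entries).

Added example, not Salesforce code. The field names are assumed to mirror the
CspTrustedSite metadata object; adjust them to match the export you pull from
your org before relying on the results.
"""
from urllib.parse import urlsplit

# Constructed sample records, invented for this example (no real org data).
SAMPLE_TRUSTED_SITES = [
    {"DeveloperName": "Maps_API", "EndpointUrl": "https://maps.example.com",
     "IsActive": True, "IsApplicableToConnectSrc": True,
     "IsApplicableToImgSrc": True},
    {"DeveloperName": "Legacy_Widget", "EndpointUrl": "http://widgets.example.net",
     "IsActive": True, "IsApplicableToConnectSrc": True,
     "IsApplicableToFrameSrc": True},
    {"DeveloperName": "Partner_CDN", "EndpointUrl": "https://*.cdn-partner.example",
     "IsActive": True, "IsApplicableToConnectSrc": True,
     "IsApplicableToStyleSrc": True, "IsApplicableToFontSrc": True},
    {"DeveloperName": "Old_Integration", "EndpointUrl": "https://old.example.org",
     "IsActive": False, "IsApplicableToConnectSrc": True},
]

# Assumed CspTrustedSite boolean flags and the CSP directive each one widens.
DIRECTIVE_FLAGS = {
    "IsApplicableToConnectSrc": "connect-src",
    "IsApplicableToFrameSrc": "frame-src",
    "IsApplicableToImgSrc": "img-src",
    "IsApplicableToStyleSrc": "style-src",
    "IsApplicableToFontSrc": "font-src",
    "IsApplicableToMediaSrc": "media-src",
}


def directives_for(site):
    """Return the CSP directives this record adds its endpoint to."""
    return [d for flag, d in DIRECTIVE_FLAGS.items() if site.get(flag)]


def audit_site(site):
    """Return a list of finding codes for one Trusted URL record."""
    findings = []
    parts = urlsplit(site["EndpointUrl"])
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        # Resources loaded over http can be modified in transit, and an http
        # origin in connect-src lets data leave the page in plaintext.
        findings.append("insecure-scheme")
    if host == "*" or host.startswith("*."):
        # A wildcard trusts every current and future subdomain, including any
        # an attacker can register or take over (dangling DNS, shared CDNs).
        findings.append("wildcard-host")
    if "frame-src" in directives_for(site):
        # Framing third-party content inside Lightning is a phishing surface;
        # grant it only when the integration genuinely needs an iframe.
        findings.append("frame-src-granted")
    if not site.get("IsActive", False):
        # Inactive entries add nothing to the policy but tend to be re-enabled
        # later without review; prune them.
        findings.append("inactive-entry")
    return findings


def effective_allow_lists(sites):
    """Map each CSP directive to the sorted origins that active records add.

    This is the allow-list a reviewer compares against the integrations the
    business actually uses; anything unexplained is a candidate for removal.
    """
    allow = {d: set() for d in DIRECTIVE_FLAGS.values()}
    for site in sites:
        if not site.get("IsActive", False):
            continue
        for directive in directives_for(site):
            allow[directive].add(site["EndpointUrl"].rstrip("/"))
    return {d: sorted(origins) for d, origins in allow.items()}


def audit_all(sites):
    """Return {DeveloperName: [finding, ...]} for records with findings."""
    report = {}
    for site in sites:
        found = audit_site(site)
        if found:
            report[site["DeveloperName"]] = found
    return report


if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_TRUSTED_SITES).items():
        print(f"{name}: {', '.join(found)}")
    for directive, origins in effective_allow_lists(SAMPLE_TRUSTED_SITES).items():
        if origins:
            print(f"{directive}: {' '.join(origins)}")
```

Run against the constructed sample, the audit reports Legacy_Widget (HTTP scheme and a frame-src grant), Partner_CDN (wildcard host) and Old_Integration (inactive), while Maps_API passes. The rebuilt connect-src list makes the exposure concrete: every active entry, including the wildcard and the HTTP origin, becomes a destination an injected script can talk to.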