Referrer URL Protection Control
The Referrer URL Protection control in Salesforce enables the Referrer-Policy HTTP header to regulate the amount of internal URL information shared with external websites.
Control Name
Referrer URL Protection
Recommended Configuration
- HTTP Referrer Policy - Select "strict-origin-when-cross-origin"
Setup > Session Settings > Referrer URL Protection > Include Referrer-Policy HTTP Header > HTTP Referrer Policy > Strict-Origin-When-Cross-Origin.
Control Overview
The Referrer URL Protection control in Salesforce (found under Session Settings) enables the Referrer-Policy HTTP header to regulate the amount of internal URL information shared with external websites when a user clicks a link or loads a resource. By selecting a secure policy such as "origin-when-cross-origin," the browser is instructed to provide only the Salesforce domain name to third-party sites, effectively masking sensitive data like Org IDs, record IDs, or session parameters contained in the full URL path.
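To make the effect of each policy concrete, the following added example (not Salesforce code) applies the Referrer-Policy decision rules to a constructed Salesforce record URL and shows what a browser would put in the Referer header for an outbound link; the org domain and record ID are placeholders.

```javascript
// Added example: compute the Referer value a browser sends under a given Referrer-Policy,
// following the Referrer Policy specification's rules. All URLs below are constructed;
// "example.my.salesforce.com" and "001XXXXXXXXXXXXXXX" are placeholders, not real values.

// The "full" referrer is the page URL with credentials and fragment removed.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// The "origin" referrer is scheme://host[:port] followed by a single slash.
function originOf(url) {
  return new URL(url).origin + "/";
}

// A downgrade is an HTTPS page navigating or loading a resource over plain HTTP.
function isDowngrade(source, dest) {
  return new URL(source).protocol === "https:" && new URL(dest).protocol === "http:";
}

function sameOrigin(source, dest) {
  return new URL(source).origin === new URL(dest).origin;
}

// Returns the Referer header value, or null when the browser sends no Referer at all.
// An empty policy string falls back to the modern browser default.
function referrerFor(policy, source, dest) {
  const full = stripForReferrer(source);
  const origin = originOf(source);
  const downgrade = isDowngrade(source, dest);
  const same = sameOrigin(source, dest);
  switch (policy || "strict-origin-when-cross-origin") {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "same-origin": return same ? full : null;
    case "origin": return origin;
    case "strict-origin": return downgrade ? null : origin;
    case "origin-when-cross-origin": return same ? full : origin;
    case "strict-origin-when-cross-origin": return same ? full : (downgrade ? null : origin);
    default: throw new Error("unknown Referrer-Policy: " + policy);
  }
}

// Constructed record URL: the record ID sits in the path, which is what a full Referer leaks.
const RECORD_URL = "https://example.my.salesforce.com/lightning/r/Account/001XXXXXXXXXXXXXXX/view";
const EXTERNAL_URL = "https://partner.example.com/pricing";
console.log("strict-origin-when-cross-origin:", referrerFor("strict-origin-when-cross-origin", RECORD_URL, EXTERNAL_URL));
console.log("no-referrer-when-downgrade:    ", referrerFor("no-referrer-when-downgrade", RECORD_URL, EXTERNAL_URL));
```

The first line prints only the org origin, while the second prints the full record URL, which is the leakage the control prevents.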
Security Risk If Not Configured
Not enabling Referrer URL Protection increases the risk of sensitive metadata leakage, as the browser may send the full Salesforce URL—including Org IDs, Record IDs, and private parameters—to external web servers whenever an outbound link is clicked or a third-party resource is loaded. This exposure allows external actors to log and analyze your internal data structures, which can be exploited for targeted phishing, social engineering, or mapping out protected internal record hierarchies.
Threat Scenarios
An employee clicks an external link while viewing a sensitive financial record, causing the browser to send the full Salesforce URL—including the unique Record ID—to the destination web server's logs. A threat actor monitoring those logs uses this metadata to identify your internal record structures and launch a targeted spear-phishing attack that specifically references the private record the user was just accessing.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
The primary risk impact is the unauthorized leakage of internal company identifiers and record-level metadata to external entities.
Higher Risk When
The risk of metadata leakage is significantly amplified when no warning or blocking External Redirection policy is in place, since users can then navigate directly to untrusted third-party sites without any alert that their session information is being shared.
Low or No Risk When
To minimize the risk of metadata leakage when global Referrer URL Protection is not fully enabled, organizations can implement Trusted URLs for Redirects to block or warn users before they navigate to untrusted external domains.
Business and Integration Considerations
Implementing strict Referrer URL Protection can disrupt external analytics, marketing trackers, or legacy third-party integrations that rely on parsing the full Salesforce URL path to identify specific records or maintain context during cross-domain navigation.
Recommended Remediation
Enable the Referrer-Policy HTTP header and set the HTTP Referrer Policy to "strict-origin-when-cross-origin".
Security Health Review Guidance
Security Health Review inspects Session Settings to confirm that the Referrer Policy is configured as Strict-Origin-When-Cross-Origin, in line with industry best practice.