          Secure Connections (HTTPS) Settings Control

          Control Name

          Secure Connections (HTTPS) Settings

          Recommended Configuration

          • Enable Force Relogin After Login-As-User
          • Enable Require HTTPOnly Attribute
          • Enforce login IP ranges on every request
          • Enable Use Post Request to send session information for cross-domain sessions

          Setup > Session Settings > Force Relogin After Login-As-User | Require HTTPOnly Attribute | Enforce login IP ranges on every request | Use POST requests for cross-domain sessions

          Control Overview

          This control strengthens session integrity in four ways. Login IP ranges are validated on every request rather than only at login, so a session that leaves the trusted range stops working. The session cookie carries the HTTPOnly attribute, so scripts running in the page cannot read it. Session information for cross-domain navigation is sent in a POST body rather than in the URL, so it does not land in browser history, Referer headers or proxy logs. And an administrator must log in again after a "Login-As" session ends instead of being returned to their own session, which keeps the impersonation accountable and prevents the admin session from resuming without re-authentication.
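The quickest way to confirm the HTTPOnly part of this control is to inspect the Set-Cookie headers a login response actually returns. The following checker is an added example, not Salesforce code: it parses raw Set-Cookie header values (the responses below are constructed, with placeholder token values) and reports any session cookie a page script could read via document.cookie (no HttpOnly) or that a browser could send over plain HTTP (no Secure). Treating `sid` as the session cookie is an assumption; extend SESSION_COOKIE_NAMES for any other cookie you consider session-bearing.

```python
"""Check the Set-Cookie headers of a login response for the attributes the
"Require HTTPOnly Attribute" control is meant to guarantee.

Added example, not Salesforce's own code. Parses raw Set-Cookie header
values and reports session cookies missing HttpOnly or Secure. Treating
`sid` as the session cookie is an assumption; the sample responses below
are constructed and their token values are placeholders.
"""

SESSION_COOKIE_NAMES = {"sid"}  # assumption: cookie names that carry a session token


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value.

    Returns a dict with the cookie name and value, boolean httponly/secure
    flags, and any other attributes (Path, Domain, Expires, ...) keyed by
    their lower-cased name.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "httponly": False, "secure": False, "attrs": {}}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            cookie["httponly"] = True
        elif key == "secure":
            cookie["secure"] = True
        elif key:
            cookie["attrs"][key] = val.strip()
    return cookie


def find_exposed_session_cookies(set_cookie_headers, session_names=SESSION_COOKIE_NAMES):
    """Return [(cookie_name, [missing attributes])] for every session cookie
    that lacks HttpOnly or Secure. An empty list means the response is clean."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in session_names:
            continue
        missing = [flag for flag in ("HttpOnly", "Secure") if not cookie[flag.lower()]]
        if missing:
            findings.append((cookie["name"], missing))
    return findings


# Constructed login responses; domain and token values are placeholders.
WEAK_LOGIN_RESPONSE = [
    "sid=EXAMPLE_SESSION_TOKEN; Path=/; Domain=.example.com; Secure",
    "BrowserId=EXAMPLE_BROWSER_ID; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure",
]
HARDENED_LOGIN_RESPONSE = [
    "sid=EXAMPLE_SESSION_TOKEN; Path=/; Domain=.example.com; Secure; HttpOnly",
    "BrowserId=EXAMPLE_BROWSER_ID; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_LOGIN_RESPONSE), ("hardened", HARDENED_LOGIN_RESPONSE)):
        findings = find_exposed_session_cookies(headers)
        print(f"{label}: {findings or 'all session cookies carry HttpOnly and Secure'}")
```

Run it against the headers captured from a real login (a browser's network panel or an intercepting proxy will show them); the weak sample reports the `sid` cookie as missing HttpOnly, which is exactly the condition the XSS threat scenario below depends on.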

          Security Risk If Not Configured

          Without these controls, any script that runs in the page, for example via Cross-Site Scripting (XSS), can read the session cookie; session IDs can appear in URLs during cross-domain navigation and leak through browser history, Referer headers and proxy logs; a session started from a trusted IP range stays valid after the user, or an attacker holding the token, moves to an untrusted network; and an administrator who finishes a "Login-As" session gets their own session back without re-authenticating. Each of these raises both the likelihood and the persistence of session hijacking.

          Threat Scenarios

          An attacker exploits a cross-site scripting (XSS) flaw to read a session cookie that lacks the HTTPOnly attribute, then replays it from an untrusted network; because IP ranges are checked only at login, every subsequent request is accepted. Separately, session IDs passed in URLs during cross-domain navigation end up in browser history, Referer headers and proxy logs, and an administrator's session, whether hijacked or simply left unattended, resumes unchallenged after a "Login-As" session ends.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Impact scales with the number of users, the profiles assigned to them, and the data and objects each profile can access.

          Higher Risk When

          Risk is higher when the org lacks a robust Content Security Policy (CSP): without it, any injected script runs freely and can read a session cookie that lacks the HTTPOnly attribute.

          Low or No Risk When

          These settings are not enabled, but compensating controls limit the exposure as part of a defense-in-depth strategy:

          • Mandatory Multi-Factor Authentication (MFA): A stolen session cookie already represents an MFA-completed session, so MFA does not stop replay of that session. It does stop an attacker from re-establishing access once the stolen session expires or is revoked, and step-up prompts apply wherever the org requires a high-assurance session for sensitive operations.
          • Stricter Session Timeouts: If you aren't forcing a relogin after a "Login-As" session, reducing the global session timeout (for example, to 15 or 30 minutes) limits the window in which an unattended or hijacked session remains valid.
          • Profile-Level Login IP Ranges: Without "enforce on every request", login IP ranges are checked only at login, but they still ensure that a session can only be established from a trusted network.
          • Robust Content Security Policy (CSP): A well-configured CSP prevents injected scripts from executing in the first place, which significantly reduces the danger of a session cookie without the HTTPOnly attribute.
          • Strict Input Sanitization and Output Encoding: Preventing Cross-Site Scripting (XSS) at the code level (LWC/Aura components) removes the primary method an attacker would use to steal session tokens that lack HTTPOnly protection.

          Business and Integration Considerations

          These controls materially improve session security, but each carries an operational cost. Force Relogin After Login-As-User adds a sign-in step for support staff and administrators every time they finish impersonating a user. Enforcing login IP ranges on every request invalidates the sessions of users whose IP address moves outside their profile's login IP ranges mid-session, which is common for mobile and VPN users, so the ranges must cover every legitimate network before it is switched on. Require HTTPOnly Attribute breaks any custom or packaged JavaScript that reads the session ID from document.cookie; locate and fix such code first.

          Recommended Remediation

          In Setup > Session Settings, enable Force Relogin After Login-As-User, Require HTTPOnly Attribute, Enforce login IP ranges on every request, and Use POST requests for cross-domain sessions. Before enabling per-request IP enforcement, confirm that every profile's login IP ranges cover the networks its users legitimately connect from; before requiring HTTPOnly, confirm that no custom code reads the session cookie from JavaScript.
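When these settings have to be verified across many orgs, or kept under version control, it is easier to audit the retrieved SecuritySettings metadata than to click through Setup. The script below is an added example, not Salesforce's tooling and not the Security Health Review implementation: it reads a Security.settings file and reports which of the four recommended controls is enabled, disabled, or absent. The element names it checks (forceRelogin, requireHttpOnly, enforceIpRangesEveryRequest, enablePostForSessions) are the SecuritySettings metadata fields as I recall them from the Metadata API; confirm them against a real retrieve before relying on this. The two XML samples are constructed.

```python
"""Audit a retrieved Salesforce Security.settings file for the four session
controls recommended on this page.

Added example, not Salesforce's own tooling. The element names in
REQUIRED_TRUE are the SecuritySettings metadata fields as I recall them
from the Metadata API (assumption; verify against a real retrieve). The
XML samples are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Metadata element -> the Setup label used on this page.
REQUIRED_TRUE = {
    "forceRelogin": "Force Relogin After Login-As-User",
    "requireHttpOnly": "Require HTTPOnly Attribute",
    "enforceIpRangesEveryRequest": "Enforce login IP ranges on every request",
    "enablePostForSessions": "Use POST requests for cross-domain sessions",
}


def audit_session_settings(xml_text):
    """Return {setup_label: state} for each control.

    state is "enabled", "disabled", or "missing" (element absent from the
    file). An absent element is reported on its own rather than assumed
    enabled, because a retrieve that omits it proves nothing either way.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    session = root.find("md:sessionSettings", NS)
    findings = {}
    for element, label in REQUIRED_TRUE.items():
        node = None if session is None else session.find(f"md:{element}", NS)
        if node is None or node.text is None:
            findings[label] = "missing"
        elif node.text.strip().lower() == "true":
            findings[label] = "enabled"
        else:
            findings[label] = "disabled"
    return findings


def not_enforced(findings):
    """Labels whose state is anything other than "enabled", in page order."""
    return [label for label, state in findings.items() if state != "enabled"]


# Constructed sample: two controls off, one element absent, one on.
WEAK_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <forceRelogin>false</forceRelogin>
        <requireHttpOnly>false</requireHttpOnly>
        <enforceIpRangesEveryRequest>true</enforceIpRangesEveryRequest>
    </sessionSettings>
</SecuritySettings>
"""

# Constructed sample: the same file with the recommended configuration applied.
HARDENED_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <forceRelogin>true</forceRelogin>
        <requireHttpOnly>true</requireHttpOnly>
        <enforceIpRangesEveryRequest>true</enforceIpRangesEveryRequest>
        <enablePostForSessions>true</enablePostForSessions>
    </sessionSettings>
</SecuritySettings>
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        findings = audit_session_settings(text)
        print(f"{name}: {len(not_enforced(findings))} control(s) not enforced")
        for label, state in findings.items():
            print(f"  {state:<8} {label}")
```

Point audit_session_settings at the Security.settings file produced by a metadata retrieve of the SecuritySettings type; a non-empty result from not_enforced is the list of Setup toggles still to flip, and "missing" entries are worth a manual look in Setup rather than being written off as disabled.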

          Security Health Review Guidance

          Security Health Review inspects whether the Secure connection settings are enforced in the org to secure the sessions.
