          Security: Require Secret for Web Server Flow Control

This security setting requires the app's back-end server to present the app's client secret to Salesforce when it exchanges an authorization code for an access token. A token request carrying only the code, the public client ID and the redirect URI is rejected.

          Control Name

          External Client Apps: Security: Require secret for Web Server Flow

          Recommended Configuration

          Require secret for Web Server Flow.

          Control Overview

When this setting is enabled, Salesforce completes the web server (authorization code) flow only if the token request includes the client secret that was issued to the External Client App. Because the secret is held on the server side and never sent to the browser, the token exchange proves that the request comes from the app's own back end and not from whoever happens to hold the authorization code.

          Security Risk If Not Configured

Without a required secret, the web server flow relies solely on the authorization code: possession of the code, together with the public client ID and redirect URI, is enough to obtain tokens. Authorization codes leak through browser history, Referer headers sent to third-party resources loaded on the callback page, and proxy or web server access logs that record the callback URL. An unauthorized actor who obtains a code can redeem it for a session before the legitimate app does, or after the fact if the app never completes the exchange.

          Threat Scenarios

An attacker captures a valid authorization code from the query string of a user's redirect URI (for example, from a log line or a leaked Referer header) and submits it to the token endpoint with the app's public client ID and redirect URI. Because Salesforce does not require a second, server-side credential, the attacker successfully impersonates the application and receives an access token for the user's session.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

Permitting secret-less web server flows exposes the org to session hijacking and unauthorized data access at the scale of however many authorization codes leak, because the identity of the requesting application is never verified during the token exchange: Salesforce has no way to distinguish the app's back end from an attacker replaying a stolen code.

          Higher Risk When

If the application is hosted on a shared domain (where other tenants can observe or register paths that receive the callback) or uses an http:// rather than https:// redirect URI, so that the authorization code crosses the network in clear text. Either condition gives an attacker additional vectors for observing and stealing the code in transit.

          Low Risk When

If the application already enforces Proof Key for Code Exchange (PKCE) for every transaction, because PKCE binds each authorization code to a high-entropy code verifier that only the app's back end knows; a stolen code cannot be redeemed without it. Note that PKCE protects against code interception but does not authenticate the application itself, and it only helps if Salesforce is also configured to require PKCE, so that an attacker cannot initiate an authorization request that omits the code challenge.
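The threat scenario above and the PKCE mitigation are easiest to see side by side in code. The following is an added example, not code from this article or from Salesforce: `build_token_request` assembles the form body an app's back end would POST to the documented token endpoint (the parameter names `grant_type`, `code`, `client_id`, `client_secret`, `redirect_uri` and `code_verifier` are the real ones), while `SimulatedAuthServer` is a deliberately simplified stand-in for Salesforce's token endpoint written only to show the decision logic. The client ID, secret and redirect URI are constructed values; nothing here contacts Salesforce.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Real Salesforce token endpoint for the web server flow; shown for reference, never called here.
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method from RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_token_request(code, client_id, redirect_uri, client_secret=None, code_verifier=None):
    """Form body the app's back end POSTs to TOKEN_URL to redeem an authorization code."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret  # only the server side ever holds this
    if code_verifier is not None:
        body["code_verifier"] = code_verifier  # PKCE: proves the caller started this flow
    return body


@dataclass
class SimulatedAuthServer:
    """Hypothetical, simplified token endpoint (assumption: not Salesforce's real implementation)."""
    require_secret: bool
    clients: dict                                   # client_id -> (client_secret, redirect_uri)
    issued: dict = field(default_factory=dict)      # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge=None):
        """Issue a single-use authorization code, remembering any PKCE challenge bound to it."""
        code = secrets.token_urlsafe(24)
        self.issued[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, body):
        """Decide whether a token request is honoured; mirrors the checks the control adds."""
        record = self.issued.pop(body.get("code"), None)  # codes are single-use
        if record is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, challenge = record
        if body.get("client_id") != client_id or body.get("redirect_uri") != redirect_uri:
            return {"error": "invalid_grant"}
        if self.require_secret:
            expected = self.clients[client_id][0]
            if not hmac.compare_digest(body.get("client_secret", ""), expected):
                return {"error": "invalid_client"}  # the control in this article
        if challenge is not None:
            digest = hashlib.sha256(body.get("code_verifier", "").encode()).digest()
            derived = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
            if not hmac.compare_digest(derived, challenge):
                return {"error": "invalid_grant"}   # PKCE binding failed
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_scenarios():
    """Replay a leaked code under three configurations; returns the outcome of each attempt."""
    cid, secret, redir = "consumer-key-demo", "consumer-secret-demo", "https://app.example.com/callback"
    out = {}

    # 1. Secret not required: an attacker holding only a leaked code and public values gets a token.
    srv = SimulatedAuthServer(require_secret=False, clients={cid: (secret, redir)})
    leaked = srv.authorize(cid, redir)
    out["no_secret_stolen_code"] = "access_token" in srv.token(build_token_request(leaked, cid, redir))

    # 2. Secret required: the same replay is refused, while the app's own back end still succeeds.
    srv = SimulatedAuthServer(require_secret=True, clients={cid: (secret, redir)})
    leaked = srv.authorize(cid, redir)
    out["secret_required_stolen_code"] = srv.token(build_token_request(leaked, cid, redir)).get("error")
    legit = srv.authorize(cid, redir)
    out["secret_required_legit"] = "access_token" in srv.token(
        build_token_request(legit, cid, redir, client_secret=secret))

    # 3. PKCE on every request: even without a secret, a stolen code is useless without the verifier.
    srv = SimulatedAuthServer(require_secret=False, clients={cid: (secret, redir)})
    verifier, challenge = pkce_pair()
    leaked = srv.authorize(cid, redir, code_challenge=challenge)
    out["pkce_stolen_code"] = srv.token(build_token_request(leaked, cid, redir)).get("error")
    legit = srv.authorize(cid, redir, code_challenge=challenge)
    out["pkce_legit"] = "access_token" in srv.token(
        build_token_request(legit, cid, redir, code_verifier=verifier))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Scenario 1 is the risk this control closes; scenario 2 is the recommended configuration; scenario 3 shows why PKCE lowers the residual risk. The two mechanisms are complementary rather than interchangeable, so a production app should send both the secret and a verifier.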

          Business and Integration Considerations

Enabling this requirement keeps the secret on the back-end server, where it belongs, but it assumes an architecture that can store the secret securely (for example, in a secrets manager rather than in source control or client-side configuration) and send it to Salesforce only from server-side code. Apps that perform the token exchange in the browser cannot satisfy this requirement and should use a flow designed for public clients instead.

          Recommended Remediation

Open the External Client App's OAuth settings and select the option to require the client secret for the web server flow. Then confirm that every integration using the app performs its token exchange from a server-side component that supplies the secret, because requests that omit it will fail once the setting is enabled.

          Security Health Review Guidance

          Security Health Review identifies the mandatory use of a client secret for server-side flows as a fundamental defense-in-depth standard, so that sensitive authorization codes cannot be weaponized without a secondary, private credential.
