          Web App Settings: Verify Request Signatures - Select Control

          Control Name

          Connected Apps: Web App Settings: Verify request signatures - Select

          Recommended Configuration

          Web App Settings: Verify request signatures - Select.

          Control Overview

          This security setting requires the platform to validate the digital signature of every incoming SAML or OAuth request against a trusted public certificate, so that only requests from an authentic sender are accepted.

          Security Risk If Not Configured

          Failure to verify request signatures for connected web apps leads to a risk of data tampering and unauthorized system changes through unvalidated requests that have been intercepted or modified in transit.

          Threat Scenarios

          An attacker intercepts an unencrypted authentication request and modifies the user identifier or permission claims to gain elevated access before the request reaches the Salesforce service provider endpoint.
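The check this control enforces, as an added illustration that is not Salesforce code: the sender signs the request claims under a key whose certificate the service provider trusts, and any edit to those claims in transit (here the role value) makes verification fail. The self-signed certificate, the RSA key and the JSON claim layout are constructed fixtures, not values from this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
)

// SignedRequest is a constructed stand-in for a signed request: Claims is the exact byte string the signature covers.
type SignedRequest struct{ Claims, Signature []byte }

// NewTrustedCert builds the sender's RSA key and a self-signed certificate that
// stands in for the app's verification certificate (fixture; errors ignored).
func NewTrustedCert() (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SignRequest is the sender side: RSA PKCS#1 v1.5 over SHA-256 of the claims.
func SignRequest(key *rsa.PrivateKey, claims []byte) (SignedRequest, error) {
	d := sha256.Sum256(claims)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return SignedRequest{Claims: claims, Signature: sig}, err
}

// VerifyRequest is the service-provider side: the claims are accepted only if
// the signature verifies under the trusted certificate's public key.
func VerifyRequest(trusted *x509.Certificate, req SignedRequest) error {
	pub, ok := trusted.PublicKey.(*rsa.PublicKey)
	if !ok {
		return x509.ErrUnsupportedAlgorithm
	}
	d := sha256.Sum256(req.Claims)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], req.Signature)
}

func main() {
	cert, key := NewTrustedCert()
	req, _ := SignRequest(key, []byte(`{"sub":"alice","role":"user"}`))
	fmt.Println("genuine:", VerifyRequest(cert, req)) // <nil>
	req.Claims = []byte(`{"sub":"alice","role":"admin"}`) // edited in transit
	fmt.Println("tampered:", VerifyRequest(cert, req)) // crypto/rsa: verification error
}
```

Without the verification step a service provider would act on the edited role claim; with it, the request is rejected before any authorization decision is made.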

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Failure to enforce signature verification facilitates the execution of unauthorized administrative actions and the potential exfiltration of sensitive records through manipulated integration parameters.

          Higher Risk When

          The connected application processes high-value financial transactions, or the organization permits insecure HTTP channels for transmitting authentication metadata.

          Low Risk When

          The organization uses a certificate authority to issue short-lived signing keys and enforces mutual transport layer security for all API-level communication.

          Business and Integration Considerations

          Implementing signature verification ensures the non-repudiation of all incoming requests, although it requires the external service provider to bear the computational overhead of signing every outbound payload.

          Recommended Remediation

          Go to the Web App Settings for the Connected App and select the checkbox to Verify Request Signatures while ensuring the correct verification certificate is active.

          Security Health Review Guidance

          Security Health Review identifies the verification of request signatures as a strongly recommended standard to protect against request-replay and message-alteration attacks within federated identity environments.
