
Configure File Upload and Download Security Settings

Knowledge Article Number 000193434
Description For security reasons, your organization may want to configure the way some file types are handled during upload and download. 
Resolution This feature is available in All Editions except
According to the documentation, this feature should require the "Customize Application" user permission; however, visibility of this section in Setup is actually controlled by the "Manage Users" permission instead. For more details, see the Known Issue titled: Access to the "File Upload and Download Security" setup section is controlled by the "Manage Users" profile permission.

To manage file upload and download settings:

1. Click Setup | Click Security Controls | File Upload and Download Security.

Note: The File Upload and Download Security page replaces another security settings page: HTML Documents and Attachments Settings.

2. Click Edit.

3. To prevent users from uploading files that may pose a security risk, select Don't allow HTML uploads as attachment or document records. This security setting, if enabled, blocks users from uploading files with these extensions: .html, .htt, .mht, .svg, and .thtml.

Warning: Keep the following in mind when selecting Don't allow HTML uploads as attachment or document records:

• Do not enable this setting if your organization uses the partner portal to give your partner users access to Salesforce.
• HTML attachments are not permitted on solutions, regardless of whether this security setting is enabled. In addition, this setting does not affect attachments on email templates; HTML attachments on email templates are always permitted.
• After this setting is enabled, previously-uploaded HTML documents and attachments are unaffected. However, when users attempt to view an HTML attachment or document, their browser first prompts them to open the file in the browser, save it to their computer, or cancel the action.

4. Set download behavior for each file type.

• Download (recommended)—The file, regardless of file type, is always downloaded.
• Execute in Browser—The file is displayed and executed automatically when accessed in a browser or through an HTTP request.
• Hybrid—Attachments and document records execute in the browser. Salesforce CRM Content files and Chatter files are downloaded.

File types are defined by MIME types. This table specifies the file extensions associated with each MIME type:

File Type (MIME Type)    Associated File Extensions
.doc                     .doc, .dot
.exe                     .exe, .wrf
.mpeg                    .mpeg, .mpg
.ppt                     .ppt, .pps, .pot
.thtml                   .acgi, .htm, .htx, .shtm, .shtml, .thtml
.xls                     .xls, .xlt

5. Click Save.

The following file types are now downloaded by default:

File Type (MIME Type)    Associated File Extensions
.exe                     .exe, .wrf
.mht                     .mht, .mhtm, .mhtml
.thtml                   .acgi, .htm, .htx, .shtm, .shtml, .thtml

Administrators can Configure File Upload and Download Security Settings to change the default behavior.
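
Because enabling the upload block leaves previously uploaded HTML files in place, an administrator may want to inventory existing files against the extension lists above and see which ones would still execute in the browser. The following is an added example, not Salesforce code: it assumes a CSV export with hypothetical `name` and `kind` columns, a settings mapping copied by hand from the setup page, and case-insensitive matching on the final extension.

```python
import csv
import io
from pathlib import PurePosixPath

# Extensions the article says the upload-blocking setting rejects.
BLOCKED_UPLOAD_EXTS = {".html", ".htt", ".mht", ".svg", ".thtml"}

# File type -> associated extensions, copied from the article's two tables.
TYPE_GROUPS = {
    ".doc": {".doc", ".dot"},
    ".exe": {".exe", ".wrf"},
    ".mht": {".mht", ".mhtm", ".mhtml"},
    ".mpeg": {".mpeg", ".mpg"},
    ".ppt": {".ppt", ".pps", ".pot"},
    ".thtml": {".acgi", ".htm", ".htx", ".shtm", ".shtml", ".thtml"},
    ".xls": {".xls", ".xlt"},
}
EXT_TO_TYPE = {ext: ftype for ftype, exts in TYPE_GROUPS.items() for ext in exts}

def effective_behavior(setting, kind):
    """Resolve Hybrid: attachments/documents execute, Content/Chatter download."""
    if setting == "hybrid":
        return "execute" if kind in ("attachment", "document") else "download"
    return setting  # "download" or "execute"

def audit(rows, settings):
    """Return (name, file_type, behavior, html_like) for files worth reviewing."""
    findings = []
    for row in rows:
        # Assumption of this example: final extension, compared case-insensitively.
        ext = PurePosixPath(row["name"].strip().lower()).suffix
        ftype = EXT_TO_TYPE.get(ext)
        # behavior stays None when the type is not in the supplied settings.
        behavior = effective_behavior(settings[ftype], row["kind"]) if ftype in settings else None
        html_like = ext in BLOCKED_UPLOAD_EXTS  # would be rejected if uploaded today
        if html_like or behavior == "execute":
            findings.append((row["name"], ftype, behavior, html_like))
    return findings

# Constructed sample export and settings; "kind" labels are hypothetical.
SAMPLE_EXPORT = """name,kind
Q3-forecast.xls,attachment
partner-landing.HTML,document
logo.svg,attachment
installer.exe,chatter
newsletter.mhtml,content
notes.txt,attachment
report.shtml,document
"""
SAMPLE_SETTINGS = {".xls": "execute", ".exe": "hybrid", ".mht": "download", ".thtml": "hybrid"}

def run_sample():
    return audit(csv.DictReader(io.StringIO(SAMPLE_EXPORT)), SAMPLE_SETTINGS)
```

Files flagged with `html_like` set are the pre-existing uploads the warning in step 3 describes; files with behavior `execute` are candidates for switching their type to Download.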
