          Enable Clickjack Protection in Experience Cloud Sites

          Clickjacking is a type of attack that tricks users into clicking something, such as a button or link, because they perceive it to be safe. By loading your Experience Cloud site pages in a hidden iframe layered over a page that the attacker controls, an attacker can entice users to click an element that appears to belong to the visible page. Instead of the visible element handling the click, the click is hijacked: an element in the invisible site frame on top receives it, so the user acts on your site, with their own session, without knowing it. Clickjacking can lead to data exposure, unauthorized emails, changed credentials, or other malicious site-specific results. With clickjack protection, you secure your site by controlling whether browsers may render your pages inside frames on other pages; the browser enforces that decision from the response headers it receives (X-Frame-Options and, in current browsers, the Content-Security-Policy frame-ancestors directive).

          Note: To configure clickjack protection for Site.com sites, see Enable Clickjack Protection in Site.com.

          You can set clickjack protection for your Experience Cloud site pages to one of these levels.

          • Allow framing by any page (no protection): The least secure level. All external domains can frame your site pages.
          • Allow framing of site pages on external domains (good protection): Only trusted external domains can frame your site pages. You specify the domains that you trust in the Trusted Domains for Inline Frames list.
          • Allow framing by the same origin only (recommended): The default level for Experience Cloud sites. Only pages served from the same origin (the same scheme and domain name) can frame your site pages.
          • Don’t allow framing by any page (most protection): The most secure level. However, for Salesforce Tabs + Visualforce sites and for Experience Builder sites, this option prevents pages in the Administration section of Experience Workspaces from opening. To avoid this issue, select a different clickjack protection level.
          Tip: The location for enabling clickjack protection differs between Experience Builder sites and Salesforce Tabs + Visualforce sites. If your site mixes Experience Builder and Visualforce pages, enable clickjack protection in both locations.
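          Once a level is saved, the quickest check is to look at what the site actually returns. The following is an added example (not code from this article or from Salesforce) that infers which of the four levels a response is enforcing from its framing headers. It assumes that the level surfaces as an X-Frame-Options header and/or a Content-Security-Policy frame-ancestors directive, which is how browsers enforce framing policy; the sample header sets are constructed, and giving CSP priority over X-Frame-Options follows the CSP specification, which tells browsers to ignore X-Frame-Options when frame-ancestors is present.

```javascript
// Added example, not Salesforce code: classify a response's clickjack
// protection level from its framing headers.
// Assumption (not stated on the page): the configured level is delivered
// as X-Frame-Options and/or a Content-Security-Policy frame-ancestors
// directive. All header values below are constructed sample data.

const LEVELS = {
  ANY: 'Allow framing by any page (no protection)',
  TRUSTED: 'Allow framing of site pages on external domains (good protection)',
  SAME_ORIGIN: 'Allow framing by the same origin only (recommended)',
  NONE: "Don't allow framing by any page (most protection)",
};

// Return the frame-ancestors source list from a CSP header value,
// quotes stripped and lower-cased, or null if the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// `headers` is a plain object keyed by lower-cased header name.
// When frame-ancestors is present it wins; X-Frame-Options is only
// consulted for responses that carry no CSP framing directive.
function classify(headers) {
  const ancestors = frameAncestors(headers['content-security-policy']);
  if (ancestors) {
    // An empty list, or 'none', means nothing may frame the page.
    if (ancestors.length === 0 || (ancestors.length === 1 && ancestors[0] === 'none')) return 'NONE';
    if (ancestors.includes('*')) return 'ANY';
    if (ancestors.every((a) => a === 'self')) return 'SAME_ORIGIN';
    return 'TRUSTED';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'NONE';
  if (xfo === 'SAMEORIGIN') return 'SAME_ORIGIN';
  if (xfo.startsWith('ALLOW-FROM ')) return 'TRUSTED';
  return 'ANY'; // no header, the non-standard ALLOWALL, or an unrecognised value
}

// Constructed sample responses, one per level plus a legacy-only case.
const SAMPLES = {
  hardened: { 'content-security-policy': "frame-ancestors 'none'", 'x-frame-options': 'DENY' },
  defaultLevel: { 'content-security-policy': "frame-ancestors 'self'", 'x-frame-options': 'SAMEORIGIN' },
  partner: {
    'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://example.com",
    'x-frame-options': 'ALLOW-FROM https://example.com',
  },
  open: { 'x-frame-options': 'ALLOWALL' },
  legacyOnly: { 'x-frame-options': 'SAMEORIGIN' },
};

// Classify every sample and return a name -> level map.
function report(samples = SAMPLES) {
  const out = {};
  for (const [name, h] of Object.entries(samples)) out[name] = classify(h);
  return out;
}

for (const [name, level] of Object.entries(report())) {
  console.log(`${name}: ${LEVELS[level]}`);
}
```

          To check a live site, copy the response headers of a site page (header names lower-cased) into classify. If the result isn't the level you selected, check that you enabled protection in both locations for a mixed site, and remember that a missing header or ALLOWALL means no protection at all.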

          Enable Clickjack Protection for Experience Builder Sites

          1. In Experience Builder, select Settings | Security & Privacy.
          2. Under Clickjack Protection Level, select a clickjack protection level.
          3. If you chose to allow framing of site pages on external domains, specify the domains that you trust to frame your site. For each trusted domain, take these steps.
            1. In the Trusted Domains for Inline Framing section, click Add Trusted Domain.
            2. Enter the domain that can frame your site pages.

              You can add up to 100 trusted domains for each Experience Builder site.

              Tip: Added domains take effect only when Allow framing of site pages on external domains (good protection) is selected.

          Enable Clickjack Protection for Salesforce Tabs + Visualforce Sites

          1. To access the Site Details page, use one of these methods.
            • In Experience Workspaces, select Administration | Pages | Go to Force.com
            • From Salesforce Setup, enter Sites and Domains in the Quick Find box, select Sites, and select the site from the Sites list.
          2. Click Edit on the Site Details page.
          3. Select your preferred level of clickjack protection and save your changes.
          4. If you chose to allow framing of your site pages on external domains, specify the domains that you trust to frame your pages. For each domain, take these steps.
            1. In the Trusted Domains for Inline Framing section, click Add Domain.
            2. Enter the domain that can frame your site pages.

              You can add up to 512 trusted domains for each Salesforce Tabs + Visualforce site.

              Tip: Added domains take effect only when Allow framing of site pages on external domains (good protection) is selected.
          Note: Internet Explorer supports clickjack protection through the legacy X-Frame-Options HTTP header only. That header accepts the values SAMEORIGIN, DENY, the non-standard ALLOWALL, and ALLOW-FROM uri. ALLOW-FROM accepts only a single URI, so the header can't express a list of trusted domains.

          To support a list of trusted domains for IE users, the framing site must identify itself to your site by passing its own domain in a query parameter on the iframe URL. For example, if you add https://example.com as a trusted external domain, the page on https://example.com must build its iframe as follows:

          <iframe src="https://MyDomainName.my.site.com?_iframeDomain=https://example.com"></iframe>

          You can also set the trusted external domain in the iframeDomain cookie. This method keeps framing working when the _iframeDomain query parameter isn't carried over as the user navigates between pages in IE.

          // Runs in the Visualforce controller of the framed page, for example in its constructor.
          // The cookie value must be one of the domains in your trusted domains list.
          Cookie iframeDomainCookie = ApexPages.currentPage().getCookies().get('iframeDomain');
          
          if (iframeDomainCookie == null) {
              // Apex Cookie(name, value, path, maxAge, isSecure): a null path uses the current path,
              // maxAge -1 makes it a session cookie, isSecure true sends it over HTTPS only
              iframeDomainCookie = new Cookie('iframeDomain', 'www.example.com', null, -1, true);
          
              // Set the new cookie for the page
              ApexPages.currentPage().setCookies(new Cookie[]{ iframeDomainCookie });
          }
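          The two halves of the IE fallback described above, modelled end to end as an added example (not Salesforce's code or the article's): the framing page composes the iframe URL carrying its own origin in _iframeDomain, and the framed site picks the single ALLOW-FROM URI, reading the query parameter first and the iframeDomain cookie as the fallback. The domain names, the trusted list and the Cookie header are constructed sample data, and the server-side selection is an illustration of the behaviour the note describes, not Salesforce's implementation; the point it makes is that the claimed framer is only honoured when it is already in the trusted list, and is compared as a normalised origin so that paths, ports and look-alike suffixes don't sneak through.

```javascript
// Added example, not Salesforce code: the X-Frame-Options ALLOW-FROM
// fallback for Internet Explorer, modelled on both sides.
// Constructed sample data: the trusted list and every domain below.
const TRUSTED_DOMAINS = ['https://example.com', 'www.example.com'];

// Framing page: build the <iframe src> for a site page, adding the
// framer's own origin as the _iframeDomain query parameter.
function framedSrc(siteBase, framerOrigin, path = '/') {
  const url = new URL(path, siteBase);
  url.searchParams.set('_iframeDomain', framerOrigin);
  return url.toString();
}

// Reduce a claimed framer to scheme + host (+ non-default port) so
// 'https://example.com/' and 'https://example.com' compare equal, bare
// hosts such as 'www.example.com' are assumed to be https, and anything
// malformed or on a non-web scheme is rejected.
function normaliseOrigin(value) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value) ? value : `https://${value}`;
  try {
    const u = new URL(withScheme);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch (e) {
    return null;
  }
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx <= 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Framed site: decide the X-Frame-Options value to send IE for this request.
// Returns 'ALLOW-FROM <origin>' when the claimed framer is trusted, or null
// when nothing was claimed or the claim is not in the trusted list (the
// caller then falls back to the configured default header).
function allowFromFor(requestUrl, cookieHeader, trusted = TRUSTED_DOMAINS) {
  const u = new URL(requestUrl);
  const claimed = u.searchParams.get('_iframeDomain') || parseCookies(cookieHeader).iframeDomain || null;
  if (!claimed) return null;
  const origin = normaliseOrigin(claimed);
  if (!origin) return null;
  const allowed = new Set(trusted.map(normaliseOrigin).filter(Boolean));
  return allowed.has(origin) ? `ALLOW-FROM ${origin}` : null;
}

// Walk through one exchange: the framer builds the URL, the site answers.
const src = framedSrc('https://MyDomainName.my.site.com', 'https://example.com', '/s/');
console.log('iframe src:', src);
console.log('header from query param:', allowFromFor(src, ''));
console.log('header from cookie:     ', allowFromFor('https://mydomainname.my.site.com/s/next', 'sid=abc123; iframeDomain=www.example.com'));
console.log('untrusted framer:       ', allowFromFor('https://mydomainname.my.site.com/?_iframeDomain=https://example.com.evil.example', ''));
```

          As modelled here, _iframeDomain and the cookie only select which of your already-trusted domains goes into the single ALLOW-FROM slot; a page that isn't in the trusted list gains nothing by naming itself, and a value with a path or a look-alike host such as example.com.evil.example is rejected because the comparison is on the normalised origin.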
          
          Salesforce Help | Article