Enable HSTS Preloading on a Custom Domain
As a security best practice, enable and submit your custom domain for HTTP Strict Transport Security (HSTS) preloading. Connections can be vulnerable when HTTP requests are redirected to HTTPS. An example is a user attempting to access your custom domain using the HTTP protocol. By adding your registrable domain to the third-party HSTS preload list, supported browsers always use HTTPS, protecting your users from attacks during those HTTP redirections.
Required Editions

| Required Editions | |
|---|---|
| Available in: | both Salesforce Classic and Lightning Experience |
| Available in: | Enterprise, Performance, and Unlimited Editions |
| Applies to: | Salesforce Sites and LWR, Aura, and Visualforce sites |

| User Permissions Needed | |
|---|---|
| To view a domain: | Manage Custom Domains OR View Setup and Configuration |
| To edit a domain: | Manage Custom Domains |
The Strict-Transport-Security HTTP header instructs browsers to always use HTTPS, a secure connection, to access the domain. However, the first time a user accesses a domain, the browser hasn't yet received that instruction, so the initial HTTP-only connection can be vulnerable.

HSTS preloading helps to mitigate this issue. If your domain is on the preload list, browsers that use the list always treat that domain as requiring a secure connection, even on the first visit. For a list of the browsers that support HSTS preloading, see https://hstspreload.org. To add your domain to the list, you enable the Strict-Transport-Security HTTP header on the registrable domain. Then you add that domain to the third-party HSTS preload list.
Only registrable domains qualify: example.com and example.co.uk are eligible for HSTS preloading, but www.example.com, www.example.co.uk, and sub.example.com aren’t eligible.

To enable HSTS on a custom domain that serves your site content, complete these steps.
- Enable HSTS preloading on the Strict-Transport-Security HTTP header for your custom domain’s registrable domain.
  - If your domain in Salesforce is a registrable domain such as https://example.com, select Allow HSTS preloading registration on the domain. To access this setting, edit your domain from the Domains Setup page. When that setting is enabled, Salesforce includes the preload directive in the HSTS header for your custom domain.
  - If your domain in Salesforce includes a subdomain, complete the prerequisites for the related registrable domain. Examples of domains with a subdomain include https://www.example.com, https://shop.example.com, and https://shop.example.co.uk. In all three examples, the registrable domain is example.com. You can find the prerequisites on https://hstspreload.org. To determine any steps required to qualify for HSTS preloading, use the form on that website. Salesforce can’t complete those prerequisites for you. If your custom domain is a registrable domain and the Allow HSTS preloading registration option is enabled on your domain, Salesforce adds the required HTTP header. Otherwise, Salesforce can’t complete the prerequisites for your domain.
- To add your domain to the HSTS preload list, go to https://hstspreload.org, verify your domain’s eligibility, and then submit your domain. When your registrable domain is on the HSTS preload list, browsers that check that list always use HTTPS to access your domain and its subdomains.
Note A third party defines and manages the HSTS preload list and its prerequisites. Salesforce can’t add your domain to the list for you.
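As an added example (not Salesforce code), this Python script checks a Strict-Transport-Security header value against the hstspreload.org submission rules for the header (max-age of at least one year, includeSubDomains, and preload) and tests whether a host is a registrable domain as the steps above require. The PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List, and the sample headers are constructed, so it runs offline.

```python
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31_536_000  # preload list requires max-age of at least one year
# Constructed, tiny stand-in for the Public Suffix List, for this demo only.
PUBLIC_SUFFIXES = {"com", "co.uk"}


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse HSTS directives; names are case-insensitive, unknown ones ignored."""
    max_age, include_subdomains, preload = None, False, False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_problems(header: str) -> List[str]:
    """Reasons the header would fail the preload list's header checks."""
    p = parse_hsts(header)
    problems = []
    if p.max_age is None:
        problems.append("missing max-age directive")
    elif p.max_age < ONE_YEAR:
        problems.append(f"max-age {p.max_age} is below one year ({ONE_YEAR})")
    if not p.include_subdomains:
        problems.append("missing includeSubDomains directive")
    if not p.preload:
        problems.append("missing preload directive")
    return problems


def is_registrable_domain(host: str) -> bool:
    """True for example.com or example.co.uk; False for www.example.com."""
    labels = host.lower().rstrip(".").split(".")
    for n in (1, 2):  # try one- and two-label public suffixes
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return len(labels) == n + 1
    return False
```

The preload list also checks a valid certificate and an HTTP-to-HTTPS redirect on the same host, which this offline header check does not cover.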
MyDomainName.my.site.com in orgs
with enhanced domains and ExperienceCloudSitesSubdomain.force.com in orgs
without enhanced domains. The system-managed domain format for Salesforce Sites is
MyDomainName.my.salesforce-sites.com in orgs with
enhanced domains and SalesforceSitesSubdomain.force.com in orgs
without enhanced domains. No action is required to enable HSTS preloading on those
domains.
