Salesforce Sites Security
Review how the Sites and Domains settings related to secure connections affect what your users see when accessing your org.
| Required Editions |
| --- |
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: Developer, Enterprise, Performance, and Unlimited Editions |
All authenticated access requires HTTPS. Users logging into a site with a non-secure (HTTP) site URL are redirected to a secure (HTTPS) URL. To set restrictions based on IP or login hours, HTTPS is required.
Salesforce requires HTTPS connections to all sites and automatically upgrades HTTP requests. If you’re using a custom domain to serve a site, to ensure connectivity, we recommend that you select one of the options to serve your domain over HTTPS. Select the Use a temporary non-HTTPS domain option only if you’re configuring your domain before it can be secured with HTTPS, for example while you configure DNS or add a subdomain whose CNAME points to another service.
These behaviors and sharing settings affect users accessing sites.
- We recommend setting the default external access to Private for the objects on which you grant “Read” access for your site on the Sharing Settings Setup page. This ensures that users accessing your site can view and edit only the data related to your site.
- We also recommend securing the visibility of all list views. Set the visibility of your list views to Visible to certain groups of users, and specify the groups to share to. List views whose visibility is set to Visible to all users may be visible to public users of your site. To share a list view with public users, create a new public group for those users and give them visibility. If the object's sharing is set to private, public users won't be able to see those records, regardless of list view visibility.
- For custom domains with Use a temporary non-HTTPS domain selected as the HTTPS option, users who connect using HTTP instead of HTTPS can experience a connection timeout.
- If a user opens a custom domain with Use a temporary non-HTTPS domain selected as the HTTPS option, we attempt to redirect the user to the site's preferred HTTPS custom domain. If the site doesn’t have a preferred HTTPS custom domain, the user is redirected to the org's my.salesforce-sites.com domain. In sandboxes and Developer Edition orgs, the org's my.salesforce-sites.com domain is always used. For example, suppose you registered www.example.com as an HTTP-only custom domain. When the URL is upgraded to HTTPS and no HTTPS-capable custom domains are linked to the site, the URL changes to https://MyDomainName.my.salesforce-sites.com. For more information, see Managing Salesforce Sites Login and Registration Settings.
- Authenticated and non-authenticated users may see different error messages for certain conditions—for example, on Apex exceptions.
- Cache settings on static resources are set to private when accessed via a Salesforce Site whose guest user's profile has restrictions based on IP range or login hours. Sites with guest user profile restrictions cache static resources only within the browser. Also, if a previously unrestricted site becomes restricted, it can take up to 45 days for the static resources to expire from the Salesforce cache and any intermediate caches.
- Guest users aren’t owners of records they create in Salesforce Sites. Instead, when a guest user creates a record in a Salesforce Site, the record’s ownership is assigned to the site’s default record owner.
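The following script is an added example, not part of this Salesforce page, showing how an admin can verify from observed responses that a site's HTTP-to-HTTPS upgrade lands on an expected host (the preferred HTTPS custom domain or the org's my.salesforce-sites.com domain) and that static resources on a site with a restricted guest profile are cached privately. The redirect chains, hostnames and headers are constructed sample data.

```python
from urllib.parse import urlparse

# Constructed sample: hops recorded as (requested_url, status, Location header).
# www.example.com is the temporary non-HTTPS custom domain from the text;
# mydomainname.my.salesforce-sites.com stands in for the org's site domain.
SAMPLE_CHAIN = [
    ("http://www.example.com/", 301, "https://www.example.com/"),
    ("https://www.example.com/", 200, None),
]
SAMPLE_CHAIN_FALLBACK = [  # no HTTPS-capable custom domain linked to the site
    ("http://www.example.com/", 301, "https://mydomainname.my.salesforce-sites.com/"),
    ("https://mydomainname.my.salesforce-sites.com/", 200, None),
]
ALLOWED_HOSTS = {"www.example.com", "mydomainname.my.salesforce-sites.com"}


def final_url(chain):
    """Follow the recorded hops and return the URL that was finally served."""
    url = chain[0][0]
    for hop_url, status, location in chain:
        # A redirect hands the client on to Location; anything else is the end.
        url = location if status in (301, 302, 307, 308) and location else hop_url
    return url


def check_site_https(chain, allowed_hosts):
    """Return (ok, detail): the final URL must be HTTPS on an expected host."""
    url = final_url(chain)
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, f"final URL is not HTTPS: {url}"
    if parts.hostname not in allowed_hosts:
        return False, f"unexpected host: {parts.hostname}"
    return True, url


def check_static_cache(headers, guest_profile_restricted):
    """Static resources on a site whose guest user profile restricts IP range
    or login hours should be cacheable only in the browser (Cache-Control:
    private). Unrestricted sites may legitimately use shared caching."""
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    if guest_profile_restricted and "private" not in directives:
        return False
    return True
```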