          Enable Clickjack Protection for Visualforce Pages


          To help protect against clickjack attacks, prevent external sites from loading your Visualforce pages in an inline frame (iframe). Optionally, you can allow trusted external sites to frame your Visualforce pages.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
          User Permissions Needed
          To modify session security settings: Customize Application
          1. Allowlist domains that currently frame your Visualforce pages.

            To preserve existing functionality, complete this step before you enable clickjack protection for Visualforce pages.

            Add each domain that you trust to the Trusted Domains for Inline Frames allowlist in Session Settings. If you use custom domains or managed packages, include those domains in the allowlist as well. For more information, see Specify Trusted Domains for Inline Frames in Salesforce Help.

          2. From Setup, in the Quick Find box, enter Session Settings, and then select Session Settings.

            The two settings under Clickjack Protection for Visualforce pages differ in whether they apply to pages with headers enabled or disabled. The showHeader attribute of apex:page indicates whether headers are enabled on a page.

          3. To allow other Visualforce pages to frame Visualforce pages with headers enabled, select Enable clickjack protection for customer Visualforce pages with standard headers.
          4. To allow other Visualforce pages to frame Visualforce pages with headers disabled, select Enable clickjack protection for customer Visualforce pages with headers disabled.
          5. Save your changes.
            When you save your session settings with at least one of the options enabled, the CSP frame-ancestors HTTP response header for the corresponding Visualforce pages is set to 'self', and any trusted domains for inline frames for Visualforce pages are included in the same HTTP response header.
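To confirm that a deployed page actually carries the header the steps above produce, here is an added check (not Salesforce's own code) that parses a Content-Security-Policy header value and reports whether its frame-ancestors directive is exactly 'self' plus the domains you placed on the Trusted Domains for Inline Frames allowlist. The sample header values and the https://portal.example.com domain are constructed for illustration.

```python
from typing import Dict, List, Optional


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_clickjack_protection(header_value: str, trusted_domains: List[str]) -> List[str]:
    """Return findings for a Visualforce response; an empty list means the
    frame-ancestors directive is exactly 'self' plus the trusted domains."""
    sources: Optional[List[str]] = parse_csp(header_value).get("frame-ancestors")
    if sources is None:
        # No directive at all: browsers will let any origin frame the page.
        return ["no frame-ancestors directive: any site may frame this page"]
    findings: List[str] = []
    lowered = [s.lower() for s in sources]
    if "'self'" not in lowered:
        findings.append("frame-ancestors does not include 'self'")
    expected = {"'self'", *(d.lower() for d in trusted_domains)}
    for src in lowered:
        if src not in expected:
            # Anything else (including '*') widens who may frame the page.
            findings.append(f"unexpected frame ancestor: {src}")
    for domain in trusted_domains:
        if domain.lower() not in lowered:
            findings.append(f"trusted domain missing from frame-ancestors: {domain}")
    return findings


# Constructed sample header values (assumed, not captured from a real org).
TRUSTED = ["https://portal.example.com"]
PROTECTED = "default-src 'self'; frame-ancestors 'self' https://portal.example.com"
UNPROTECTED = "default-src 'self'"

if __name__ == "__main__":
    print(check_clickjack_protection(PROTECTED, TRUSTED))    # []
    print(check_clickjack_protection(UNPROTECTED, TRUSTED))
```

Feed it the Content-Security-Policy value from a response for each Visualforce page you care about, once for pages with showHeader enabled and once for pages with it disabled, since the two settings are independent.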
          Salesforce Help | Article