Configure Clickjack Protection
Clickjacking is a type of attack that tricks users into clicking something, such as a button or link. The click sends an HTTP request that performs malicious actions that can lead to data intrusion, unauthorized emails, changed credentials, or similar results. To help protect against this kind of attack, most Salesforce pages can only be served in an inline frame by a page on the same domain. Learn which types of pages can be framed and how to configure the related clickjack settings.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions |
Clickjack Protection
Clickjacking uses a trusted domain or site to trick users into clicking a malicious link. With clickjacking, the trusted domain is served in an iframe, then a hidden or transparent UI control is served in the same location, for example, a transparent button placed on top of the Save button. The user thinks that they’re clicking the top-level iframe when they’re really clicking the hidden UI control.
To protect your users, Salesforce uses clickjack protection. For pages that Salesforce serves, clickjack protection is implemented through the Content Security Policy (CSP) frame-ancestors HTTP response header directive. An HTTP response header is part of the HTTP response passed from a server to a browser or client machine in response to an HTTP request. Within that header, a directive is a value that provides additional context or instructions. The CSP frame-ancestors HTTP response header directive tells the browser which sites are allowed to load the page in an iframe.
Salesforce applies the CSP frame-ancestors HTTP response header directive to the pages that Salesforce serves when that directive is supported. To expand clickjack protection to more users, you can include that directive in the rare cases when Salesforce can’t identify whether the requesting app or specialized browser supports the directive. For more information, see Apply Clickjack Protection to Less Common Browsers.
Three CSP frame-ancestors values apply in Salesforce. The page type determines whether that HTTP response header is present by default and which of these options are available within the header.
- 'none'—prevents loading this page in an iframe.
- 'self'—pages from the same origin as the protected page, including the same URL scheme and port number, can load this page in an iframe.
- A list of domains—the domains that can load this page in an iframe. The list can include wildcards, for example, *.force.com. Usually, this option is combined with the 'self' value.
The frame-ancestors header directive replaces the obsolete X-Frame-Options header. For more information, see X-Frame-Options on the Mozilla Developer Network.
CSP Header Size
Some infrastructure limits the maximum size of HTTP headers. If you allow multiple domains to frame content served by your org, keep the size of the CSP header under 12 KB. Salesforce customers report issues when the header size approaches 16 KB, and third parties often add to the header during processing.
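The following is an added example, not Salesforce code: it parses a Content-Security-Policy value, applies the three frame-ancestors cases described above ('none', 'self', and a domain list with *.wildcards) to decide whether a given embedding origin may frame a page, and reports the byte size of a directive built from a trusted-domain list so it can be compared against the 12 KB guidance. The sample header values and origins are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample header values shaped like the cases the text describes (not captured from a real org).
SAMPLE_CSP = {
    "login": "frame-ancestors 'none'",
    "lightning": "frame-ancestors 'self'",
    "visualforce": "default-src 'self'; frame-ancestors 'self' https://*.force.com https://partner.example.com",
}

def parse_frame_ancestors(csp):
    """Return the frame-ancestors source tokens, or None when the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def _origin(url, default_scheme="https"):
    """Normalise a URL or host-source into (scheme, host, port), filling in default ports."""
    u = urlsplit(url if "://" in url else f"{default_scheme}://{url}")
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def may_frame(csp, page_url, framer_url):
    """True if framer_url may load page_url in an iframe; no directive means framing is unrestricted."""
    sources = parse_frame_ancestors(csp)
    if sources is None:
        return True
    page, framer = _origin(page_url), _origin(framer_url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if framer == page:
                return True
            continue
        scheme, host, port = _origin(src, default_scheme=page[0])
        # A leading "*." matches any subdomain but not the bare domain itself.
        host_ok = framer[1].endswith(host[1:]) if host.startswith("*.") else host == framer[1]
        if scheme == framer[0] and port == framer[2] and host_ok:
            return True
    return False

def build_frame_ancestors(domains, include_self=True):
    """Assemble the directive for a trusted-domain list and return it with its size in bytes."""
    sources = (["'self'"] if include_self else []) + list(domains)
    value = "frame-ancestors " + " ".join(sources)
    return value, len(value.encode("utf-8"))
```

Run build_frame_ancestors over your full allow list before configuring it; the returned byte count is the part of the header that grows with every trusted domain.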
Salesforce Login Pages
External sites can’t frame Salesforce login pages, including generic login pages, such as https://login.salesforce.com. Also, external sites can’t frame your org’s My Domain login page, such as https://mycompany.my.salesforce.com. For these pages, the CSP frame-ancestors HTTP response header is set to 'none', and you can’t change the HTTP response header.
Lightning Pages
Lightning pages delivered by Salesforce as part of the Platform can frame Lightning pages within the same org. The URLs for these pages contain lightning.force.com and a unique identifier in the form of a 16-digit number. For these pages, the CSP frame-ancestors HTTP response header is set to 'self', and you can’t change the HTTP response header directive.
For details on clickjack protection options for your Experience Cloud site’s Lightning page, see the section of this topic on Experience Cloud sites.
Salesforce Classic Pages
External sites can’t frame pages built in Salesforce Classic and delivered by Salesforce. Examples of Salesforce Classic Pages include Setup pages and the pages for Salesforce objects, such as the Account detail page. Although users can view these pages in Lightning mode, the pages were built using Salesforce Classic.
Two Session Settings prohibit framing of Classic pages delivered by Salesforce: Enable clickjack protection for Setup pages and Enable clickjack protection for non-Setup Salesforce pages. These settings are enabled by default and can’t be disabled. To disable these settings, contact Salesforce Customer Support.
Visualforce Pages
By default, Visualforce pages can be loaded in an iframe. For Visualforce pages with headers, the CSP frame-ancestors HTTP response header directive is absent.
To prevent external websites from loading your Visualforce pages in an iframe, define the external domains that you trust to frame your Visualforce pages, and then enable two session settings. For more information, see Enable Clickjack Protection for Visualforce Pages and Specify Trusted Domains for Inline Frames in Salesforce Help.
Because browsers block third-party cookies, framing an authenticated Visualforce page requires additional steps. See Put Visualforce Pages on External Domains in the Visualforce Developer Guide.
Experience Cloud Sites
By default, Experience Cloud site pages can frame other site pages with the same domain and protocol security. The CSP frame-ancestors HTTP response header directive for these pages is set to 'self'.
You can allow trusted external domains to frame your site pages through page-level settings. For Experience Builder site pages, clickjack settings are in the Security & Privacy settings. For Salesforce Tabs and Visualforce Sites, clickjack settings are in the page administration for Force.com sites in Experience Workspaces.
For more information, see Enable Clickjack Protection in Experience Cloud Sites in Salesforce Help.
Salesforce Sites and Force.com Sites
By default, a page within Salesforce Sites and Force.com Sites can frame other site pages with the same domain and protocol security. The CSP frame-ancestors HTTP response header directive for these pages is set to 'self'.
You can allow trusted external domains to frame your site pages through page-level site configuration settings. To set the clickjack protection level and trusted domains for each page, edit the configuration in Site.com Studio. For more information, see Enable Clickjack Protection in Site.com in Salesforce Help.
Surveys
By default, Surveys can be framed by pages with the same domain and protocol security. The CSP frame-ancestors HTTP response header directive is set to 'self'.
Optionally, you can define the external domains that you trust to frame the surveys for your org. For more information, see Specify Trusted Domains for Inline Frames in Salesforce Help.
Disclosure and Compliance Hub Connector
By default, Disclosure and Compliance Hub Connector can be framed by pages with the same domain and protocol security. The CSP frame-ancestors HTTP response header directive is set to 'self'.
Optionally, you can define the external domains that you trust to frame the Disclosure and Compliance Hub Connector for your org. For more information, see Specify Trusted Domains for Inline Frames in Salesforce Help.