Prohibits framing of Classic pages delivered by Salesforce. For native pages, these settings are enabled by default and can only be disabled by contacting Salesforce Customer Support.
Step 1: Understand Clickjack Protection Settings
Salesforce offers clickjack protection settings that help safeguard your org against such attacks. These settings are specifically designed to protect against malicious attempts to overlay Salesforce pages within an iframe.
Step 2: Navigate to Session Settings
Go to Setup in Salesforce.
Enter Session Settings in the Quick Find box, then select Session Settings.
Step 3: Enable Clickjack Protection
In the Session Settings page, scroll down to find the Clickjack Protection section.
The section lists several clickjack protection options. Check the box next to Enable clickjack protection for Setup pages (recommended). This setting specifically protects the Setup pages, which hold sensitive configuration and administrative capabilities and are therefore a high-value target for an overlay attack.
Step 4: Save Your Changes
After checking the appropriate box, scroll to the bottom of the page and click Save. This action applies the clickjack protection settings to your Salesforce org's Setup pages.
Step 5: Test the Configuration
It's a good practice to test the configuration changes in a sandbox environment before applying them in production. Ensure that the functionality of your Salesforce org remains intact and that legitimate iframes you might be using are not adversely affected.
Step 6: Communicate with Your Team
Inform your team about the change, especially if you have custom Visualforce pages or integrations that might be impacted. Ensure developers are aware of the clickjack protection settings so they can adjust any custom development work accordingly.
Step 7: Monitor and Review
Regularly review your security settings, including clickjack protection, to ensure they remain aligned with your org's security needs and Salesforce best practices. Salesforce periodically updates its security features, so staying informed helps you maintain a secure org.
By following these steps, Salesforce Admins can enhance their org’s security posture by enabling clickjack protection for Setup pages, thereby safeguarding against malicious iframe overlays and ensuring that administrative functionalities are securely protected.
Prohibits framing of Classic pages delivered by Salesforce. These settings are enabled by default and can only be disabled by contacting Salesforce Customer Support.
Step 1: Understand Clickjack Attacks
First, understand what clickjacking entails: it's a technique where an attacker tricks a user into clicking on something different from what the user perceives, potentially revealing confidential information or allowing control to be taken over their computer. Salesforce setup pages contain sensitive configuration settings, making them prime targets.
Step 2: Review Salesforce's Clickjack Protection Settings
Salesforce provides clickjack protection settings that can be enabled for standard Salesforce pages, including Setup pages. Although enabling these settings is typically an admin task, as a developer, you should be aware of these settings and advocate for their use.
Step 3: Secure Custom Applications
For custom applications, especially those using Visualforce, implement your own clickjack protection where necessary. This usually means sending an X-Frame-Options header and a Content Security Policy (CSP) header with a frame-ancestors directive so that browsers refuse to render your pages inside a frame on another origin.
// Example of a simple CSP policy in an Apex controller for a Visualforce page.
// Apex string literals use single quotes only, so the inner 'self' is escaped.
// Run the method before the page renders, e.g. <apex:page controller="MyController" action="{!setHeaders}">.
public class MyController {
    public void setHeaders() {
        // Only pages from the same origin may embed this page in a frame.
        ApexPages.currentPage().getHeaders().put('Content-Security-Policy', 'frame-ancestors \'self\'');
    }
}
Step 4: Educate and Advocate for Best Practices
As a developer, part of your role is to advocate for and implement best practices in security. Educate your team on the importance of clickjack protection and ensure that any custom development work you do does not inadvertently lower the org's security posture.
Step 5: Regular Security Reviews
Regularly review custom applications for vulnerabilities, including susceptibility to clickjacking. Use tools like Salesforce's Security Health Check and external security scanning tools to identify potential weaknesses.
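The testing step in the admin guide (Step 5 above) and the regular security reviews described here both come down to one question: given the headers a page returns, can a page on another origin put it in an iframe? The following Python script is an added example, not Salesforce code, that answers that question offline. It evaluates X-Frame-Options and the CSP frame-ancestors directive the way a browser does (CSP wins when both are present, the obsolete ALLOW-FROM value counts as no protection) against constructed sample header sets; the org origin and the untrusted origin are placeholders. It also goes slightly beyond the page by handling CSP allowlists such as wildcard subdomains, which is what you will meet on custom pages that legitimately embed into a partner site.

```python
"""Check whether a page's response headers stop cross-origin framing.

Added example, not Salesforce code. The header sets are constructed
samples standing in for what a Setup page or a custom Visualforce page
might return; the org and framer origins are placeholders.
"""

PAGE_ORIGIN = "https://myorg.my.salesforce.com"     # placeholder org origin
UNTRUSTED_ORIGIN = "https://untrusted.example.net"  # constructed third-party site

# Constructed sample responses (header name -> value).
SAMPLE_RESPONSES = {
    "setup_page_protected": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
    },
    "custom_page_unprotected": {"Content-Type": "text/html"},
    "custom_page_allowlist": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.example.com",
    },
    "xfo_only_deny": {"X-Frame-Options": "DENY"},
}

def _header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def frame_ancestors_sources(csp):
    """Source list of the CSP frame-ancestors directive, or None if not set."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def _split_origin(value, default_scheme):
    """Split 'scheme://host:port' (scheme optional) into (scheme, host, port)."""
    scheme, sep, rest = value.partition("://")
    if not sep:
        scheme, rest = default_scheme, value
    host, _, port = rest.split("/")[0].partition(":")
    return scheme.lower(), host.lower(), port

def _source_matches(source, framer, page_origin):
    """Does one frame-ancestors source expression permit `framer` to embed the page?"""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return framer.lower() == page_origin.lower()
    f_scheme, f_host, f_port = _split_origin(framer, "https")
    if "://" not in source and source.endswith(":"):  # scheme-only source, e.g. https:
        return f_scheme == source[:-1]
    s_scheme, s_host, s_port = _split_origin(source, _split_origin(page_origin, "https")[0])
    if s_scheme != f_scheme or (s_port and s_port != f_port):
        return False
    if s_host.startswith("*."):  # wildcard subdomain match
        return f_host.endswith(s_host[1:])
    return f_host == s_host

def framing_verdict(headers, framer, page_origin=PAGE_ORIGIN):
    """Return (allowed, reason): may `framer` put this page in an iframe?"""
    sources = frame_ancestors_sources(_header(headers, "Content-Security-Policy"))
    if sources is not None:
        # Browsers that support CSP apply frame-ancestors and ignore X-Frame-Options.
        allowed = any(_source_matches(s, framer, page_origin) for s in sources)
        return allowed, "CSP frame-ancestors " + " ".join(sources)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True, "no anti-framing header: any site can frame the page"
    value = xfo.strip().upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return framer.lower() == page_origin.lower(), "X-Frame-Options: SAMEORIGIN"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it protects nothing.
    return True, f"unsupported X-Frame-Options value {xfo!r}"

def audit(headers, page_origin=PAGE_ORIGIN, untrusted=UNTRUSTED_ORIGIN):
    """Summarise protection: 'protected' means the untrusted origin is refused."""
    same_ok, _ = framing_verdict(headers, page_origin, page_origin)
    cross_ok, reason = framing_verdict(headers, untrusted, page_origin)
    return {
        "same_origin_allowed": same_ok,
        "cross_origin_allowed": cross_ok,
        "protected": not cross_ok,
        "reason": reason,
    }

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name:26} {audit(headers)}")
```

To use it against a real org, replace SAMPLE_RESPONSES with the headers captured from the browser's network panel (or an HTTP client) for each Setup page and custom page you care about, and set PAGE_ORIGIN to your My Domain origin. A page whose audit comes back with protected set to False is one that the admin setting did not cover and that needs the controller-side headers from Step 3.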
By taking these steps, Salesforce developers play a crucial role in complementing the security measures implemented by Salesforce Admins, ensuring comprehensive protection against clickjack attacks for both standard and custom Salesforce pages.