Protect against clickjack attacks and allow framing on trusted external domains. Standard headers are disabled when the showHeader attribute is set to false.
Step 1: Understand Clickjack Protection Settings
Salesforce offers clickjack protection settings to prevent malicious websites from embedding Salesforce pages. Understanding these settings is the first step in securing your org.
Step 2: Access Session Settings
Navigate to the Session Settings in Salesforce Setup to find clickjack protection options.
Go to Setup, enter Session Settings in the Quick Find box, and select Session Settings.
Step 3: Enable Clickjack Protection
In the Session Settings, look for the Clickjack Protection section. You will find options to enable clickjack protection for both Setup and non-Setup pages.
To protect non-Setup Salesforce pages, ensure the option for Enable clickjack protection for non-Setup Salesforce pages is checked. This setting prevents your Salesforce pages from being framed by external sites, mitigating the risk of clickjacking attacks.
Step 4: Consider Setup Pages Protection
While focusing on non-Setup pages, it’s also a good practice to review and enable clickjack protection for Setup pages if it hasn’t been done already. This adds an extra layer of security by protecting critical Setup pages from being embedded maliciously.
Check the option for Enable clickjack protection for Setup pages to secure your configuration settings.
Step 5: Test Your Configuration
After enabling clickjack protection, test your Salesforce org’s functionality to ensure that legitimate integrations or customizations are not adversely affected. Some integrations or custom pages may rely on framing Salesforce pages, so it’s important to verify that everything works as expected.
Step 6: Communicate Changes
Inform your users and any stakeholders about the change, especially if it might impact custom integrations or how they use Salesforce. Providing information on why the change was made can help in understanding its importance.
Step 7: Monitor and Review
Regularly monitor your org’s security settings and review them to ensure that clickjack protection remains enabled. Salesforce releases updates that can sometimes alter configurations, so staying vigilant is key.
By enabling clickjack protection for non-Setup Salesforce pages, you’re taking a significant step towards securing your Salesforce environment from clickjacking attacks. Regularly reviewing these settings as part of your security maintenance routine ensures ongoing protection for your org and its users.
Step 1: Understand Clickjack Protection
First, understand that clickjack protection prevents malicious sites from embedding Salesforce pages in frames, which could trick users into performing unintended actions. Salesforce enforces this protection through the X-Frame-Options and Content Security Policy (CSP) response headers.
Step 2: Collaborate with Your Admin
Work with your Salesforce Admin to ensure clickjack protection is enabled for non-Setup pages. If it’s not enabled:
Discuss the security risks with your admin and the importance of enabling clickjack protection for safeguarding the org.
Step 3: Assess Impact on Custom Integrations
Review your custom integrations and Visualforce pages. Check if any functionality relies on embedding Salesforce pages in iframes, which clickjack protection would impact.
Step 4: Update Custom Applications
For custom applications that are affected by enabling clickjack protection, update your code to comply with the security measures. This could mean redesigning how your application interacts with Salesforce data or UI.
Step 5: Implement Secure Coding Practices
When developing new features or applications, implement secure coding practices that consider clickjack protection:
Step 6: Educate Your Team
Inform your development team about the implications of clickjack protection on development practices.
Step 7: Test Thoroughly
Before and after clickjack protection is enabled, thoroughly test your applications to ensure they function correctly:
Step 8: Continuous Monitoring and Updating
Regularly review and update your custom applications to adhere to best practices for security and compatibility with Salesforce security features like clickjack protection. Stay updated on Salesforce releases and security best practices to ensure your applications remain secure and functional.
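A check to pair with the testing steps (Step 5 of the admin procedure and Step 7 here): this added Python example, not Salesforce's own code, classifies the framing policy a page actually serves from the X-Frame-Options and CSP headers named in Step 1, so you can confirm the setting is in effect and see which trusted external domains remain allowed. The header sets inside it are constructed samples; pass it the headers of a real response to check your own org.

```python
"""Added example (not Salesforce code): classify a page's framing policy from the
X-Frame-Options and Content-Security-Policy headers that clickjack protection sets.
Sample header sets at the bottom are constructed, not captured from a real org."""
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Keywords arrive quoted ('self', 'none'); hosts are bare origins.
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def clickjack_status(headers: Dict[str, str]) -> dict:
    """Classify framing as blocked, same-origin, allowlist or unprotected.
    Browsers that support frame-ancestors ignore X-Frame-Options when both
    headers are present, so CSP is evaluated first; only DENY and SAMEORIGIN
    count for X-Frame-Options (ALLOW-FROM is obsolete and ignored)."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == ["none"]:
            return {"policy": "blocked", "source": "csp", "allowed": []}
        if "*" in ancestors:
            return {"policy": "unprotected", "source": "csp", "allowed": ["*"]}
        external = [a for a in ancestors if a != "self"]
        policy = "allowlist" if external else "same-origin"
        return {"policy": policy, "source": "csp", "allowed": external}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        policy = "blocked" if xfo == "DENY" else "same-origin"
        return {"policy": policy, "source": "x-frame-options", "allowed": []}
    return {"policy": "unprotected", "source": None, "allowed": ["*"]}


# Constructed samples: protected, one trusted external domain allowed, unprotected.
SAMPLES = {
    "protected": {"X-Frame-Options": "SAMEORIGIN",
                  "Content-Security-Policy": "frame-ancestors 'self'"},
    "trusted_domain": {"Content-Security-Policy":
                       "default-src 'self'; frame-ancestors 'self' https://portal.example.com"},
    "unprotected": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {clickjack_status(hdrs)}")
```

A page that reports "unprotected" after the setting is enabled usually means the response came from a different path than expected (for example a login redirect), so compare the final URL with the page you meant to test.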
By following these steps, Salesforce developers can effectively manage the enablement of clickjack protection for non-Setup pages, ensuring that custom applications are secure and function correctly without compromising the org's security posture.