Clickjack Protection for Customer Visualforce Pages

Ensuring the security of your Salesforce instance is crucial to protect your organization’s sensitive data and maintain a safe environment for your users. In this guide, we’ll cover everything you need to know to enable Clickjack Protection for Customer Visualforce Pages effectively.

Understanding Clickjack Protection

What is Clickjacking?

Clickjacking, also known as a UI redress attack, tricks a user into clicking on something other than what they perceive. The attacker loads the target page, for example a Visualforce page from your Salesforce org, into a transparent or disguised iframe on a site they control and lines up a decoy underneath it, so the user's click lands on a real button in the framed page. Because the victim is already signed in to Salesforce, the browser sends their session with that click, and an action the victim is authorized to perform can be triggered without their knowledge. That is why Clickjacking is a real threat to a Salesforce instance: it turns a legitimate user's own permissions against them.

Why Clickjack Protection is Important

Clickjack Protection guards against this by having Salesforce send frame-restricting HTTP response headers (X-Frame-Options, and in current browsers the equivalent Content Security Policy frame-ancestors directive) with the page, so the browser refuses to render the page inside a frame on a site other than your own. The restriction is enforced by the browser on the framing site, not by anything in the page body, which is why an attacker who controls that site cannot bypass it. Enabling Clickjack Protection for your Visualforce pages therefore removes the overlay trick that a Clickjacking attack depends on.

Identifying Your Visualforce Pages

Custom Visualforce Pages

Before enabling Clickjack Protection, identify the custom Visualforce pages in your Salesforce organization that need protection. These are typically pages you've developed to meet specific business needs. Keep a list of them, and record for each page whether its opening apex:page tag sets showHeader="false", because that value determines which of the two protection settings covers the page.

Standard Salesforce Pages

Keep in mind that Salesforce's own pages are covered by separate settings (clickjack protection for Setup pages and for non-Setup Salesforce pages), which are enabled by default. Those settings do nothing for the Visualforce pages you wrote; the two settings for customer Visualforce pages are what this guide is about, and you should review both against your list of pages.

Modifying Visualforce Pages

Setting the showHeader Attribute

The showHeader attribute on apex:page does not by itself add Clickjack Protection. It only removes the Salesforce header and sidebar area from the page, and an attacker can overlay a page with or without that header just as easily. What showHeader does determine is which of the two Session Settings checkboxes governs the page: pages that keep the header (showHeader omitted or set to "true") are covered by "Enable clickjack protection for customer Visualforce pages with standard headers", and pages with showHeader="false" are covered by "Enable clickjack protection for customer Visualforce pages with headers disabled". Both checkboxes are in the Clickjack Protection section of Session Settings in Setup. So set showHeader deliberately for each page, then enable the checkbox that covers it; in practice you enable both so that no page falls through. Before enabling, check for pages you legitimately embed in an iframe on another domain, such as a customer portal. Those will stop rendering there, so add the framing domain under Trusted Domains for Inline Frames in Session Settings rather than leaving the protection off.

The attribute goes on the page's opening apex:page tag in the Visualforce (XML) markup, for example showHeader="false".
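The following is an added example, not code from the original page or from Salesforce. It does the two things a practitioner wants after reading the sections above: it reads Visualforce page sources and reports which Session Settings checkbox governs each one based on showHeader, and it parses a captured response header block (what `curl -sI` prints for a page URL) to decide whether a given attacker origin could frame the page, following the browser rule that an enforced CSP frame-ancestors directive takes precedence over X-Frame-Options. The page sources, header blocks, hostnames (example.my.salesforce.com, attacker.example) and file names are all constructed for the example.

```python
"""Added example, not Salesforce's code: classify Visualforce pages by showHeader
(which decides the Clickjack Protection checkbox that covers them) and check a
captured HTTP response for framing restrictions. All inputs are constructed."""
import re
from urllib.parse import urlsplit

# Constructed .page sources; <apex:page> and showHeader are real Visualforce syntax.
SAMPLE_PAGES = {
    "AccountSummary.page": '<apex:page standardController="Account">\n  <h1>Summary</h1>\n</apex:page>',
    "PortalLanding.page": '<apex:page showHeader="false" sidebar="false">\n  <h1>Welcome</h1>\n</apex:page>',
}
_APEX_PAGE_TAG = re.compile(r"<apex:page\b([^>]*)>", re.IGNORECASE | re.DOTALL)
_SHOW_HEADER = re.compile(r'\bshowHeader\s*=\s*"([^"]*)"', re.IGNORECASE)


def header_mode(page_source: str) -> str:
    """'standard' (showHeader absent or true: "...with standard headers" setting),
    'disabled' (showHeader="false": "...with headers disabled" setting) or
    'dynamic' (showHeader bound to a {!...} expression, so decided per request)."""
    tag = _APEX_PAGE_TAG.search(page_source)
    if tag is None:
        raise ValueError("no <apex:page> tag found")
    attr = _SHOW_HEADER.search(tag.group(1))
    if attr is None:
        return "standard"  # Visualforce defaults showHeader to true
    value = attr.group(1).strip()
    if value.startswith("{!"):
        return "dynamic"
    return "disabled" if value.lower() == "false" else "standard"


def parse_headers(raw: str) -> dict:
    """Header block as printed by `curl -sI <url>` -> {lowercase name: [values]}."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:  # skips the status line and blank lines
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _origin(url: str):
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def _source_matches(source: str, page_origin, framer_origin) -> bool:
    """Simplified frame-ancestors source matching: 'none', 'self', *, scheme-only
    sources (https:) and host sources with an optional scheme and *. wildcard.
    Ports and paths are ignored."""
    framer_scheme, framer_host = framer_origin
    src = source.strip().lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer_origin == page_origin
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:  # scheme-source such as https:
        return src[:-1] == framer_scheme
    if "://" in src:
        src_scheme, _, src = src.partition("://")
        if src_scheme != framer_scheme:
            return False
    src_host = src.split("/", 1)[0].split(":", 1)[0]
    if src_host.startswith("*."):
        return framer_host.endswith(src_host[1:])
    return framer_host == src_host


def can_frame(headers: dict, page_url: str, framer_url: str) -> bool:
    """True if a document at framer_url may embed page_url. As in browsers, an
    enforced CSP frame-ancestors directive wins over X-Frame-Options, and with
    neither header present any site may frame the page."""
    page_origin, framer_origin = _origin(page_url), _origin(framer_url)
    policies = []
    for csp in headers.get("content-security-policy", []):  # Report-Only does not block
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                policies.append(tokens[1:])  # an empty source list means 'none'
    if policies:  # every frame-ancestors policy present must allow the framer
        return all(any(_source_matches(s, page_origin, framer_origin) for s in sources)
                   for sources in policies)
    for value in headers.get("x-frame-options", []):
        xfo = value.strip().upper()
        if xfo == "DENY":
            return False
        if xfo == "SAMEORIGIN":
            return framer_origin == page_origin
        # obsolete ALLOW-FROM and unknown values: current browsers ignore the header
    return True


# Constructed responses: PROTECTED is the shape to expect once the setting is on.
PROTECTED = ("HTTP/2 200\ncontent-type: text/html\nx-frame-options: SAMEORIGIN\n"
             "content-security-policy: frame-ancestors 'self'\n")
UNPROTECTED = "HTTP/2 200\ncontent-type: text/html\n"
PAGE_URL = "https://example.my.salesforce.com/apex/PortalLanding"  # hypothetical org
ATTACKER_URL = "https://attacker.example/decoy.html"  # hypothetical decoy site

if __name__ == "__main__":
    for name, source in SAMPLE_PAGES.items():
        print(f"{name}: {header_mode(source)}")
    for label, raw in (("PROTECTED", PROTECTED), ("UNPROTECTED", UNPROTECTED)):
        print(f"{label}: attacker can frame = {can_frame(parse_headers(raw), PAGE_URL, ATTACKER_URL)}")
```

To use it against a real org, run `curl -sI` on a page URL (with a session cookie, or against a public Site page) and pass the printed headers to parse_headers; if can_frame returns True for an origin you do not control, the protection is not in effect for that page, whatever the checkbox says. The CSP matcher deliberately ignores ports and paths, which is enough for the 'self', 'none' and host-list policies you will actually see here, and header_mode reports "dynamic" rather than guessing when showHeader is bound to an expression, since such a page can fall under either checkbox depending on the request.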