Salesforce - Developer - Security - Clickjack
// Salesforce - Developer - Security - Clickjacking:

Salesforce leverages both a frame-busting script and the X-Frame-Options HTTP header. By default, all standard Salesforce pages are protected against clickjacking, but clickjacking protection is not enabled by default for Visualforce pages. As developers, we can extend this protection to our custom Visualforce pages.

Before we enable this functionality, check with our Salesforce admin. If our applications make extensive use of iframes, clickjacking protection may break intended functionality.

Go to Setup -> Security Controls -> Session Settings:
1. Check the "Enable clickjack protection for setup pages" check box
2. Check the "Enable clickjack protection for non-setup Salesforce pages" check box
3. Check the "Enable clickjack protection for non-setup customer Visualforce pages" check box

Each of these settings ensures that the corresponding Salesforce pages cannot be loaded into frames and hidden in an attempt to clickjack a user, that is, to send a click to the Salesforce page without the user's intent.
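One way to confirm that a page is covered once the settings are enabled is to look at the X-Frame-Options header in its response. The sketch below is an added example, not Salesforce code: it classifies that header only (it does not detect the frame-busting script), and the function names, page paths and header sets are constructed for illustration.

```python
# Added example: classify the X-Frame-Options state of an HTTP response.
# The header sets in SAMPLES are constructed, not captured from a real org.

VALID = {"DENY", "SAMEORIGIN"}

def audit_xfo(headers):
    """headers: list of (name, value) pairs. Returns (verdict, detail)."""
    # Header names are case-insensitive. Repeated headers and comma-joined
    # values are both collected, since intermediaries may fold them together.
    values = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    if not values:
        return ("missing", "no X-Frame-Options header; page can be framed")
    distinct = sorted(set(values))
    if len(distinct) > 1:
        return ("conflicting", "multiple values: " + ", ".join(distinct))
    value = distinct[0]
    if value in VALID:
        return ("protected", value)
    if value.startswith("ALLOW-FROM"):
        return ("ineffective", "ALLOW-FROM is obsolete; current browsers ignore it")
    return ("ineffective", "unrecognised value: " + value)

# Hypothetical Visualforce page paths with constructed response headers.
SAMPLES = {
    "/apex/ProtectedPage": [("Content-Type", "text/html"),
                            ("X-Frame-Options", "SAMEORIGIN")],
    "/apex/UnprotectedPage": [("Content-Type", "text/html")],
    "/apex/DoubleHeader": [("X-Frame-Options", "DENY"),
                           ("x-frame-options", "SAMEORIGIN")],
    "/apex/LegacyAllowFrom": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
}

def audit_all(samples=SAMPLES):
    """Map each sample path to its verdict string."""
    return {path: audit_xfo(hdrs)[0] for path, hdrs in samples.items()}

if __name__ == "__main__":
    for path, hdrs in SAMPLES.items():
        verdict, detail = audit_xfo(hdrs)
        print(f"{path}: {verdict} ({detail})")
```

A "missing" verdict on a custom Visualforce page is what to expect while the third check box is still unchecked.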
page revision: 3, last edited: 02 Jan 2017 00:35