// Salesforce - Developer - Security - Clickjacking:

Salesforce leverages both a frame-busting script and the X-Frame-Options HTTP 
header. By default, all standard Salesforce pages are protected against 
clickjacking, but clickjacking protection is not enabled by default for 
Visualforce pages.
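
To confirm which pages actually carry the header-based protection, a response's headers can be classified as below. This is an added example, not Salesforce code: the sample headers are constructed, the function names are hypothetical, and the check goes beyond the page by also reading the CSP frame-ancestors directive, which browsers honour in preference to X-Frame-Options.

```python
# Added example: classify the anti-framing headers of an HTTP response.
# All sample headers below are constructed, not captured from Salesforce.

def _frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_policy(headers):
    """Return 'deny', 'same-origin', 'allow-list' or 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}
    # frame-ancestors, when present, takes precedence over X-Frame-Options.
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if not sources or sources == ["'none'"]:
            return "deny"
        if sources == ["'self'"]:
            return "same-origin"
        return "unprotected" if "*" in sources else "allow-list"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "same-origin"
    # Missing header, or obsolete ALLOW-FROM (ignored by current browsers).
    return "unprotected"

# Constructed sample responses (hypothetical page labels).
SAMPLES = {
    "header present": {"X-Frame-Options": "SAMEORIGIN"},
    "no protection": {"Content-Type": "text/html"},
    "obsolete allow-from": {"x-frame-options": "ALLOW-FROM https://partner.example"},
    "csp overrides xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy":
            "default-src 'self'; frame-ancestors 'self' https://partner.example",
    },
}

def audit(samples):
    """Map each sample label to its framing verdict."""
    return {name: framing_policy(hdrs) for name, hdrs in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:22} {verdict}")
```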

As developers, we can extend this protection to our custom Visualforce 
pages. Before we enable this functionality, we should check with our 
Salesforce admin. If our applications make extensive use of iframes, 
clickjacking protection may break intended functionality.

Go to Setup -> Security Controls -> Session Settings:

1. Check the "Enable clickjack protection for setup pages" check box
2. Check the "Enable clickjack protection for non-setup Salesforce pages" 
   check box
3. Check the "Enable clickjack protection for non-setup customer Visualforce
   pages" check box

Each of these settings will make sure that the different Salesforce pages will 
not be loaded into frames and hidden in different ways in an attempt to 
clickjack a user and send a click onto the Salesforce page without his 
