Prevent Insecure Remote Resource Interaction

Learning Objectives

After completing this unit, you'll be able to:
  • Identify mixed content vulnerabilities based on browser responses.
  • Include remote resources securely using static resources.
  • List four places where URL parameters can be leaked.

Trust and the Salesforce Platform

At Salesforce, trust is our #1 value. We put a lot of resources toward ensuring our services and our platform are as secure as possible. As a developer on the platform, it’s your responsibility to uphold this value in your custom code as well.

Your app might require interaction or resources from applications external to Lightning Platform. As you include external systems in your application flow, ensure that your usage is in line with Salesforce’s Trust model. In this unit, you’ll learn how to avoid two common cases where the Trust model can break.

  • Including remote resources
  • Sending data to remote resources

Include Remote Resources Securely

Using the Lightning Platform, you can include remote resources from external sites: images, documents, style sheets, or even JavaScript libraries hosted outside of the Lightning Platform domain. Often these external sites don’t uphold the same standard of trust as the platform, lacking basic requirements such as serving their content over HTTPS.

Mixed Content Vulnerabilities

This is the crux of a “Mixed Content” vulnerability: a page delivered over HTTPS includes resources that are loaded over plain HTTP. Because those resources travel over an unencrypted channel, an attacker on the network path between the client and the server (on a shared Wi-Fi network, for example) can read or modify them and so inject malicious content into the otherwise encrypted page.

The impact of this vulnerability varies wildly based on the type of resource that is included over the unencrypted channel. For passive content like images, the risk is minor: the application may appear broken or show misleading content. For active content like JavaScript libraries or style sheets, an attacker who tampers with the response can run client-side code in the context of your page, resulting in phishing, sensitive data disclosure, or redirection to malicious sites. Current browsers block active mixed content by default and increasingly upgrade or block passive mixed content as well, so the symptom you see is often a broken page or a console warning rather than a silent compromise; the fix is the same either way.
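
As an added example, not part of the original Trailhead unit, the following Python script scans Visualforce or HTML markup for resource references hard-coded to http:// and labels each one passive or active using the distinction above. The sample page and the host cdn.example.test are constructed for the example; the lists of tags and attributes that load remote content are assumptions you should extend for your own pages.

```python
"""Find mixed-content candidates in Visualforce/HTML markup (added example).

Any resource hard-coded to http:// on a page served over https is mixed
content. The scanner reports each occurrence and labels it active (script,
stylesheet, frame: tampering yields code execution in the page) or passive
(image, media: tampering yields a broken or misleading page).
"""
from html.parser import HTMLParser
from typing import List, NamedTuple, Optional, Tuple

# Attributes that may carry a resource URL. Visualforce components use
# value= and url= where plain HTML uses src= and href= (assumed list).
URL_ATTRS = {"src", "href", "url", "value", "data", "poster"}

# Tags whose remote content executes or styles the page (HTMLParser lowercases names).
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed",
               "apex:includescript", "apex:stylesheet", "apex:iframe"}
# Tags whose remote content is rendered but never executed.
PASSIVE_TAGS = {"img", "audio", "video", "source", "apex:image"}


class Finding(NamedTuple):
    line: int
    tag: str
    attr: str
    url: str
    severity: str  # "active" or "passive"


class MixedContentScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        # HTMLParser also routes self-closing tags (<apex:image .../>) here.
        if tag not in ACTIVE_TAGS and tag not in PASSIVE_TAGS:
            return
        for name, value in attrs:
            if value is None or name not in URL_ATTRS:
                continue
            # Only an explicit http:// scheme is mixed content. https://,
            # protocol-relative (//host/...), relative paths and Visualforce
            # merge fields such as {!$Resource.castle} all resolve securely.
            if value.strip().lower().startswith("http://"):
                severity = "active" if tag in ACTIVE_TAGS else "passive"
                line, _col = self.getpos()
                self.findings.append(Finding(line, tag, name, value, severity))


def scan_markup(markup: str) -> List[Finding]:
    """Return every http:// resource reference found in the markup."""
    scanner = MixedContentScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed sample page: one active and one passive mixed-content defect,
# plus three references that are safe and must not be reported.
SAMPLE_PAGE = """<apex:page>
  <apex:includeScript value="http://cdn.example.test/lib.js"/>
  <apex:stylesheet value="https://cdn.example.test/site.css"/>
  <apex:image value="http://www.castles.org/images/sd2_small.jpg"/>
  <apex:image url="{!$Resource.castle}"/>
  <img src="//cdn.example.test/logo.png"/>
</apex:page>
"""

if __name__ == "__main__":
    for f in scan_markup(SAMPLE_PAGE):
        print(f"line {f.line}: <{f.tag} {f.attr}=...> loads {f.url} [{f.severity}]")
```

Run it over the markup of a Visualforce page before saving; active findings are the ones to fix first, since they are the ones an attacker can turn into code execution in your users’ browsers.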

Include External Resources Safely

Your best bet against this attack is to have Salesforce host the resources for you. Static resources let you upload content once and reference it from your Visualforce pages, so it is served from the Salesforce domain over HTTPS like the rest of the page. Supported file types include:

  • Archives (.zip and .jar)
  • Images
  • Style sheets
  • JavaScript

Static Resources in Action

Let’s walk through how to utilize static resources properly in the Kingdom Management developer org.

  1. Log in to the Kingdom Management developer org and select the Insecure Remote Resources app.
  2. Click the Mixed Content tab.
  3. Look at your browser’s URL bar. Instead of the usual padlock symbol, which indicates a fully secure page, you should see a warning indicator next to the URL.

    In Firefox you’ll see an icon like:

    Firefox secure site icon

    In Chrome you’ll see an icon like:

    Chrome secure site icon

  4. Click the icon to get more information from your browser about the error.

    The message will vary from browser to browser, but generally these icons are designed to warn you that a portion of the page is being served over a nonsecure connection, that is, a mixed content vulnerability. So let’s fix it!

  5. Click the Visualforce link at the bottom of the page.
  6. Look for the line corresponding to the image being served over http:
    <apex:image value="http://www.castles.org/images/sd2_small.jpg"/>
    

    Rather than load the image from a remote host over an unencrypted connection, upload it as a static resource and reference it from the Salesforce domain, which is always served over HTTPS.

  7. Change the apex:image tag to reference the static resource instead:
    <apex:image url="{!$Resource.castle}"/>
    
  8. Click Save and navigate back to the Mixed Content tab.

No more mixed content warnings. Excellent!

Send Data to External Sources Safely

While you now know how to include external resources safely, what about sending data to external sources? One common mistake developers make is to pass sensitive information via URL parameters.

If you use HTTPS, the data exchanged between the client and Salesforce is encrypted in transit. An HTTPS request is protected as long as:

  • No SSL/TLS certificate warnings were ignored by the user.
  • The private key for the web server’s certificate hasn’t been exposed outside of the web server itself.

So in transit, generally speaking, sensitive information won’t be exposed to external attackers. However, there are a number of places where this information could still be leaked:

  • Web server and proxy logs: The request line, including the full URL and query string, is written to the access log of every server and proxy the request passes through, so sensitive data in a URL parameter (like a password) ends up saved in clear text on disk. Request bodies are not logged by default.
  • Browser: Browsers store the full URL, including query parameters, in their history and in any bookmarks the user saves. Anyone with access to the browser profile can read that sensitive data.
  • Referer headers: If a secure page uses remote resources, such as JavaScript, images, or analytics services, the page’s URL is sent in the Referer request header of each embedded request, and in the request for any link the user clicks. The query string parameters may be delivered to and stored by those third-party sites. Recent browsers default to a Referrer-Policy that strips the query string from cross-origin requests, but you should not rely on every client doing so.
  • Printed PDF: Most browsers include the source URL at the bottom of the printed page, including all URL parameters.

As a result, Salesforce requires that all sensitive information be delivered in the body of a POST request rather than in the query string of a GET request. The request body is not written to standard access logs, saved in history or bookmarks, sent in the Referer header, or printed in the page footer, which closes off each of the leaks above. Note that this only helps over HTTPS: the body of a plain-HTTP POST is just as readable in transit as a URL.
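
To make the first leak concrete, here is an added example (not part of the original unit) that parses access-log lines in the common combined format and reports query-string parameters whose names suggest secrets, in both the request line and the stored Referer header. The log lines, the client address, the hostname app.example.test and the list of sensitive parameter names are all constructed for the example; the same credentials sent in a POST body produce no finding because the body never reaches the log.

```python
"""Detect sensitive data leaked through URL query strings in access logs (added example).

Parses Apache/nginx combined-format log lines, extracts the query string of
the request target and of the logged Referer, and reports parameters whose
names look like secrets. Values are masked so the tool does not re-leak them.
"""
import re
from typing import List, NamedTuple
from urllib.parse import parse_qsl, urlsplit

# client ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Heuristic list of parameter names that must never travel in a URL (assumed; extend per app).
SENSITIVE_PARAMS = re.compile(r"(pass(word|wd)?|pwd|secret|token|api[_-]?key|session|ssn|cvv)", re.I)


class Leak(NamedTuple):
    line_no: int
    source: str         # "request" (the request line) or "referer" (the Referer header)
    method: str
    param: str
    value_preview: str  # masked: first two characters only


def _mask(value: str) -> str:
    # Keep two characters for triage, never the whole secret.
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_leaks(log_lines: List[str]) -> List[Leak]:
    leaks: List[Leak] = []
    for n, line in enumerate(log_lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        # Both the request line and the Referer are stored verbatim. A referring
        # page's query string rides along on every subresource it loads.
        for source, url in (("request", m["target"]), ("referer", m["referer"] or "")):
            if not url or url == "-":
                continue
            for param, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
                if SENSITIVE_PARAMS.search(param):
                    leaks.append(Leak(n, source, m["method"], param, _mask(value)))
    return leaks


# Constructed sample log. Line 1 leaks a password via GET; line 2 is the same
# login as a POST, whose body is not logged; line 3 is a third-party image
# request whose Referer carries a reset token from the embedding page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&password=Tr0ub4dor HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /img/logo.png HTTP/1.1" 200 512 "https://app.example.test/reset?token=9f8e7d6c" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"line {leak.line_no}: {leak.method} {leak.source} carries {leak.param}={leak.value_preview}")
```

Point it at a real access log (one line per list element) to find parameters that should have been moved into a POST body; the Referer findings also show which third parties already received the value.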

By using static resources for including external resources and using POST requests for sending data to external resources, you’re well on your way to interacting with remote resources securely.

Resources

Visualforce Developer Guide - Static Resources

Remember, this module is meant for Salesforce Classic. When you launch your hands-on org, switch to Salesforce Classic to complete this challenge.