Prevent Insecure Remote Resource Interaction
At Salesforce, trust is our #1 value. We put a lot of resources toward ensuring our services and our platform are as secure as possible. As a developer on the platform, it’s your responsibility to uphold this value in your custom code as well.
Your app might require interaction or resources from applications external to Lightning Platform. As you include external systems in your application flow, ensure that your usage is in line with Salesforce’s Trust model. In this unit, you’ll learn how to avoid two common cases where the Trust model can break.
- Including remote resources
- Sending data to remote resources
Mixed Content Vulnerabilities
A “Mixed Content” vulnerability occurs when a page that is served over HTTPS includes resources (images, scripts, style sheets, fonts) that are loaded over plain HTTP. Because those resources travel over an unencrypted channel, an attacker positioned between the client and the server can read or modify them and inject malicious content into the otherwise encrypted page. Browsers distinguish passive mixed content (such as images), which they typically still load but flag with a warning, from active mixed content (such as scripts and style sheets), which modern browsers block outright; either way, the page no longer gets the protection HTTPS was supposed to provide.
Include External Resources Safely
Your best bet against this attack is to rely on Salesforce to host your external resources. Salesforce provides a mechanism called “static resources” that enables you to upload content and reference it from your Visualforce pages; because the resource is served from the same Salesforce domain as the page, it is always delivered over HTTPS. This includes file types such as:
- Archives (.zip and .jar)
- Style sheets
Let’s walk through how to utilize static resources properly in the Kingdom Management developer org.
- Log in to the Kingdom Management developer org and select the Insecure Remote Resources app.
- Click the Mixed Content tab.
Look at your browser’s URL bar. Next to the URL you should see something other than the usual padlock symbol.
In Firefox and in Chrome the icon looks different, but in each case it replaces the normal padlock (the original page shows a screenshot for each browser).
Click the icon to get more information from your browser about the error.
The message will vary from browser to browser, but generally these icons are designed to warn you that a portion of the page is being served over a nonsecure connection, that is, a mixed content vulnerability. So let’s fix it!
- Click the Visualforce link at the bottom of the page.
Look for the line corresponding to the image being served over an unencrypted (HTTP) connection.
Rather than using a remote resource that is fetched over an unencrypted connection, we use a static resource and reference the file locally.
Change the apex:image value so that it references the static resource instead of the remote HTTP URL.
- Click Save and navigate back to the Mixed Content tab.
No more mixed content warnings. Excellent!
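The before-and-after markup for the step above, as an added example that is not the Kingdom Management org’s own page: the static resource names (CastleImages, CastleLogo, KingdomStyles, KingdomScripts), the file paths inside the archives and the example.com URL are all hypothetical. It also shows the same fix applied to style sheets and scripts, since those are the file types browsers treat most strictly.

```html
<!-- Added example (hypothetical names), not the module's own Visualforce page. -->
<apex:page>

  <!-- BEFORE: mixed content. The page itself is served over HTTPS,
       but this image is fetched over plain HTTP and can be swapped
       by anyone on the network path. -->
  <apex:image value="http://www.example.com/images/castle.png" alt="Castle" />

  <!-- AFTER: the image is uploaded as a static resource named CastleImages
       (a .zip archive) and referenced with URLFOR. Salesforce serves it
       from the same HTTPS origin as the page. -->
  <apex:image value="{!URLFOR($Resource.CastleImages, 'images/castle.png')}" alt="Castle" />

  <!-- A single file uploaded directly (not in an archive) is referenced
       through $Resource.<name> without URLFOR. -->
  <apex:image value="{!$Resource.CastleLogo}" alt="Castle logo" />

  <!-- The same pattern for style sheets and scripts, which browsers
       block entirely when loaded over HTTP from an HTTPS page. -->
  <apex:stylesheet value="{!URLFOR($Resource.KingdomStyles, 'css/main.css')}" />
  <apex:includeScript value="{!URLFOR($Resource.KingdomScripts, 'js/app.js')}" />

</apex:page>
```

A quick check after the change is to reload the page and confirm the padlock is back; a stricter one is to open the browser’s developer console, which logs every resource that was loaded or blocked as mixed content. If a third-party resource genuinely cannot be hosted as a static resource, the minimum is to reference it with an https:// URL, but that still means trusting that host’s availability and integrity, which is why the static resource route is preferred.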
While you now know how to include external resources safely, what about sending data to external sources? One common mistake developers make is to pass sensitive information via URL parameters.
If you use HTTPS, all your data between the client and Salesforce is encrypted in transit. An HTTPS request is secure as long as:
- No SSL/TLS certificate warnings were ignored (a warning means the server’s identity wasn’t verified, so the encrypted channel may terminate at an attacker).
- The private key used by the web server to establish the SSL/TLS connection isn’t available outside of the web server itself.
So in transit, generally speaking, sensitive information won’t be exposed to external attackers. However, the URL of a request is treated as non-secret by almost every system that handles it, so there are a number of places where data placed in URL parameters can still be leaked:
- Web server and proxy logs — The whole URL of each request is stored in a server log, resulting in sensitive data in the URL (like a password) saved in clear text on the server. Request bodies are not written to standard access logs.
- Browser — Browsers store the full URL, including its parameters, in history and in bookmarks, and send it to the next site in the Referer header when the user follows a link from the page. So any sensitive data in the URL would be exposed in your browser and potentially to third-party sites.
- Printed PDF — Most browsers include the source URL in the header or footer of the printed page, including all URL parameters.
As a result, Salesforce requires that all sensitive information be delivered in the body of the request using a POST (not GET) request, which keeps it out of the URL and therefore out of the logs, history, Referer headers, and printouts listed above. POST is not a substitute for HTTPS: the body is still readable by anyone who can see the plaintext, so it must travel over an encrypted connection as well.
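The two patterns side by side, as an added example rather than code from the module. It assumes a hypothetical controller named SigninDemoController that exposes String properties username and password and a signIn() action method; the page name SigninTarget is also hypothetical.

```html
<!-- Added example (hypothetical names), not the module's own Visualforce page. -->

<!-- INSECURE: credentials in the query string.
     apex:param inside apex:outputLink is appended to the URL, so clicking
     this link issues GET /apex/SigninTarget?username=...&password=...
     and the password lands in server and proxy logs, browser history,
     bookmarks, the Referer header of later requests, and printed pages. -->
<apex:page controller="SigninDemoController">
  <apex:outputLink value="/apex/SigninTarget">
    Sign in
    <apex:param name="username" value="{!username}" />
    <apex:param name="password" value="{!password}" />
  </apex:outputLink>
</apex:page>

<!-- The target page (or its controller, via
     ApexPages.currentPage().getParameters()) then reads the values
     straight out of the URL: -->
<apex:page controller="SigninDemoController">
  <apex:outputText value="Welcome, {!$CurrentPage.parameters.username}" />
</apex:page>

<!-- SECURE: apex:form is rendered as an HTML form that submits with
     HTTP POST, so the values travel in the request body, not the URL.
     apex:inputSecret renders a password field that is not echoed. -->
<apex:page controller="SigninDemoController">
  <apex:form>
    <apex:inputText   value="{!username}" />
    <apex:inputSecret value="{!password}" />
    <apex:commandButton action="{!signIn}" value="Sign in" />
  </apex:form>
</apex:page>
```

The same rule applies to any sensitive value, not only passwords: session tokens, API keys, and personal data should never be carried as URL parameters. A simple check is to watch the Network tab in the browser’s developer tools while submitting the form and confirm that the request method is POST and that no secret appears in the request URL.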
By using static resources for including external resources and using POST requests for sending data to external resources, you’re well on your way to interacting with remote resources securely.