Clickjack Protection

Clickjacking is a type of attack that tries to trick a user into clicking something, maybe a button or link, because they perceive they are clicking something safe. Instead, the button or link performs malicious actions on your site leading to data intrusion, unauthorized emails, changed credentials, or other site-specific actions.


This information applies only to sites. For information about clickjack protections in Salesforce, see Clickjack Protection Enabled By Default.

Hidden iframes that load your site's pages can be placed maliciously by an unrelated page that entices the user to click a button or link that appears below the hidden iframe. With clickjack protection, you can configure whether your browser allows frames or iframes over your site pages. The default clickjack level for is set to Allow framing by the same origin only.

You can set the clickjack protection for a site to one of these levels:
  • Allow framing by any page (no protection)
  • Allow framing by the same origin only (recommended)
  • Don’t allow framing by any page (most protection)


Same-origin framing allows the site’s page to be framed only by pages on the same domain name and protocol security.

Clickjack protection won’t be automatically enabled for sites created prior to the Spring ’14 release. To manage clickjack protection in your site:

  1. On the Overview tab, click Site Configuration.
  2. Click Edit.
  3. Select the desired level of clickjack protection.


Salesforce Communities have two clickjack protection parts—one for the Communities site which is set from the site detail page and another for the Communities site which is set from the configuration page. It's recommended that both are set to the same value.