Site.com Clickjack Protection

Clickjacking is a type of attack that tries to trick a user into clicking something, such as a button or link, that they perceive to be safe. Instead, the button or link performs malicious actions on your site, leading to data intrusion, unauthorized emails, changed credentials, or other site-specific actions.
Important

This information applies only to Site.com sites. For information about clickjack protections in Salesforce, see Clickjack Protection Enabled By Default.

An unrelated page can maliciously load your site's pages in a hidden iframe and entice the user to click a button or link that appears below the hidden iframe. With clickjack protection, you can configure whether browsers allow your site pages to be loaded in frames or iframes. The default clickjack level for Site.com is Allow framing by the same origin only.

You can set the clickjack protection for a site to one of these levels:
  • Allow framing by any page (no protection)
  • Allow framing by the same origin only (recommended)
  • Don’t allow framing by any page (most protection)
Note

Same-origin framing allows the site’s page to be framed only by pages with the same domain name and protocol security.

Clickjack protection won’t be automatically enabled for sites created prior to the Spring ’14 release. To manage clickjack protection in your site:

  1. On the Overview tab, click Site Configuration.
  2. Click Edit.
  3. Select the desired level of clickjack protection.
Note

Salesforce Communities have two clickjack protection parts: one for the Force.com Communities site, which is set from the Force.com site detail page, and another for the Site.com Communities site, which is set from the Site.com configuration page. It's recommended that both are set to the same value.
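
To confirm that the selected level took effect, and that both Communities parts resolve to the same level, you can classify the framing headers each site returns. The following is an added example, not Salesforce code. It assumes the level is enforced through the standard `X-Frame-Options` and CSP `frame-ancestors` response headers, which this page does not name; the function names are hypothetical and the sample headers are constructed.

```python
# Added example: map framing-related response headers to this page's three levels.
# Assumption: the level is enforced via X-Frame-Options and/or CSP frame-ancestors.

ANY = "Allow framing by any page"
SAME = "Allow framing by the same origin only"
NONE = "Don't allow framing by any page"
OTHER = "Custom allow-list (not one of the three levels)"


def frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def clickjack_level(headers):
    """Classify a response's framing policy from its headers (a dict)."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # browsers that support it prefer CSP over X-Frame-Options
        if sources in ([], ["'none'"]):  # an empty source list matches nothing
            return NONE
        if sources == ["'self'"]:
            return SAME
        return ANY if "*" in sources else OTHER
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return NONE
    if xfo == "SAMEORIGIN":
        return SAME
    return ANY  # header absent or unrecognised: the browser applies no restriction


def levels_match(force_headers, sitecom_headers):
    """True when both Communities parts resolve to the same level."""
    return clickjack_level(force_headers) == clickjack_level(sitecom_headers)


# Constructed sample headers, not captured from a real site.
FORCE_SITE = {"X-Frame-Options": "SAMEORIGIN"}
SITECOM_SITE = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    print(clickjack_level(FORCE_SITE), "|", clickjack_level(SITECOM_SITE))
    print("levels match:", levels_match(FORCE_SITE, SITECOM_SITE))
```

With the constructed samples, the two parts resolve to different levels, which is the mismatch the note above recommends avoiding.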