Secure HTTPS Connections Are Enforced in Experience Cloud Sites and Salesforce Sites
Settings that enforce HTTPS connections or upgrade HTTP requests were
enabled and removed because they’re required and enforced by default. These changes apply to all
sites, regardless of whether they’re served on a custom domain. We recommend that you allow HSTS
preloading registration for custom domains that host content through your sites, which adds
protection by removing the opportunity for attacks during HTTP redirections.
Where: This change applies to Aura, LWR, and Visualforce sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.
Why: These settings were enabled and removed:
- Enable Strict Transport Security headers on the Domain Details page
- HSTS for Salesforce Sites and Experience Cloud Sites on the Session Settings page
- Require Secure Connections (HTTPS) on the Site Details page
- Upgrade all requests to HTTPS on the Site Details page