Securely Retrieve and Display Third-Party Images in Visualforce Pages

Protect your users from unauthorized requests by using the IMAGEPROXYURL function to securely fetch images outside your org’s server. Loading a third-party image can initiate a malicious authentication request meant to steal Salesforce usernames and passwords. This Visualforce function loads external images over HTTPS and prevents images from requesting user credentials.

Where: This feature applies to Lightning Experience, Salesforce Classic, and all versions of the Salesforce app in Contact Manager, Group, Professional, Enterprise, Performance, Unlimited, and Developer editions.

How: To securely retrieve an external image, include the IMAGEPROXYURL function in the src attribute of an <img> tag or the value attribute of an <apex:image> object.

<img src="{!IMAGEPROXYURL('http://exampledomain.com/pic.png')}"/>
<apex:image value="{!IMAGEPROXYURL('http://exampledomain.com/pic.png')}"/>
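
To find existing pages that still load third-party images directly, the following static check (an added example, not Salesforce code) scans Visualforce markup for <img> and <apex:image> tags whose URL attribute is not wrapped in IMAGEPROXYURL. It assumes well-formed markup with quoted attribute values, treats $Resource references as local, and uses a constructed sample page in which Logo_URL__c is a hypothetical custom field.

```python
import re

# Opening <img> / <apex:image> tags and the attribute that carries the URL.
TAG_RE = re.compile(r"<(img|apex:image)\b([^>]*)>", re.IGNORECASE)
URL_ATTR = {"img": "src", "apex:image": "value"}
ATTR_RE = r"""(?<![\w-]){name}\s*=\s*(?:"([^"]*)"|'([^']*)')"""
PROXIED_RE = re.compile(r"^\{!\s*IMAGEPROXYURL\s*\(", re.IGNORECASE)
EXTERNAL_RE = re.compile(r"^(?:https?:)?//", re.IGNORECASE)

# Constructed sample page; Logo_URL__c is a hypothetical custom field.
SAMPLE = """<apex:page>
  <img src="{!IMAGEPROXYURL('http://exampledomain.com/pic.png')}"/>
  <img src="http://exampledomain.com/pic.png"/>
  <apex:image value="{!IMAGEPROXYURL('http://exampledomain.com/pic.png')}"/>
  <apex:image value="{!account.Logo_URL__c}"/>
  <apex:image value="{!$Resource.logo}"/>
</apex:page>"""

def classify(value):
    """Classify one image URL attribute value."""
    value = value.strip()
    if PROXIED_RE.match(value):
        return "proxied"
    if EXTERNAL_RE.match(value):
        return "direct-external"   # literal third-party URL, not proxied
    if value.startswith("{!") and "$Resource" not in value:
        return "dynamic"           # resolved at runtime; review by hand
    return "local"

def audit(markup):
    """Return (line, tag, verdict, value) for each image tag that is
    neither proxied nor clearly local."""
    findings = []
    for m in TAG_RE.finditer(markup):
        tag = m.group(1).lower()
        pattern = ATTR_RE.format(name=URL_ATTR[tag])
        attr = re.search(pattern, m.group(2), re.IGNORECASE)
        if not attr:
            continue
        value = attr.group(1) or attr.group(2) or ""
        verdict = classify(value)
        if verdict in ("direct-external", "dynamic"):
            line = markup.count("\n", 0, m.start()) + 1
            findings.append((line, tag, verdict, value))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "dynamic" verdict means the URL comes from a merge expression whose target cannot be determined from the markup alone, so it is listed for review instead of being reported as a violation.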