Most orgs leave File Upload and Download Security at defaults. The steps below cover the audit and adjustment workflow for orgs that need to review or tighten the configuration.
- Open the security settings: Setup > Security > File Upload and Download Security. The page lists each MIME type with its current security behavior.
- Review the current state: confirm that HTML, SVG, MHT, and similar high-risk types are set to Download. If any are set to Execute in Browser, document the business reason; this is the riskiest setting.
- Audit existing uploaded files: query ContentVersion grouped by FileType. Identify the counts of HTML, SVG, and other browser-executable types. Decide retention or removal for each cluster.
- Test with a representative file: upload a sample HTML file to a sandbox. Confirm that it is downloaded rather than rendered inline. Test in the corporate browser to ensure no override allows inline rendering.
- Adjust per type if needed: for each MIME type requiring a change, click Edit, select the new behavior, and save. Document the change in the security change log.
- Test in production after the change: upload and access a file of each adjusted type. Confirm that the new behavior matches the configuration.
- Document and schedule audits: add a quarterly review to the security calendar. File uploads accumulate over time, and new file types may emerge that warrant configuration.
The behavior options:
- Hybrid: the platform decides based on the type's risk. Default for most types.
- Execute in Browser: force inline display. Highest risk; reserved for trusted, controlled-content types.
- Download: force the browser to download rather than display. Safest option for browser-executable types.
- Force Download for All Files: apply the Download behavior to every type. High security, high friction.
- Per-MIME-type configuration: configure each MIME type individually. The standard granularity for most orgs.
- Setting HTML or SVG to Execute in Browser opens an XSS attack vector. A malicious upload runs script in the user session; this setting should rarely if ever be relaxed.
- Setting changes do not alter existing files. An HTML file uploaded under the old settings keeps its MIME type; what changes is how it is delivered from now on.
- Corporate browsers and gateways can ignore or override Content-Disposition headers. Test the target environments to confirm that the configured behavior actually applies.
- Force Download for All Files produces severe friction. Users frustrated by lost previews may move file sharing to OneDrive, Google Drive, or other tools outside Salesforce control.
- The setting affects delivery, not upload. Files of any MIME type can be uploaded regardless of these settings; if you need to block uploads, use Files Connect restrictions or a custom Apex trigger.
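For the custom Apex trigger route mentioned above, here is an added example (not code from the original page or from Salesforce) of a before-insert trigger on ContentVersion that rejects browser-executable uploads; the trigger name, the blocked extension list, and the assumed FileType values are this example's own choices.

```apex
// Added example: block browser-executable uploads at insert time, as a second layer
// beside the delivery-side File Upload and Download Security setting.
// Assumptions: the extension list reflects org policy, and FileType may or may not be
// populated yet in before insert, so the extension check is the primary test.
trigger BlockBrowserExecutableUploads on ContentVersion (before insert) {
    // Extensions a browser renders as active content (HTML, SVG, MHT and variants).
    Set<String> blockedExtensions = new Set<String>{
        'html', 'htm', 'xhtml', 'svg', 'svgz', 'mht', 'mhtml'
    };
    // FileType values the platform derives for those extensions (assumed values).
    Set<String> blockedFileTypes = new Set<String>{ 'HTML', 'SVG' };

    for (ContentVersion cv : Trigger.new) {
        // Derive the extension from the client-supplied path, falling back to Title.
        String name = String.isNotBlank(cv.PathOnClient) ? cv.PathOnClient : cv.Title;
        String ext = '';
        if (name != null && name.lastIndexOf('.') >= 0) {
            ext = name.substring(name.lastIndexOf('.') + 1).toLowerCase().trim();
        }
        Boolean blockedByExt = blockedExtensions.contains(ext);
        Boolean blockedByType = cv.FileType != null
            && blockedFileTypes.contains(cv.FileType.toUpperCase());
        if (blockedByExt || blockedByType) {
            // addError rejects this record's DML and shows the message to the uploader;
            // other records in the same bulk insert are unaffected.
            cv.addError('Upload blocked: this file type can run script in the browser. '
                + 'Convert the content to PDF or request an exception from the security team.');
        }
    }
}
```

Because the check is name-based, a renamed file slips through; keep the Download delivery setting as the primary control and treat the trigger as defense in depth.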