Add an approved external destination to the Trusted URLs for External Redirects allowlist so Salesforce permits outbound redirects to it. You do this in Setup, one URL at a time.
- Open the Setup page
From Setup, type Trusted URLs for External Redirects in the Quick Find box, then select that page. It sits with the session and browser security controls.
- Start a new entry
Click New URL to create a single allowlist entry for one external destination your users are redirected to.
- Enter the destination
Type the external URL you want to trust, then save. The entry becomes a destination Salesforce will allow outbound redirects to reach.
- Choose the response for untrusted targets
Set whether Salesforce warns the user or blocks the redirect when a link points to a target that is not on the list. Salesforce recommends warning while you learn your traffic.
- Validate against real links
Click through your custom buttons, list links, and formula-field links to confirm trusted destinations work and untrusted ones get the response you chose.
The external destination you are approving for outbound redirects. Approve hosts you trust to land users, not just pass them onward.
Whether non-trusted targets trigger a user warning or a hard block. Warn is the gentler rollout; block is stricter.
- Salesforce verifies only the first hop out of the platform. It cannot check later redirects once the browser leaves Salesforce, so a trusted host that forwards onward is outside the allowlist's view.
- The per-user option to trust a URL at the warning prompt exists in Salesforce Classic, not Lightning Experience. In Lightning, admins must curate the list centrally.
- Long Text Area field links are protected only in Salesforce Classic. Lightning users following links in Long Text Area fields are not covered, so prefer URL fields for outbound links.
- Blocked redirects show in the Trusted URL and Browser Policy Violations list for only about seven days. Review it on a routine, or capture entries before they age out.