Trusted URLs for Redirects controls which external URLs Salesforce will redirect to after login or other workflows. Restricting redirects prevents open-redirect vulnerabilities — attackers crafting Salesforce URLs that bounce victims to malicious sites.
- Open Setup → Trusted URLs for Redirects
  Setup gear → Quick Find: Trusted URLs → Trusted URLs for Redirects.
- Click New Trusted URL
  Top-right.
- Set the URL pattern
  https://yourcompany.com, or https://*.yourcompany.com for a subdomain wildcard.
- Set Description
  Where this URL is used ("marketing site," "customer portal").
- Save
Salesforce will allow redirects to URLs matching this pattern. Redirects to other URLs are blocked or shown with a warning.
Specific URL or subdomain wildcard.
Inactive entries are stored but not enforced.
- Without Trusted URLs for Redirects, Salesforce's redirect protection may block legitimate redirects to your own marketing / customer sites — add them upfront.
- Subdomain wildcards (*.yourcompany.com) match all subdomains. Specific URLs are stricter but require updating when sites change.
- Open-redirect attacks still work with the protection enabled if attackers find a redirect path that is not checked. Treat this as defense-in-depth, not absolute protection.
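For redirect paths in your own code that this setting does not check, the same allowlist can be applied before redirecting. The following is an added example, not Salesforce's implementation or code from this page; the pattern list, the function names and the matching semantics (a wildcard matches subdomains at any depth but not the bare domain) are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist mirroring the example patterns used on this page.
TRUSTED_PATTERNS = [
    "https://yourcompany.com",
    "https://*.yourcompany.com",
]


def _split_pattern(pattern):
    """Return (scheme, host, is_wildcard) for one allowlist entry."""
    scheme, _, host = pattern.partition("://")
    host = host.split("/", 1)[0].lower()
    if host.startswith("*."):
        return scheme.lower(), host[2:], True
    return scheme.lower(), host, False


def is_trusted_redirect(target, patterns=TRUSTED_PATTERNS):
    """True only if target is an absolute URL whose scheme and host match an entry."""
    # Backslashes, spaces and control characters are parsed inconsistently by clients.
    if "\\" in target or any(ord(c) < 0x21 for c in target):
        return False
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False
    # Reject relative URLs and userinfo ("user@host"), which can disguise the real host.
    if not host or "@" in parts.netloc:
        return False
    for pattern in patterns:
        scheme, base, wildcard = _split_pattern(pattern)
        if parts.scheme.lower() != scheme:
            continue
        if wildcard:
            # Assumption: "*.base" matches subdomains at any depth, not the bare domain.
            # The leading dot forces a label boundary, so lookalike hosts do not match.
            if host.endswith("." + base):
                return True
        elif host == base:
            return True
    return False
```

Comparing the parsed host rather than testing the raw string with a prefix or substring match is what keeps lookalike hosts out of the allowlist.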