File Upload and Download Security
File Upload and Download Security is a Setup page where administrators control which file types users can upload to Salesforce and how files are downloaded and rendered in the browser.
Definition
File Upload and Download Security is a Setup page where administrators control which file types users can upload to Salesforce and how files are downloaded and rendered in the browser. It helps prevent malicious files from being uploaded and ensures secure handling of downloads.
In plain English
“Here's a simple way to think about it: File Upload and Download Security is the policy layer between users and malicious files. What types can be uploaded, how downloads render in browsers, which extensions are allowed - the toggles that prevent attacker-controlled files from reaching your users.”
Worked example
The security admin at FinServe Bank configures File Upload and Download Security to block executable file types (.exe, .bat, .cmd) from being uploaded. She also enables the setting to download files with the "Content-Disposition: attachment" header, forcing all files to download rather than render in the browser, preventing potential XSS attacks from HTML files.
Why File Upload and Download Security is the policy layer between users and malicious files
Every record in Salesforce can hold an attached file, which means every record is a potential vector for a malicious upload. File Upload and Download Security is the Setup page that controls what types of files users can upload and how downloads are rendered to the browser. The most important toggles disable executable file types and force certain MIME types to download as files (rather than render inline as HTML), preventing browser-side execution of attacker-controlled content.
The reason these defaults matter is that the platform doesn't enforce them automatically - out of the box, more file types are allowed than most orgs want. Tighten this page during the org's initial security baseline review, align the allowed types with what users actually need (mostly Office documents, PDFs, and images), and treat any request to widen the allowlist as a security review, not a configuration change.
How to set up File Upload and Download Security
File Upload and Download Security restricts what file types users can upload to Salesforce and how the browser handles them on download. The default is permissive; tightening is recommended for security-sensitive orgs (finance, healthcare, government).
- Open Setup → File Upload and Download Security
Setup gear → Quick Find: File Upload and Download Security → File Upload and Download Security.
- Tick Don't allow HTML uploads as attachments or document records
Recommended ON. HTML files can carry XSS payloads — blocking uploads removes the attack vector.
- Configure per-MIME-type behavior
For each MIME type: Hybrid (open in browser if safe, download otherwise) / Execute in Browser (always open inline — risky) / Download (always force download) / Don't allow (block uploads).
- Set defaults for unrecognized MIME types
Default behavior for files Salesforce can't classify. Download is the safest default.
- Save
Settings take effect immediately for new uploads. Existing files retain their previous MIME-type association.
- Don't allow HTML uploads as attachments or document records: Strongly recommended ON. Blocks .html / .htm uploads, which can carry XSS.
- Hybrid: Browser opens the file in place if it is a recognized safe type (PDF, image); downloads otherwise.
- Execute in Browser: Always opens inline. Risky for HTML-like content; safe for images.
- Download: Always forces download. No inline preview.
- Don't allow: Blocks uploads entirely for this MIME type.
- Restricting too tightly blocks legitimate uploads. Test with real user workflows before going strict — agents may be uploading customer-supplied files in many formats.
- HTML uploads are a real risk. Many breaches start with an attacker uploading an HTML file that runs JavaScript when a user opens it. Always block HTML upload.
- MIME type detection isn't foolproof. Attackers can rename .html to .txt and the file still executes if opened in a context that interprets it. Don't rely on MIME blocking alone — combine with content scanning.
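To make the per-MIME-type behaviors and the "combine with content scanning" caveat concrete, here is an added illustrative model of such a policy in Python. It is not Salesforce's implementation; the policy table, the safe-inline set, the blocked extensions and the HTML markers are constructed for the example.

```python
from typing import Tuple

# Behaviours mirroring the options on the Setup page (the constant names are mine).
HYBRID, EXECUTE_IN_BROWSER, DOWNLOAD, DONT_ALLOW = "hybrid", "execute_in_browser", "download", "dont_allow"

# Constructed policy table: declared MIME type -> behaviour. Not any real org's configuration.
POLICY = {
    "text/html": DONT_ALLOW,                 # "Don't allow HTML uploads" ticked
    "application/x-msdownload": DONT_ALLOW,  # .exe content
    "application/pdf": HYBRID,
    "image/png": HYBRID,
    "image/jpeg": HYBRID,
    "text/plain": DOWNLOAD,
}
DEFAULT_BEHAVIOUR = DOWNLOAD                 # safest default for unrecognised types
SAFE_INLINE = {"application/pdf", "image/png", "image/jpeg"}  # what Hybrid may render in place
BLOCKED_EXTENSIONS = {".exe", ".bat", ".cmd", ".html", ".htm"}
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<iframe")


def looks_like_html(data: bytes) -> bool:
    """Cheap content check: does the body carry browser-interpretable markup,
    regardless of what the extension or declared MIME type claims?"""
    head = data[:4096].lower()
    return any(marker in head for marker in HTML_MARKERS)


def upload_decision(filename: str, declared_mime: str, data: bytes) -> Tuple[str, str]:
    """Return ("accept", behaviour) or ("reject", reason) for one upload attempt."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "reject", f"extension {ext} is blocked"
    behaviour = POLICY.get(declared_mime, DEFAULT_BEHAVIOUR)
    if behaviour == DONT_ALLOW:
        return "reject", f"MIME type {declared_mime} is not allowed"
    # Content scanning: a renamed .html declared as text/plain is still HTML.
    if looks_like_html(data):
        return "reject", "body contains HTML markup despite declared type"
    return "accept", behaviour


def content_disposition(filename: str, declared_mime: str, behaviour: str) -> str:
    """Header value a download endpoint should emit for a stored file."""
    # Strip characters that could break the header or inject a second one.
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    if behaviour == EXECUTE_IN_BROWSER or (behaviour == HYBRID and declared_mime in SAFE_INLINE):
        return f'inline; filename="{safe_name}"'
    return f'attachment; filename="{safe_name}"'  # Download, or Hybrid on a non-safe type
```

Run `upload_decision("payload.txt", "text/plain", b"<html><script>alert(1)</script>")` to see the renamed-HTML case from the caveat above rejected by the content check even though the declared type alone would have been accepted.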
How organizations use File Upload and Download Security
- Restricted executable file types after a phishing attempt with embedded scripts; users no longer have the option to upload risky formats.
- Compliance team set forced-download rules for HTML; browsers no longer render attacker-controllable HTML as live pages.
- Initial security baseline tightened the allowlist to Office documents, PDFs, and images; allowlist-widening requests now require security review.
Test your knowledge
Q1. What is the primary benefit of File Upload and Download Security for Salesforce administrators?
Q2. Why is understanding File Upload and Download Security important for Salesforce admins?
Q3. In which area of Salesforce would you typically find File Upload and Download Security?