File Upload and Download Security
File Upload and Download Security is the Salesforce Setup page that controls how the platform handles file content when users upload to or download from Files, Attachments, and Documents.
Definition
In Salesforce Setup, File Upload and Download Security controls how the platform handles file content when users upload to or download from Files, Attachments, and Documents. The settings determine whether the browser is told to display the file inline or download it as an attachment based on MIME type, with separate handling for trusted and untrusted file types. The page exists primarily as a defense against the most dangerous file-based attack: cross-site scripting through HTML, SVG, or other browser-executable file types served from the Salesforce domain.
The default settings strike a balance between usability and security. Common file types (PDF, JPG, PNG, DOCX) display inline, which is what most users expect. Higher-risk types (HTML, SVG, JS) default to forced download, meaning the browser saves them as a file rather than rendering them in the browser's security context. Administrators can override these defaults per file type, but every relaxation increases the attack surface, so any change to defaults should be reviewed carefully.
How File Upload and Download Security works
Why this setting matters for XSS
Files served from a Salesforce domain inherit Salesforce session cookies. If an attacker uploads an HTML or SVG file with embedded JavaScript and the browser renders it inline, the script runs with the user's full Salesforce session. The attacker can read records, change permissions, or exfiltrate data. Forcing browser-executable file types to download instead of display kills this attack vector by ensuring the script never runs in the Salesforce origin.
The three security levels per file type
Each MIME type can be set to one of three security behaviors. Hybrid (default for most): the platform decides based on the file type's risk profile, typically defaulting to inline display for safe types and download for risky ones. Execute in Browser: force inline display even for risky types (rarely the right choice). Download: always force the browser to download rather than display. The right answer depends on the workflow; defaults are safe for most orgs.
Common file types and their defaults
PDF, DOCX, XLSX, JPG, PNG, GIF: default to Hybrid (inline display). HTML, HTM, MHT: default to Download (security risk). SVG: default to Download since the format can contain script. CSV: default to Download to avoid triggering Excel macro behavior in browser-served previews. ZIP, EXE: always Download regardless of setting. The defaults reflect a decade of security learnings; deviations should have specific business justification.
Content-Disposition header behavior
Behind the setting, Salesforce sends a Content-Disposition: attachment header for downloads and Content-Disposition: inline for inline display. Some browsers and security gateways override these headers, so the user experience can vary slightly across environments. Test the resulting behavior in your target browsers; corporate-managed browsers especially may apply additional restrictions on top of the Salesforce settings.
Custom domain and content delivery network
Salesforce serves file downloads from a content delivery domain (content.force.com or salesforce.com/content depending on org config) rather than the main Salesforce domain. This isolation means a malicious file rendered inline only sees cookies for the content domain, not the main Salesforce session. The setting works alongside this domain separation; understanding both is needed for a complete security model.
Auditing existing uploads
Existing files predating the current security settings remain in the org. An HTML file uploaded years ago is still HTML; the current security setting affects how it serves, but the file content is unchanged. Audit ContentVersion records by MIME type to find legacy risk files: SELECT COUNT(Id) FROM ContentVersion WHERE FileType IN ('HTML', 'SVG', 'MHT') (FileType values are string literals and must be quoted). Review whether any should be deleted or quarantined.
The Force Download for All Files option
The most restrictive option forces all files to download, regardless of MIME type. This is sometimes used in highly regulated industries where any inline rendering is unacceptable. The trade-off is user experience: every PDF, JPG, and DOCX is downloaded instead of previewed in the browser. Pilot this option with a representative user group before rolling out; the friction is substantial and may push users to alternative file-sharing tools that bypass Salesforce entirely.
Review and adjust file security settings
Most orgs leave File Upload and Download Security at defaults. The steps below cover the audit and adjustment workflow for orgs that need to review or tighten the configuration.
- Open the security settings
Setup > Security > File Upload and Download Security. The page lists each MIME type with its current security behavior.
- Review the current state
Confirm that HTML, SVG, MHT, and similar high-risk types are set to Download. If any are set to Execute in Browser, document the business reason; this is the riskiest setting.
- Audit existing uploaded files
Query ContentVersion grouped by FileType. Identify counts of HTML, SVG, and other browser-executable types. Decide retention or removal for each cluster.
- Test with a representative file
Upload a sample HTML file to a sandbox. Confirm it downloads rather than displays. Test in the corporate browser to ensure no override allows inline rendering.
- Adjust per type if needed
For each MIME type requiring a change, click Edit, select the new behavior, save. Document the change in the security change log.
- Test in production after change
Upload and access a file of each adjusted type. Confirm the new behavior matches the configuration.
- Document and schedule audits
Add a quarterly review to the security calendar. File uploads accumulate over time, and new file types may emerge that warrant configuration.
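As an added example (not code from the original page or from Salesforce), the following Python covers the audit step and the two test steps above: flag_legacy_types summarises an aggregate ContentVersion query by FileType, and check_delivery classifies the response headers captured from a sandbox file download as a finding when a browser-executable MIME type is served inline. The query rows and response headers are constructed samples, and the function names and the risky-type lists are this example's own assumptions.

```python
import re

# SOQL for the audit step (FileType values are upper-case strings such as 'HTML').
AUDIT_SOQL = ("SELECT FileType, COUNT(Id) cnt FROM ContentVersion "
              "WHERE IsLatest = true GROUP BY FileType")
# File types the page treats as browser-executable when rendered inline (assumed list).
RISKY_FILE_TYPES = {"HTML", "HTM", "MHT", "SVG", "JS"}
# MIME types a browser executes as markup or script when served inline (assumed list).
RISKY_MIME_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                    "multipart/related", "text/javascript", "application/javascript"}

def flag_legacy_types(records):
    """Given rows from AUDIT_SOQL (as the REST API returns them), return
    {FileType: count} for browser-executable types still stored in the org."""
    return {r["FileType"]: r["cnt"] for r in records
            if r["FileType"].upper() in RISKY_FILE_TYPES and r["cnt"] > 0}

def _header(headers, name):
    # Header names are case-insensitive; return "" when absent.
    return next((v for k, v in headers.items() if k.lower() == name), "")

_DISPOSITION_RE = re.compile(r"^\s*(inline|attachment)\s*(?:;|$)", re.I)

def check_delivery(headers):
    """Classify one file-download response as ("ok"|"finding", reason).
    A missing or unparseable Content-Disposition counts as inline, which
    is how browsers treat it."""
    mime = _header(headers, "content-type").split(";", 1)[0].strip().lower()
    match = _DISPOSITION_RE.match(_header(headers, "content-disposition"))
    disp = match.group(1).lower() if match else "inline"
    if mime in RISKY_MIME_TYPES and disp != "attachment":
        return "finding", f"{mime} served {disp}; expected Download"
    return "ok", f"{mime} served {disp}"

# Constructed samples standing in for a real query result and sandbox responses.
SAMPLE_ROWS = [{"FileType": "PDF", "cnt": 1200}, {"FileType": "HTML", "cnt": 7},
               {"FileType": "SVG", "cnt": 0}, {"FileType": "MHT", "cnt": 2}]
SAMPLE_RESPONSES = {
    "html_ok": {"Content-Type": "text/html; charset=UTF-8",
                "Content-Disposition": 'attachment; filename="report.html"'},
    "svg_bad": {"Content-Type": "image/svg+xml",
                "Content-Disposition": 'inline; filename="logo.svg"'},
    "svg_missing": {"Content-Type": "image/svg+xml"},
    "pdf_inline": {"Content-Type": "application/pdf", "Content-Disposition": "inline"},
}

if __name__ == "__main__":
    print(flag_legacy_types(SAMPLE_ROWS))
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, *check_delivery(hdrs))
```

To use it against a real org, feed the rows returned for AUDIT_SOQL to flag_legacy_types and the headers of a file download fetched with a sandbox session to check_delivery.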
Setting options
- Hybrid: Platform decides based on type risk. Default for most types.
- Execute in Browser: Force inline display. Highest risk; reserved for trusted controlled-content types.
- Download: Force browser to download rather than display. Safest option for browser-executable types.
- Force Download for All Files: Apply Download behavior to every type. High security, high friction.
- Per-file-type settings: Configure each MIME type individually. The standard granularity for most orgs.
- Setting HTML or SVG to Execute in Browser opens an XSS attack vector. A malicious upload runs script in the user session; this setting should rarely if ever be relaxed.
- Existing files are not affected by setting changes. A historical HTML file uploaded under old settings still has that MIME type; only the delivery behavior changes.
- Corporate browsers and gateways can override Content-Disposition headers. Test target environments to confirm the configured behavior actually applies.
- Force Download for All Files produces severe friction. Users frustrated by lost previews may move file sharing to OneDrive, Google Drive, or other tools outside Salesforce control.
- The setting affects delivery, not upload. Files of any MIME type can be uploaded regardless of these settings; if you need to block uploads, use Files Connect restrictions or a custom Apex trigger.
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Test your knowledge
Q1. What is the primary benefit of File Upload and Download Security for Salesforce administrators?
Q2. Why is understanding File Upload and Download Security important for Salesforce admins?
Q3. In which area of Salesforce would you typically find File Upload and Download Security?