
Trusted URLs


§ 01

Definition

Trusted URLs is a Setup page where administrators add external URLs to the Content Security Policy (CSP) allowlist, permitting Salesforce Lightning pages to load scripts, styles, images, and frames from those domains. Without an allowlist entry, browsers block external content for security reasons.

§ 02

In plain English

👋 Study buddy

Here's a simple way to think about it: Trusted URLs is the allowlist that decides what your Lightning pages can talk to. Google fonts, Vimeo videos, your analytics platform - each external URL needs an entry, with directive-specific scoping.

§ 03

Worked example

scenario · real-world use

The admin at Apex Dynamics adds "https://cdn.chartlibrary.com" and "https://maps.googleapis.com" to Trusted URLs so that a custom Lightning component can load an external charting library and Google Maps embed. Before adding these entries, the browser's CSP blocked both resources and the component displayed error messages.

§ 04

Why Trusted URLs is the allowlist that decides what your Lightning pages can talk to

A Lightning page that loads a Google font, embeds a video from Vimeo, or includes a script from your own analytics platform - each of those needs the external URL in the Trusted URLs allowlist. Without an entry, the browser blocks the resource as a CSP violation, and the page renders with a missing piece. Trusted URLs is the Setup page where those entries get added, with directive-specific scoping (this URL is OK for scripts but not for frames, etc.).

The reason this page deserves discipline is that the easy mistake is to widen the allowlist permissively whenever something breaks. Each entry expands the attack surface; a too-broad URL can let an attacker load malicious content from a domain you didn't audit. Keep entries narrow (specific subdomains, specific paths where possible), pair every addition with a clear reason, and review the list whenever the third-party services in use change.

§ 05

How to set up Trusted URLs

Trusted URLs (CSP Trusted Sites) is the allowlist of external domains that Lightning components, Visualforce pages, and other client-side Salesforce code can talk to. Browsers enforce Content Security Policy — without a trusted URL entry, fetch / XHR to that domain fails.

  1. Open Setup → Trusted URLs

    Setup gear → Quick Find: Trusted URLs → Trusted URLs.

  2. Click New Trusted URL

    Top-right.

  3. Set Trusted Site Name and URL

    Name: descriptive ("Stripe API"). URL: the base URL (https://api.stripe.com).

  4. Pick CSP Directives

    Tick Allow Site to Load in Frame / Allow Site for img-src / connect-src / etc. Each toggles a CSP directive.

  5. Tick Active

    Inactive entries don't allow traffic.

  6. Save

    Browsers respecting Salesforce's CSP now allow connections to this URL from Lightning / Visualforce.

Key options
URL

https://example.com/path. Subdomain wildcards via leading dot.

CSP Directives

img-src / connect-src / frame-src / font-src / etc. Pick what your code actually does.

Active

Inactive = entry is there but not enforced.

Gotchas
  • Browsers enforce CSP at runtime. A trusted URL entry tells Salesforce's CSP header to allow the URL — without it, fetch / XHR fails with a CSP violation in the console.
  • Wildcards have a specific syntax: a leading dot for subdomain wildcards (.example.com). Arbitrary regex is not supported.
  • Each CSP directive is independent. "Allow Site for connect-src" doesn't allow img-src. Tick every directive your code uses, or you'll hit partial failures.
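
The review this page recommends (narrow entries, a recorded reason for each, only the directives in use) can be scripted against an export of the list. This is an added example, not Salesforce's or this site's code; the entry shape, the finding codes and the `MAX_DIRECTIVES` threshold are assumptions, and the sample entries are constructed.

```javascript
// Added example: audit a Trusted URLs export for entries that are broader than needed.
// The entry shape (name, url, active, directives, reason) is hypothetical, not a Salesforce schema.
const MAX_DIRECTIVES = 2; // assumed review threshold; tune per org

// Constructed sample data, not taken from a real org.
const ENTRIES = [
  { name: 'Chart CDN', url: 'https://cdn.chartlibrary.com', active: true,
    directives: ['connect-src'], reason: 'Charting component data' },
  { name: 'Legacy images', url: 'http://images.example.com', active: true,
    directives: ['img-src'], reason: 'Product images' },
  { name: 'Catch-all', url: 'https://.example.com', active: true,
    directives: ['img-src', 'connect-src', 'frame-src', 'font-src'], reason: '' },
  { name: 'Old maps', url: 'https://maps.googleapis.com', active: false,
    directives: ['frame-src'], reason: 'Maps embed' },
];

// Returns a list of finding codes for one entry (empty list = nothing to review).
function auditEntry(entry) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#]+)(?::\d+)?(?:\/[^?#]*)?$/i
    .exec(String(entry.url).trim());
  if (!m) return ['unparseable-url'];
  const [, scheme, host] = m;
  const findings = [];
  if (scheme.toLowerCase() !== 'https') findings.push('insecure-scheme');
  // Leading dot is the wildcard form this page describes; '*' is also treated as one (assumption).
  if (host.startsWith('.') || host.includes('*')) findings.push('wildcard-host');
  const directives = entry.directives || [];
  if (directives.length === 0) findings.push('no-directive');
  if (directives.length > MAX_DIRECTIVES) findings.push('broad-directives');
  if (!entry.reason || !entry.reason.trim()) findings.push('no-reason');
  if (!entry.active) findings.push('inactive'); // not enforced, so a candidate for cleanup
  return findings;
}

// Returns only the entries that need review, most findings first.
function auditAllowlist(entries) {
  return entries
    .map((e) => ({ name: e.name, url: e.url, findings: auditEntry(e) }))
    .filter((r) => r.findings.length > 0)
    .sort((a, b) => b.findings.length - a.findings.length);
}

console.log(JSON.stringify(auditAllowlist(ENTRIES), null, 2));
```
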
§ 06

How organizations use Trusted URLs

Northwind Trading

Audit narrowed wildcard entries to specific subdomains; security posture improved without breaking integrations.

BlueRiver Health

New entries reviewed by security team before adding; allowlist-widening became a security review, not a configuration shortcut.

§

Trust & references

Official documentation

Straight from the source - Salesforce's reference material on Trusted URLs.

§

🧠 Test your knowledge

Q1. What is the primary benefit of Trusted URLs for Salesforce administrators?

Q2. Why is understanding Trusted URLs important for Salesforce admins?

Q3. Can a Salesforce admin configure Trusted URLs without writing code?
