Trusted URLs for Redirects
Definition
Trusted URLs for Redirects is a Setup page where administrators specify external URLs that Salesforce is allowed to redirect users to. This prevents open redirect vulnerabilities by ensuring that users can only be redirected to pre-approved domains from Salesforce pages and custom links.
In plain English
“Here's a simple way to think about it: Trusted URLs for Redirects closes one of the oldest web vulnerabilities. An open redirect, where a URL parameter bounces victims to a malicious site, is prevented because the platform refuses redirects outside this allowlist.”
Worked example
The admin at Velocity Partners adds "https://portal.velocitypartners.com" and "https://training.velocitypartners.com" to Trusted URLs for Redirects. Custom buttons on Salesforce records that redirect users to these external portals now work correctly, while any attempt to redirect to an unauthorized URL is blocked with a security warning.
Why Trusted URLs for Redirects closes one of the oldest web vulnerabilities
Open redirect is a class of vulnerability where an attacker uses a parameter on a legitimate URL to bounce victims to a malicious site: phishing emails carry links that look like they point to your domain, and clicking them sends victims to attacker-controlled pages. Trusted URLs for Redirects is the configuration that prevents this in Salesforce. Define the domains you're willing to redirect to, and the platform refuses any redirect outside that list.
The reason it's a specific page rather than a default is that valid use cases for off-platform redirects exist (payment providers, support portals, integration vendors), and the list of legitimate destinations needs to be deliberate. Configure it as part of your security baseline review, document each entry's purpose, and audit on the same cadence as Trusted URLs. The cost of getting this right is small; the cost of an open-redirect finding is significant.
How to set up Trusted URLs for Redirects
Trusted URLs for Redirects controls which external URLs Salesforce will redirect to after login or other workflows. Restricting redirects prevents open-redirect vulnerabilities — attackers crafting Salesforce URLs that bounce victims to malicious sites.
- Open Setup → Trusted URLs for Redirects: Setup gear → Quick Find: Trusted URLs → Trusted URLs for Redirects.
- Click New Trusted URL (top-right).
- Set the URL pattern: https://yourcompany.com or https://*.yourcompany.com (subdomain wildcard).
- Set Description: where this URL is used ("marketing site," "customer portal").
- Save: Salesforce will allow redirects to URLs matching this pattern. Other URLs are blocked / warned.
Specific URL or subdomain wildcard.
Inactive entries are stored but not enforced.
- Without Trusted URLs for Redirects, Salesforce's redirect protection may block legitimate redirects to your own marketing / customer sites — add them upfront.
- Subdomain wildcards (*.yourcompany.com) match all subdomains. Specific URLs are stricter but require updating when sites change.
- Open-redirect attacks work even with the protection enabled if attackers find a non-checked redirect path. Treat this as defense-in-depth, not absolute protection.
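A small model of how a specific entry and a subdomain wildcard differ when a redirect target is checked, as an added example rather than Salesforce's own matching logic. The function names, the https-only rule, the port comparison and the choice that `*.` does not match the bare domain are assumptions made for illustration; the allowlist is constructed from the patterns shown on this page.

```python
from urllib.parse import urlsplit

# Constructed allowlist using the two pattern forms this page describes.
ALLOWLIST = [
    "https://portal.velocitypartners.com",  # specific URL
    "https://*.yourcompany.com",            # subdomain wildcard
]

def origin(url):
    """Return (scheme, host, port) for an https URL, or None if unusable."""
    # Reject backslashes, spaces and control characters: browsers and this
    # parser can disagree about where the host ends in such input.
    if any(c == "\\" or ord(c) <= 0x20 for c in url):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.scheme, parts.hostname.rstrip("."), port

def host_matches(host, pattern_host):
    """Exact host match, or label-boundary suffix match for '*.' patterns."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]  # keeps the leading dot: ".yourcompany.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern_host

def is_trusted(target, allowlist=ALLOWLIST):
    """True when target's scheme, host and port match an allowlist entry."""
    t = origin(target)
    if t is None:
        return False
    for entry in allowlist:
        e = origin(entry)
        if e and t[0] == e[0] and t[2] == e[2] and host_matches(t[1], e[1]):
            return True
    return False
```

The comparison is made on the parsed hostname, never on the raw string, so a trusted name appearing as a prefix, a userinfo component or a partial label does not satisfy an entry.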
How organizations use Trusted URLs for Redirects
Configured during initial security baseline; payment provider redirects work, attacker-controlled redirects don't.
Compliance requires explicit redirect allowlist; the page provides the audit trail.
Trust & references
Straight from the source - Salesforce's reference material on Trusted URLs for Redirects.
- Specify Trusted URLs for Redirections (Salesforce Help)
Test your knowledge
Q1. What is the primary benefit of Trusted URLs for Redirects for Salesforce administrators?
Q2. In which area of Salesforce would you typically find Trusted URLs for Redirects?
Q3. Can a Salesforce admin configure Trusted URLs for Redirects without writing code?