Definition
Trusted URLs for Redirects is a Setup page where administrators specify external URLs that Salesforce is allowed to redirect users to. This prevents open redirect vulnerabilities by ensuring that users can only be redirected to pre-approved domains from Salesforce pages and custom links.
Real-World Example
The admin at Velocity Partners adds "https://portal.velocitypartners.com" and "https://training.velocitypartners.com" to Trusted URLs for Redirects. Custom buttons on Salesforce records that redirect users to these external portals now work correctly, while any attempt to redirect to an unauthorized URL is blocked with a security warning.
Why Trusted URLs for Redirects Matters
Trusted URLs for Redirects is a Setup page that controls which external domains Salesforce is allowed to redirect users to from within the application. This feature exists to prevent open redirect vulnerabilities — a common web security flaw where an attacker crafts a malicious URL that leverages a legitimate site's redirect functionality to send users to phishing pages or malicious sites. By maintaining a whitelist of approved redirect destinations, administrators ensure that custom buttons, formula fields, Visualforce pages, and Apex redirects can only send users to pre-approved external domains.
As organizations build more integrations that require users to navigate between Salesforce and external portals, training platforms, or partner sites, the redirect whitelist needs careful management. Each approved domain represents a trust decision — you are telling Salesforce that it is safe to send your users there. Organizations that do not configure this list may find that custom redirect functionality is blocked by default, causing broken user workflows. Conversely, organizations that approve too many domains weaken their redirect security posture. The best approach is to approve only the specific domains your workflows require and review the list when external vendor relationships change.
How Organizations Use Trusted URLs for Redirects
- Velocity Partners Group — Velocity's admin adds portal.velocitypartners.com and training.velocitypartners.com to the redirect whitelist. Custom buttons on Account records that redirect users to the partner portal now work correctly, while an attempted phishing link disguised as a Salesforce redirect to a lookalike domain is blocked with a security warning.
- Beacon Health Systems — Beacon adds their patient portal domain to Trusted URLs for Redirects so that care coordinators can click a button on the Patient record in Salesforce and be redirected directly to the patient's portal profile. Before this configuration, the redirect was blocked and coordinators had to manually copy-paste the URL, adding 30 seconds to each patient interaction.
- TrueNorth Financial — TrueNorth's security team removes a former vendor's domain from Trusted URLs for Redirects after terminating their contract. This ensures that any remaining custom links or buttons that referenced the vendor's portal now display a security warning instead of redirecting users to a domain the company no longer controls.
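The lookalike-domain case and the vendor-removal review described above can be checked offline with a small audit script. This is an added example, not Salesforce's code or its matching logic: it assumes exact scheme, host and port matching, and the link names, the `login.example` and `formervendor.example` hosts, and the `origin`, `is_trusted` and `audit` helpers are all hypothetical.

```python
from urllib.parse import urlsplit

# Constructed allowlist, taken from the Velocity Partners example on this page.
TRUSTED = [
    "https://portal.velocitypartners.com",
    "https://training.velocitypartners.com",
]

# Constructed inventory of custom link/button targets (names are hypothetical).
LINKS = {
    "Partner_Portal": "https://portal.velocitypartners.com/accounts/001",
    "Training": "https://TRAINING.velocitypartners.com:443/courses",
    "Lookalike_Suffix": "https://portal.velocitypartners.com.login.example/",
    "Userinfo_Prefix": "https://portal.velocitypartners.com@login.example/",
    "Scheme_Relative": "//portal.velocitypartners.com/accounts",
    "Former_Vendor": "https://portal.formervendor.example/sso",
}

def origin(url):
    """Return (scheme, host, port) of an absolute http(s) URL, else None."""
    # Backslashes and whitespace are parsed differently by different clients,
    # so treat any URL containing them as unusable instead of guessing.
    if any(ch in url for ch in "\\ \t\r\n"):
        return None
    try:
        parts = urlsplit(url)
        scheme, host, port = parts.scheme, parts.hostname, parts.port
    except ValueError:  # malformed port or IPv6 literal
        return None
    if scheme not in ("http", "https") or not host:
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, host.rstrip("."), port)

def is_trusted(target, trusted=TRUSTED):
    """Exact origin match: no substring, prefix or suffix comparison."""
    t = origin(target)
    return t is not None and t in {origin(u) for u in trusted}

def audit(links, trusted=TRUSTED):
    """Names of links whose target is not covered by the trusted list."""
    return sorted(n for n, url in links.items() if not is_trusted(url, trusted))

if __name__ == "__main__":
    for name in audit(LINKS):
        print("not covered:", name, LINKS[name])
```

Running the audit against the list before and after a vendor's entry is removed shows which remaining links would stop redirecting.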