Timeline:
Salesforce has published a detailed timeline for its latest release, Spring ’23. The dates below are high-level start dates; project admins and leads must check the Salesforce Trust portal for the exact upgrade dates of their specific instances.
Enforced Updates:
These updates are scheduled to be enforced in Spring ’23:
- Apply User Access Permissions to Navigation Menus Retrieved by Apex in Experience Cloud Sites
  - Release Note: Apply User Access Permissions to Navigation Menus Retrieved by Apex in Experience Cloud Sites
  - First Available: Winter ’23
  - Notes/Actions:
    - Look for any query on the NavigationLinkSet or NavigationMenuItem objects and make changes if needed. This update ensures that only records from the Experience Cloud sites the user is a member of are returned.
    - No change is required if the menus are queried through the Connect API, which already enforces this check.
- Require Granular Flow Permissions for Experience Cloud Guest Users
  - Release Note: Require Granular Flow Permissions for Experience Cloud Guest Users
  - First Available: Summer ’22
  - Notes/Actions:
    - Salesforce is removing the “Run Flows” permission from the Guest User and Experience Cloud External User profiles. If your Experience Cloud sites use flows and you see access-related issues, update the sites to the new granular permission structure.
- MFA Auto-Enablement
  - Release Note: MFA To Be Auto-Enabled for Some Customers in Spring ’23
  - First Available: Winter ’23
  - Notes/Actions:
    - Use the Waive Multi-Factor Authentication for Exempt Users user permission to exclude non-UI logins such as:
      - Integration users
      - Pipeline users
      - Any RPA user
      - Logins used for automation, such as Selenium
    - Follow these change management guidelines for a successful MFA rollout: https://security.salesforce.com/mfa-change-management
    - If you use SSO, note that on its own a single sign-on (SSO) solution does not satisfy the MFA requirement. Make sure MFA is enforced through SSO for all your Salesforce users.
      - Talk to your SSO provider about using their MFA service.
      - You can also use Salesforce MFA in coordination with SSO. Follow this guide: https://help.salesforce.com/s/articleView?id=sf.mfa_sso_logins.htm&type=5
      - FAQ: https://security.salesforce.com/sso-and-mfa
- Enable Stronger Protection for Your Users’ Personal Information
  - Release Note: Enable Stronger Protection for Your Users’ Personal Information
  - First Available: Spring ’22
  - Notes/Actions:
    - Enable Enhanced Personal Information Management to prevent external users, such as portal or community users, from accessing other users’ personal information.
    - The set of protected fields is controlled through a field set on the User object.
    - Details: https://admin.salesforce.com/blog/2021/protect-user-pii-data-with-enhanced-personal-information-management
- Enable Content Sniffing Protection
  - Release Note: Enable Content Sniffing Protection
  - First Available: Winter ’23
  - Notes/Actions:
    - Once enabled, this adds the header “X-Content-Type-Options: nosniff” to all pages served by Salesforce. After enabling it, verify that the pages carry the header by inspecting the response headers in the Network tab of the browser’s developer tools.
- Upgrade SAML Single Sign-On Framework
  - Release Note: Upgrade SAML Single Sign-On Framework
  - First Available: Summer ’22
  - Notes/Actions:
    - Once this update is enabled, SAML-based SSO can be affected. Test both logins and logouts. The major impacts are:
      - Salesforce now uses saml2p and saml2 as the namespace prefixes in the XML SAML artifacts it generates, such as requests and responses. Make any changes needed to accommodate these prefixes.
      - The Identity Provider URL and the Assertion Consumer Service (ACS) URL are now encoded, as are the single logout endpoint and the RelayState parameter. Adjust integrations that parse these values accordingly.
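The prefix change above only breaks integrations that match on the prefix string instead of the namespace URI. The following is an added example, not Salesforce's code or the release note's, showing a brittle prefix-based lookup next to a namespace-aware parse that gives the same result for both prefix styles, plus RelayState decoding; the XML, IDs and URLs are constructed placeholders, and the assumption that the encoded values arrive as percent-encoded query parameters (HTTP-Redirect binding) is mine.

```python
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlparse

# SAML 2.0 namespace URIs. The prefix (samlp vs saml2p, saml vs saml2) is
# arbitrary; only the URI identifies the namespace, so code should match on it.
SAML_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_ASSERTION = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not real Salesforce traffic): one AuthnRequest rendered
# with the old prefixes and with the new saml2p/saml2 prefixes. IDs and URLs
# are placeholders.
REQUEST_TEMPLATE = """<{p}:AuthnRequest xmlns:{p}="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:{a}="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-1" Version="2.0"
  IssueInstant="2023-01-01T00:00:00Z"
  AssertionConsumerServiceURL="https://example.my.salesforce.com/?so=00DEXAMPLE">
  <{a}:Issuer>https://example.my.salesforce.com</{a}:Issuer>
</{p}:AuthnRequest>"""
OLD_PREFIX_REQUEST = REQUEST_TEMPLATE.format(p="samlp", a="saml")
NEW_PREFIX_REQUEST = REQUEST_TEMPLATE.format(p="saml2p", a="saml2")


def brittle_issuer(xml_text: str) -> Optional[str]:
    """Prefix-based lookup: breaks as soon as the sender renames the prefix."""
    start = xml_text.find("<saml:Issuer>")
    if start == -1:
        return None
    end = xml_text.find("</saml:Issuer>", start)
    return xml_text[start + len("<saml:Issuer>"):end]


def parse_authn_request(xml_text: str) -> dict:
    """Namespace-aware parse: identical output for either prefix style."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_PROTOCOL}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    issuer = root.find(f"{{{SAML_ASSERTION}}}Issuer")
    return {
        "id": root.get("ID"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "issuer": issuer.text if issuer is not None else None,
    }


def relay_state_from_redirect(url: str) -> Optional[str]:
    """HTTP-Redirect binding: RelayState arrives percent-encoded in the query
    string, so decode it with a URL parser rather than by string matching
    (assumption: this is how the encoded values in the release note arrive)."""
    return parse_qs(urlparse(url).query).get("RelayState", [None])[0]
```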
- Escape the Label Attribute of <apex:inputField> Elements to Prevent Cross-Site Scripting in Visualforce Pages
  - Release Note: Escape the Label Attribute of <apex:inputField> Elements to Prevent Cross-Site Scripting in Visualforce Pages
  - First Available: Winter ’23
  - Notes/Actions:
    - Once enabled, the label attribute of <apex:inputField> in Visualforce pages is escaped automatically.
    - If manual escaping is already in place, the result is double escaping, which can break the rendered labels.
    - Review the inputFields in your VF pages, check for manual escaping of the label attribute, and fix it where needed.
    - Details: https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_security_tips_scontrols.htm
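To make the double-escaping review concrete, here is an added example (not Salesforce's code) with a small audit helper that flags inputField labels already wrapped in a Visualforce encoding function, and a simulation of what the browser receives when manual encoding and the platform's automatic escaping stack; the Visualforce markup and custom label names are constructed, and using Python's html.escape as a stand-in for HTMLENCODE is my assumption.

```python
import html
import re

# Constructed Visualforce markup (not from a real org). The first inputField
# already HTMLENCODEs its label; the second leaves escaping to the platform.
VF_PAGE = """<apex:page standardController="Account">
  <apex:form>
    <apex:inputField value="{!Account.Name}" label="{!HTMLENCODE($Label.Acct_Name)}"/>
    <apex:inputField value="{!Account.Site}" label="{!$Label.Acct_Site}"/>
    <apex:inputField value="{!Account.Phone}"/>
  </apex:form>
</apex:page>"""

INPUTFIELD_RE = re.compile(r"<apex:inputField\b([^>]*)>", re.IGNORECASE)
LABEL_RE = re.compile(r'\blabel\s*=\s*"([^"]*)"', re.IGNORECASE)
# Visualforce HTML-encoding functions that, combined with the update, would
# escape the label a second time.
MANUAL_ENCODE_RE = re.compile(r"\b(HTMLENCODE|JSINHTMLENCODE)\s*\(", re.IGNORECASE)


def find_manually_escaped_labels(markup: str) -> list:
    """Return label expressions on apex:inputField that already apply an
    encoding function; these need review once the update is enabled."""
    hits = []
    for tag in INPUTFIELD_RE.finditer(markup):
        label = LABEL_RE.search(tag.group(1))
        if label and MANUAL_ENCODE_RE.search(label.group(1)):
            hits.append(label.group(1))
    return hits


def rendered_label(text: str, manual_escape: bool, update_enabled: bool) -> str:
    """Simulate the HTML the browser receives: optional manual HTMLENCODE in the
    page (modelled with html.escape), then the platform's automatic escaping
    once the update is on. Escaping twice turns '&amp;' into '&amp;amp;'."""
    out = html.escape(text, quote=True) if manual_escape else text
    return html.escape(out, quote=True) if update_enabled else out
```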
- Run Flows in User Context via REST API
  - Release Note: Run Flows in User Context via REST API
  - First Available: Spring ’22
  - Notes/Actions:
    - This affects autolaunched flows invoked through the REST API. Such flows used to run in system context; once the update is enabled, they run in the context of the calling user.
    - Check for any place where flows are executed via the REST API.
    - Adjust permissions if needed.