Clickjack Protection in Salesforce: Why Your iFrame Won’t Load

By | September 2, 2025

Embedding web pages inside an iframe is a common technique used to display dashboards, third-party applications, or custom content within Salesforce. While this approach enhances user experience by bringing everything together on a single screen, many developers and admins often face a frustrating issue: the iframe content doesn’t load.

In most cases, this happens because of Salesforce’s built-in clickjack protection, a vital security mechanism that prevents malicious attacks.

This blog explains what clickjacking is, how Salesforce defends against it, why your iframe may fail to load, and how you can configure your org to safely allow iframes when required.

What is Clickjacking?

Clickjacking is a cyberattack where users are tricked into clicking on hidden or misleading elements overlaid on a webpage. Attackers typically use transparent iframes or disguised layers to trick users into performing harmful actions such as:

  • Modifying account settings
  • Authorizing unintended financial transactions
  • Revealing sensitive data

How Salesforce Protects Against Clickjacking

Salesforce implements multiple layers of protection to mitigate clickjacking risks:

  • UI Clickjack Protection – Prevents Salesforce pages from being embedded in iframes on unauthorized sites.
  • API Clickjack Protection – Blocks API requests originating from untrusted iframe sources.
  • Frame-Ancestor Controls – Salesforce sets Content Security Policy (CSP) headers to restrict which domains are allowed to embed Salesforce pages.

By default, Salesforce only permits its own domains to frame Salesforce content.

Why Your iFrame Doesn’t Load in Salesforce

If you are embedding an external page inside a Visualforce page or Lightning component using an iframe and it fails to load, the reasons could include:

  1. The target site blocks framing – Many websites use X-Frame-Options: DENY or SAMEORIGIN, preventing their pages from being embedded.
  2. Salesforce clickjack settings – Your Salesforce org may be blocking the content due to CSP restrictions or unapproved domains.
  3. Mixed content issues – Browsers block insecure HTTP content from loading inside secure HTTPS Salesforce pages.
Iframe Load Failure
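
The three failure causes listed above can be checked from the framed page's response headers. The following is an added example, not code from the original post or from Salesforce: diagnoseFraming and sourceMatches are hypothetical helper names, and the origins and header values are constructed samples. It models a single direct parent frame.

```javascript
// Added example: models the browser checks for ONE direct parent frame.
// Real frame-ancestors enforcement walks every ancestor frame.
function sourceMatches(source, embedder, target) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src === "'self'") return embedder.origin === target.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.protocol === src; // scheme source
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // No scheme in the source: use the framed page's scheme (http may upgrade to https).
  const want = scheme ? scheme + ':' : target.protocol;
  if (embedder.protocol !== want && !(want === 'http:' && embedder.protocol === 'https:')) return false;
  // No port in the source means the default port for the scheme.
  const def = embedder.protocol === 'https:' ? '443' : '80';
  if (port !== '*' && (port || def) !== (embedder.port || def)) return false;
  return wildcard ? embedder.hostname.endsWith('.' + host) : embedder.hostname === host;
}

function diagnoseFraming(embedderOrigin, targetUrl, headers) {
  const embedder = new URL(embedderOrigin);
  const target = new URL(targetUrl);
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const reasons = [];
  // Mixed content: an HTTPS page may not frame an HTTP document.
  if (embedder.protocol === 'https:' && target.protocol === 'http:') reasons.push('mixed-content');
  const directive = (h['content-security-policy'] || '')
    .split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    if (!directive.slice(1).some(s => sourceMatches(s, embedder, target))) reasons.push('csp-frame-ancestors');
  } else if (h['x-frame-options']) {
    const xfo = h['x-frame-options'].trim().toUpperCase();
    if (xfo === 'DENY') reasons.push('x-frame-options-deny');
    else if (xfo === 'SAMEORIGIN' && embedder.origin !== target.origin) reasons.push('x-frame-options-sameorigin');
  }
  return reasons;
}

// Constructed sample: a Salesforce-hosted parent framing an external dashboard.
console.log(diagnoseFraming('https://acme.my.salesforce.com', 'https://dash.example.com/',
  { 'X-Frame-Options': 'SAMEORIGIN' }));
```

An empty result means none of the three causes applies to that parent and target pair; the headers can be taken from the browser's network tab for the framed URL.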

How to fix iFrame Loading Issues in Salesforce

  1. Review Clickjack Protection Settings

Navigate to:
Setup → Session Settings → Clickjack Protection

Here you’ll find options as shown in the image below to configure iframe protection:

Enable Clickjack Protection

Note:

Disabling clickjack protection can expose your org to security risks — proceed with caution.
  2. Whitelist Trusted Domains

Salesforce allows you to whitelist trusted domains to embed Salesforce pages in iframes or allow your Visualforce pages to embed external content.

  • Navigate to Setup → CSP Trusted Sites
  • Add the external domains you want to enable for iframe use
Add Trusted URL
  3. Use Lightning Web Components (Preferred)

Instead of embedding entire web pages, a more secure option is to use Lightning Web Components (LWC) with API integrations. LWCs can fetch data from external systems and render it natively in Salesforce, avoiding iframe-related issues altogether.

Let’s say you want to show product inventory from an external system inside a Salesforce page. You can build a Lightning Web Component that calls the external system’s API and renders the data in native Salesforce UI. For example:

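```javascript
// inventoryViewer.js
import { LightningElement, track } from 'lwc';

export default class InventoryViewer extends LightningElement {
    @track inventory;

    connectedCallback() {
        // The endpoint's origin must be listed under CSP Trusted Sites
        // (connect-src), or Lightning's CSP blocks this request.
        fetch('https://api.example.com/inventory')
            .then(res => {
                // fetch() rejects only on network failure, so check the HTTP status
                if (!res.ok) {
                    throw new Error(`Inventory request failed: ${res.status}`);
                }
                return res.json();
            })
            .then(data => {
                this.inventory = data;
            })
            .catch(error => {
                console.error('Error fetching inventory:', error);
            });
    }
}
```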

```html
<!-- inventoryViewer.html -->
<template>
    <template if:true={inventory}>
        <ul>
            <template for:each={inventory.items} for:item="item">
                <li key={item.id}>{item.name} — {item.quantity} in stock</li>
            </template>
        </ul>
    </template>
</template>
```

After applying the recommended settings and configurations, your iframe or embedded content should load smoothly within Salesforce. Below is an example screenshot showing a successful iframe load, confirming that the clickjack protection and CSP settings are correctly configured: 

Iframe Loaded Successfully

Best Practices

  • Use iframes sparingly due to their inherent security risks.
  • Regularly audit your org’s CSP Trusted Sites and Clickjack Protection settings.
  • Always test iframe integrations in a sandbox before deploying to production.

Conclusion

Clickjack protection is a crucial Salesforce security feature that shields users from malicious attacks, but it can also prevent iframe content from loading. By understanding Salesforce’s security framework and applying the right configurations, such as whitelisting trusted domains, adjusting CSP settings, or using LWCs, you can embed external content securely and seamlessly.

Following these best practices ensures your Salesforce org remains both secure and user-friendly.

We hope you find this blog resourceful and helpful. However, if you still have concerns and need more help, please contact us at salesforce@greytrix.com.
