To meet the security review requirements for components that contain links to external websites, you need to ensure the following:

**Static Resources and Code Management:**

- Save any third-party CSS or JavaScript files in static resources and reference them securely within your package
- Avoid using the `<link>` tag or dynamically loading code from third-party endpoints
- Ensure that all code meets Salesforce security guidelines
- External links must not attempt to execute scripts outside the managed package's namespace sandbox

**Secure Connections:**

- Use HTTPS for all external links and endpoints
- Avoid using HTTP or FTP, as they do not encrypt data
- Adhere to TLS v1.2 or above for secure communication

**Access and Documentation:**

- Provide access to all external components, including URLs and login credentials, during the security review process
- Perform security scans on external components and include the results in your security review submission
- Document any false positives

**Security Compliance:**

- Submit security scan reports, such as Checkmarx and Dynamic Application Security Test (DAST) reports, for external endpoints
- Ensure that all session IDs are marked as secure and not shared outside the organization
- Avoid wildcarded CORS or cross-domain.xml files for non-public endpoints

For additional guidance, you can consult the Partner Security Portal or schedule office hours with Salesforce security experts.
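The checks in the lists above that can be made offline (no `<link>` or `<script src>` pulling code from outside the package, HTTPS-only URLs, `Secure`/`HttpOnly` on session cookies, no wildcard CORS on non-public endpoints) are small enough to script before submitting a package. The following is an added example, not Salesforce's own code or tooling: the markup and the response headers are constructed samples, and the function names (`audit`, `findExternalCodeLoads`, `cookieFindings`, `corsFindings`) are this example's own. TLS version enforcement is not covered here because it needs a live connection to test.

```javascript
// Added example (not Salesforce's code): a pre-submission audit of a component's
// markup and of the HTTP response headers captured from its external endpoints.

// Constructed markup that violates several of the rules above on purpose.
const SAMPLE_MARKUP = `
<template>
  <link rel="stylesheet" href="https://cdn.example.net/vendor.css">
  <script src="http://cdn.example.net/vendor.js"></script>
  <a href="https://docs.example.net/help">Help</a>
  <a href="ftp://files.example.net/data">Data</a>
</template>`;

// Constructed response headers from a (non-public) external endpoint.
const SAMPLE_HEADERS = {
  'set-cookie': ['sid=abc123; Path=/; HttpOnly', 'pref=dark; Path=/; Secure; HttpOnly'],
  'access-control-allow-origin': '*',
};

// <link href=...> and <script src=...> load code or styles from outside the package;
// such files belong in a static resource instead.
function findExternalCodeLoads(markup) {
  const re = /<(link|script)\b[^>]*\b(?:href|src)\s*=\s*["']([^"']+)["']/gi;
  const findings = [];
  let m;
  while ((m = re.exec(markup)) !== null) {
    findings.push({ tag: m[1].toLowerCase(), url: m[2] });
  }
  return findings;
}

// Every href/src value in the markup, so plain links get a scheme check too.
function findUrls(markup) {
  const re = /\b(?:href|src)\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(markup)) !== null) urls.push(m[1]);
  return urls;
}

// Only https:// is acceptable; http:// and ftp:// send data in the clear.
function isSecureScheme(url) {
  try {
    return new URL(url).protocol === 'https:';
  } catch {
    return false; // relative or malformed values are flagged for manual review
  }
}

// Session cookies must carry Secure (and HttpOnly, so scripts cannot read the ID).
function cookieFindings(setCookieValues) {
  const findings = [];
  for (const value of setCookieValues) {
    const [pair, ...attrs] = value.split(';').map((s) => s.trim());
    const name = pair.split('=')[0];
    const flags = new Set(attrs.map((a) => a.toLowerCase()));
    if (!flags.has('secure')) findings.push(`cookie ${name} lacks Secure`);
    if (!flags.has('httponly')) findings.push(`cookie ${name} lacks HttpOnly`);
  }
  return findings;
}

// A wildcard Access-Control-Allow-Origin is only tolerable on a public endpoint.
function corsFindings(headers, isPublicEndpoint) {
  const acao = headers['access-control-allow-origin'];
  if (acao === '*' && !isPublicEndpoint) {
    return ['wildcard Access-Control-Allow-Origin on a non-public endpoint'];
  }
  return [];
}

// Run all checks and return the list of findings (empty means nothing to fix).
function audit({ markup, headers, isPublicEndpoint }) {
  const findings = [];
  for (const { tag, url } of findExternalCodeLoads(markup)) {
    findings.push(`<${tag}> loads ${url} from outside the package; move it to a static resource`);
  }
  for (const url of findUrls(markup)) {
    if (!isSecureScheme(url)) findings.push(`${url} uses an insecure scheme`);
  }
  findings.push(...cookieFindings(headers['set-cookie'] || []));
  findings.push(...corsFindings(headers, isPublicEndpoint));
  return findings;
}

// Usage on the constructed samples: prints six findings.
for (const f of audit({ markup: SAMPLE_MARKUP, headers: SAMPLE_HEADERS, isPublicEndpoint: false })) {
  console.log('FINDING:', f);
}
```

The markup scan is deliberately a simple regex over the source files rather than a full HTML parser: it runs as a pre-commit or CI step and is meant to surface candidates for the reviewer, not to replace the Checkmarx and DAST reports the review itself requires.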