Event Monitoring

Explore and download all of your event log file data using the Event Log File Browser in Setup. Tailor your event log file data retention period to your needs, up to 1 year. Store and query all of your event data via the API by using Event Monitoring’s Event Log Objects (beta). Capture detailed network performance metrics with the new UI Telemetry Timing events. Track redirections for your instanced URLs.

  • Query Low-Latency Event Data with Event Log Objects (Beta)
    Store and query all of your event data via the API with the new event log object framework (beta) that captures event data in standard objects.
  • Access and Download Event Log File Data with the Event Log File Browser (Generally Available)
    Get easy access to all of your Event Log File data by using the Event Log File Browser directly in Setup without the need for third-party tools.
  • Download Up to 1 Year of Event Log Files
    Adjust your event log file data retention period and download up to 1 year of event log file data in case of a security incident.
  • Track Network Performance Metrics
    To maximize the efficiency of your applications, capture detailed network performance metrics with the new UI Telemetry Timing events. Use the Resource Timing event log file type to measure how long a browser takes to load specific application resources from a remote server. Use the Navigation Timing event log file type to track metrics related to page navigation, such as how long a browser takes to construct a page’s Document Object Model (DOM).
  • Identify Instanced Hostname Redirections
    To help you identify hard-coded instanced URLs, the SOURCE_HOSTNAME field on the Hostname Redirects event type now tracks redirections for these URLs. For example, if your Salesforce instance is IND76, legacy instanced hostnames include ind76.salesforce.com, ind76.lightning.force.com, and MyDomainName--c.ind76.content.force.com. Redirections for legacy My Domain hostnames stop in Winter ’25. Previously, the HOSTNAME_REDIRECT field only tracked redirections from My Domain hostnames that didn’t contain an instance name.
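
An added example (not Salesforce code) of triaging a downloaded Hostname Redirects event log file for hard-coded instanced URLs, using the IND76 hostnames above. Only SOURCE_HOSTNAME comes from the release note; the TIMESTAMP column, the sample rows, and the function names are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. Only SOURCE_HOSTNAME is a field named in the release
# note; the TIMESTAMP column and every value here are made up for this example.
SAMPLE_LOG = """TIMESTAMP,SOURCE_HOSTNAME
20240612083000.000,ind76.salesforce.com
20240612083104.000,ind76.lightning.force.com
20240612083211.000,MyDomainName--c.ind76.content.force.com
20240612083305.000,mydomainname.my.salesforce.com
20240612083412.000,ind76.salesforce.com
20240612083512.000,wind76.my.salesforce.com
"""


def is_instanced(hostname, instance):
    """True when one DNS label of the hostname is exactly the instance name."""
    # Compare whole labels, not substrings, so a My Domain name that merely
    # contains the instance name (wind76) is not reported.
    labels = hostname.strip().rstrip(".").lower().split(".")
    return instance.lower() in labels


def instanced_redirect_sources(log_text, instance):
    """Count redirects per instanced source hostname, most frequent first."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        host = (row.get("SOURCE_HOSTNAME") or "").strip()
        if host and is_instanced(host, instance):
            counts[host.lower()] += 1
    return counts.most_common()


if __name__ == "__main__":
    for host, hits in instanced_redirect_sources(SAMPLE_LOG, "IND76"):
        print(f"{hits:4d}  {host}")
```

Hostnames at the top of the list are the hard-coded references to fix first, before redirections stop.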

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_em.htm&release=250&type=5

Salesforce Shield

Encrypt more Nonprofit Cloud data. Net Zero Cloud objects are compatible with Field Audit Trail. Event Log File Browser is generally available for easy access to event log files right from Setup. And say goodbye to third-party tools for digging into event logs. Event Monitoring’s new event log object framework (beta) captures event data in standard objects that support direct queries via API.

  • Event Monitoring
    Explore and download all of your event log file data using the Event Log File Browser in Setup. Tailor your event log file data retention period to your needs, up to 1 year. Store and query all of your event data via the API by using Event Monitoring’s Event Log Objects (beta). Capture detailed network performance metrics with the new UI Telemetry Timing events. Track redirections for your instanced URLs.
  • Field Audit Trail
    Add Net Zero Cloud objects to your Field Audit Trail retention policies.
  • Shield Platform Encryption
    Encrypt more Grantmaking Compliant Data Sharing records data. Gather statistics and apply active keys to data with fewer timeouts. Bring Your Own Key pages are compatible with assistive technologies. 

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_shield.htm&release=250&type=5

Permission Requirements for the Consent Event Stream Are Enforced

To receive notifications via the Consent Event Stream, users need either the ReadAllData or the PrivacyDataAccess permission assigned to them. Previously, this requirement was documented but not enforced. To resolve any disruptions that your users experience as a result of this change, assign one of the applicable permissions to them.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

Who: This change impacts users who received notifications via the Consent Event Stream without having the documented permissions assigned to them. Notifications are interrupted for those users.

How: To re-enable Consent Event Stream notifications, assign users the ReadAllData or PrivacyDataAccess permission with permission sets or profiles.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_privacy_consent_event_stream_permissions.htm&release=250&type=5

UI Text and Functionality Improvements in Privacy Center

To improve the user experience in Privacy Center, we updated the user interface text in several places. We also changed the behavior of two privacy policy filter operators.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

How:

  • Review these changes in filter conditions for privacy policies.
    • The “is before” operator was renamed to “is within the last”. This operator captures records whose date field is within a specified number of days before the policy execution date. For example, if the specified number of days is 45, then matching records need a date field that’s within 45 days before the policy execution date. The new functionality better serves customer use cases.
    • The “is after” operator was renamed to “is beyond the last”. This operator captures records whose date field is beyond a specified number of days before the policy execution date. For example, if the specified number of days is 45, then matching records need a date field that’s more than 45 days before the policy execution date. The new functionality better serves customer use cases.
    • The “Number of Days” field was renamed to “Number of Days Relative to Policy Execution Date”. This change clarifies the field’s meaning.
    • The “Preview” field was renamed to “Summary”. Additionally, we inserted a disclaimer that this field’s content is for informational purposes and isn’t valid Salesforce Object Query Language (SOQL).
  • When a user applies the Permanently delete records setting to a privacy policy, a warning banner alerts the user about the setting’s risks. This change helps customers avoid accidental data loss.
  • When a user cancels an in-progress job for a privacy policy, Salesforce prompts them to confirm the action with a warning. Canceling in-progress jobs can cause some records to be modified or unrecoverable. The updated warning message clarifies these risks.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_privacy_ui_changes.htm&release=250&type=5

Get Ready to Retain Data with Privacy Center

Data retention is coming to the new, platform-native version of Privacy Center. With data retention, you can copy records to an external data store at the same time that you mask or delete them. You can also view the externally retained records by setting up your retention store with Salesforce Connect. This feature becomes available on a rolling basis starting in July 2024.

Where: This change applies to Lightning Experience in Enterprise, Performance, Unlimited, and Developer editions.

When: Data retention becomes available in different regions on a rolling basis, beginning in July 2024. For more information about the release timeline or to learn about getting early access to the feature, contact your account executive.

Why: Under data privacy law, your customers have a right to be forgotten by your business or to have their data restricted from processing. To stay compliant, you’re sometimes required to delete, archive, or obfuscate customer data. Now you can add data retention to your compliance strategy without using the managed-package version of Privacy Center.

The platform-native version of Privacy Center is the modernized, enhanced version that we recommend for all customers. Here are some advantages to consider.

  • Your Privacy Center license includes data retention as an out-of-the-box feature, along with a limited amount of free storage. Details about the amount of free storage and the cost for additional capacity are coming soon.
  • Your production org and sandboxes can have separate retention stores provisioned to them.
  • You can import privacy policies directly from a sandbox to a production org and vice versa. With this capability, you can test and deploy your retention implementation seamlessly.
  • Privacy Center offers an updated and improved user interface compared to the managed-package version of Privacy Center.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_privacy_data_retention.htm&release=250&type=5

Privacy Center

Review recent changes to Privacy Center’s user interface and functionality.

  • Get Ready to Retain Data with Privacy Center
    Data retention is coming to the new, platform-native version of Privacy Center. With data retention, you can copy records to an external data store at the same time that you mask or delete them. You can also view the externally retained records by setting up your retention store with Salesforce Connect. This feature becomes available on a rolling basis starting in July 2024.
  • UI Text and Functionality Improvements in Privacy Center
    To improve the user experience in Privacy Center, we updated the user interface text in several places. We also changed the behavior of two privacy policy filter operators.
  • Permission Requirements for the Consent Event Stream Are Enforced
    To receive notifications via the Consent Event Stream, users need either the ReadAllData or the PrivacyDataAccess permission assigned to them. Previously, this requirement was documented but not enforced. To resolve any disruptions that your users experience as a result of this change, assign one of the applicable permissions to them.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_privacy_center.htm&release=250&type=5

Simultaneous Token Requests Are Blocked During the Refresh Token Flow

To reduce performance issues, we now prevent client apps from sending simultaneous token requests with the same refresh token when using the OAuth 2.0 refresh token flow. Previously, identical token requests sent at the same time didn’t fail, but they did lead to system issues across Salesforce. To avoid disruptions, update integrations that use the refresh token flow to stop sending simultaneous, identical requests to the token endpoint. Improve the efficiency of your integrations by reusing access tokens instead of continually requesting new ones.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

How: When using the refresh token flow, Salesforce processes one token request at a time. If your client sends another request while one is being processed, the Status column in the Login History displays Failed: Token request is already being processed.

To prevent the refresh token flow from failing intermittently, update your integrations.

  • Avoid or reduce simultaneous calls to the token endpoint with the same refresh token. Instead, after your client obtains an access token from the refresh token flow, cache the token and reuse it.
  • If you continue to make simultaneous, identical requests, which isn’t recommended, develop a way to retry the requests when this error occurs.
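
One way to follow the first recommendation, as an added example that is not Salesforce code: a single-flight cache that lets only one thread call the token endpoint while the others wait and reuse the result. The `refresh_fn` callable, the `lifetime_seconds` value, and all names here are assumptions; `refresh_fn` stands in for your client's refresh token request.

```python
import threading
import time

class RefreshTokenCache:
    """Caches one access token and keeps at most one refresh request in flight."""
    def __init__(self, refresh_fn, lifetime_seconds, skew_seconds=60, clock=time.monotonic):
        self._refresh_fn = refresh_fn      # hypothetical callable: returns a new access token
        self._lifetime = lifetime_seconds  # assumption: chosen below the org's session timeout
        self._skew = skew_seconds          # refresh this many seconds early
        self._clock = clock
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0

    def get(self):
        # The lock is held across the refresh, so concurrent callers wait for
        # the first request and then reuse its token instead of sending their own.
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._skew:
                self._token = self._refresh_fn()
                self._expires_at = self._clock() + self._lifetime
            return self._token

    def invalidate(self, failed_token):
        # Call after an API request is rejected. Only a caller holding the
        # current token clears it, so a burst of rejections causes one refresh.
        with self._lock:
            if self._token == failed_token:
                self._token = None

def demo(workers=8):
    """Several threads ask for a token at once; returns (refresh_calls, tokens_seen)."""
    calls = []
    def fake_refresh():                    # constructed stand-in for the token endpoint
        calls.append(1)
        time.sleep(0.05)                   # simulated network latency
        return f"access-token-{len(calls)}"
    cache = RefreshTokenCache(fake_refresh, lifetime_seconds=900)
    seen = []
    threads = [threading.Thread(target=lambda: seen.append(cache.get()))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(calls), set(seen)

if __name__ == "__main__":
    print(demo())
```

In a multi-process deployment the same idea needs a shared lock or a single token-broker process, because a `threading.Lock` only serializes callers inside one process.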

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_refresh_token_requests.htm&release=250&type=5

Use the Token Exchange Flow with More Identity Providers

With new support for larger tokens, use the OAuth 2.0 token exchange flow with a wider range of third-party identity providers. When you send third-party tokens to Salesforce in the subject_token parameter, the value can be up to 10,000 characters long. Previously, the maximum length for values in this parameter was 2,000 characters.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

How: With the token exchange flow, you configure an app to exchange a token issued by an identity provider for a Salesforce token. To initiate this exchange, your app sends a POST request to the /services/oauth2/token endpoint. The request includes the provider’s token in the subject_token parameter.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_subject_token.htm&release=250&type=5

Take Advantage of Apex Enhancements for Processing JSON Web Tokens (JWTs)

With changes to how JSON Web Tokens (JWTs) are processed, it’s now easier to extract data from JWTs generated by methods in the Auth.JWTUtil class. We also clarified what methods we support for a JWT depending on where it came from. And you can get more test coverage by mocking HTTP callouts when processing JWTs.

Where: These changes are available in Enterprise, Performance, Unlimited, and Developer Editions.

How: For more information about these changes, see the Auth Namespace section in Apex: New and Changed Items.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_other_apex_changes.htm&release=250&type=5

Enable Embedded Login

Although Salesforce doesn’t recommend it, if you must use Embedded Login with your Experience Cloud Site, you can enable it on the Login & Registration page. In Summer ’24, Salesforce disabled Embedded Login by default to encourage users to move to OAuth 2.0 Web Server Flow or OAuth 2.0 User-Agent Flow.

Where: This change applies to Lightning communities accessed through Lightning Experience and Salesforce Classic (not available in all orgs) in Professional, Enterprise, Performance, Unlimited, and Developer editions.

Why: We recommend that you use the web server flow, the user-agent flow, or another redirect-based OAuth 2.0 flow instead of Embedded Login. Embedded Login relies on third-party cookies, which are blocked or restricted in most browsers. And Embedded Login works only on Google Chrome and only as long as third-party cookies are allowed there by default.

How: To use Embedded Login on your Experience Cloud Site, enable the feature on the Login & Registration page. From Setup, in the Quick Find box, enter Digital Experiences, and then select All Sites. In the Digital Experiences picklist, select Workspaces, and then click Administration. On the Login & Registration tab, select Allow embedded login on your Experience Cloud site.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_enable_embedded_login.htm&release=250&type=5