Other Security Changes

Salesforce now converts URLs saved without a protocol to hyperlinks that include the HTTPS protocol.

  • Create HTTPS Hyperlinks by Default
    When you save content in Salesforce that contains a URL without a protocol, Salesforce converts it to a hyperlink by assigning the HTTPS protocol. For example, if you type example.com in a Chatter post, Salesforce converts it to https://example.com when you save the post. Previously, Salesforce assigned the HTTP protocol for hyperlinks. If a link requires the HTTP protocol, enter the http:// prefix as part of the URL.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_other_changes.htm&release=236&type=5

Security Center

Create a Security Policy (beta) to deploy your custom Health Check Baseline to some or all of your connected tenants. Gain insight into your security posture with the Health Check Baseline metric and monitor 28 more permissions. Monitor all your connected apps, regardless of whether OAuth is used for authentication. And there’s enhanced navigation on your Security Center dashboard.

  • Monitor All Connected Apps
    Now you can track all your connected apps in Salesforce. Previously, Security Center only monitored connected apps that use OAuth for authentication.
  • Deploy Security Policies (Beta)
    Use the new Security Policy feature to upload a custom Health Check baseline and deploy it to the tenants of your choosing.
  • See More Metrics in Security Center
    Now you can track changes to Security Health Check Baselines and Mobile Security Policies in Security Center. And you can monitor 28 more user permissions for a total of 42.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_security_center.htm&release=236&type=5

Salesforce Shield

Customize more of your security policy implementation with a host of Shield improvements. Write your own custom transaction security policy notification emails. Create Platform Event-triggered flows for Threat Detection events, and use the Permission Set Event (beta) to monitor changes to permissions assignments. Encrypt more data for Loyalty Management and Social Customer Studio.

  • Event Monitoring
    Threat Detection is now compatible with Platform Event-triggered flows so that you can automate responses to detected threat events. Write your own custom Transaction Security policy notification emails and populate them with actual event data to help you respond to triggered policies faster. And reap organization-wide efficiencies when you monitor permission set and permission group changes with the new Permission Set Event (beta).
  • Shield Platform Encryption
    Shield Platform Encryption serves up support for an even wider range of data. You can now encrypt the Member Name field on the Loyalty Program Group Member Relationship object. Social Customer Service now supports encryption across several fields on the Social Persona and Social Post objects. And encryption for the User Email field is now generally available.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_shield.htm&release=236&type=5

Privacy Center

Create and publish forms to gather customer consent preferences using Preference Center (beta). Control how users access the forms and create as many unique preference forms as needed.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_privacy_center.htm&release=236&type=5

Identity and Access Management

Built-in authenticators are generally available. You can now configure multi-factor authentication (MFA) requirements for Log In As. Your employees and customers can access Salesforce through their Slack app. You can authorize access to Einstein Bot APIs with a connected app. And the OAuth 2.0 JWT bearer flow for server-to-server integration now supports high assurance settings. For enhanced security, users can no longer log in to Salesforce by using a username and password as URL query string parameters to the login URL.

  • Built-In Authenticators as a Verification Method Are Now Generally Available
    With new support for biometric methods, it’s easier to verify identity in Salesforce. Your users can register biometric built-in authenticators such as Touch ID, Face ID, and Windows Hello. When users are challenged to verify their identity, including for multi-factor authentication and device activations, they get a prompt to use their built-in authenticator. Built-in authenticators are generally available.
  • Salesforce Support Users, Partner Support Users, and Subscribers with High-Assurance Sessions Bypass Multi-Factor Authentication During Log In As
    To streamline user support, Salesforce support users, partner support users, and subscribers with high-assurance sessions can log in as other users without triggering multi-factor authentication (MFA) challenges. The Multi-Factor Authentication for UI Logins During Log In As setting enforces MFA only for support users and subscribers who don’t have high-assurance sessions.
  • Let Users Access Salesforce with Slack Credentials
    Simplify your users’ login experience by enabling single sign-on (SSO) with a Slack authentication provider. With this SSO solution, your users can log in to your Salesforce org or Experience Cloud site with their Slack credentials, saving them time and clicks. They can also access their protected Slack data in Salesforce.
  • Give Authorized Access to Einstein Bot APIs
    To authorize access to Einstein Bot APIs, you can assign a connected app the new chatbot_api OAuth scope. With this scope, the connected app is authorized to make service calls to Bot APIs over a public network.
  • JWT Bearer Flow Supports High Assurance Sessions
    The OAuth 2.0 JWT bearer flow for server-to-server integration now supports high assurance settings. Previously, high assurance settings in user profiles weren’t passed to access tokens retrieved during the JWT bearer flow.
  • Disable Users from Logging Into an Org or Experience Cloud Site with Login Credentials as URL Query String Parameters (Release Update)
    To improve security, users can no longer log in to Salesforce by using a username and password as URL query string parameters to the login URL. Any users who try to do so are redirected to the login page. This update was first made available in Winter ’22 and is enforced in Spring ’22.
  • Securely Update Email Addresses and Reset Passwords (Release Update)
    To ensure the security of your org, users must now reset their password before your changes to their email address and password become active. When a user resets the password using the provided link, the new email address is activated. Previously, the user’s email address became active as soon as you saved the change. This update was first made available in Summer ’21 and is enforced in Spring ’22.
  • Bypass MFA Challenges for Single Sign-On Auth Provider Logins (Release Update)
    This release update enforces the documented behavior of bypassing MFA challenges for users who are assigned the user permission Multi-factor Authentication for User Interface Logins. This update was first made available in Winter ’22 and is enforced in Spring ’22.
  • Manage Single Sign-On User Mappings
    To ensure that users are mapped correctly between Salesforce and a third-party identity provider, use the Auth.ConfirmUserRegistrationHandler interface.
  • Use a SAML Digest Algorithm Based on Your Request Signature Method
    New SAML single sign-on (SSO) service provider configurations with a third-party identity provider use a digest algorithm based on the Request Signature Method (RSM). With this update, you can improve security and you still have the option to use SHA1 to ensure that existing SSO and SLO configurations don’t break. Previously, all configurations used SHA1 as the default digest algorithm, regardless of the RSM.
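An added example, not Salesforce code: a check a service-provider admin could run over a signed SAML message to confirm that the digest algorithm follows the Request Signature Method and to flag SHA-1, which the note above describes as a legacy option rather than the default. The XML sample is constructed; the algorithm URIs are the standard XML-DSig identifiers.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"
# Request Signature Method URI -> digest algorithm URI expected alongside it.
EXPECTED_DIGEST = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": SHA1_DIGEST,
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "http://www.w3.org/2001/04/xmlenc#sha512",
}

def check_signed_info(xml_text):
    """Return findings for ds:SignedInfo; [] means digests follow the RSM and avoid SHA-1."""
    root = ET.fromstring(xml_text)
    sig = root.find(f".//{DS}SignedInfo/{DS}SignatureMethod")
    digests = root.findall(f".//{DS}SignedInfo/{DS}Reference/{DS}DigestMethod")
    if sig is None or not digests:
        return ["SignedInfo lacks a SignatureMethod or a Reference/DigestMethod"]
    rsm = sig.get("Algorithm")
    expected = EXPECTED_DIGEST.get(rsm)
    findings = []
    for d in digests:
        alg = d.get("Algorithm")
        if alg == SHA1_DIGEST:
            findings.append("SHA-1 digest in use; keep only while a legacy SSO/SLO partner needs it")
        if expected is not None and alg != expected:
            findings.append(f"digest {alg} does not follow RSM {rsm}")
    return findings

# Constructed sample (not a real request): the RSM is RSA-SHA256 but the
# digest stayed at SHA-1, the mismatch the old default produced.
LEGACY_SIGNED_INFO = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#_sample-request">
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <ds:DigestValue>c2FtcGxl</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
</ds:Signature>"""
# Same structure with the digest following the RSM.
ALIGNED_SIGNED_INFO = LEGACY_SIGNED_INFO.replace(
    "http://www.w3.org/2000/09/xmldsig#sha1", "http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    print(check_signed_info(LEGACY_SIGNED_INFO))   # two findings
    print(check_signed_info(ALIGNED_SIGNED_INFO))  # []
```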
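An added example, not from the release notes: before the query-string login update above is enforced, a defender can scan web or proxy logs for login requests that still pass credentials as URL parameters, so the scripts or bookmarks behind them can be fixed rather than silently redirected. The log lines are constructed, and the parameter names in CREDENTIAL_PARAMS are assumptions, since the note does not name them.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as credentials (assumption: names such
# legacy login links might use; adjust to what your own logs show).
CREDENTIAL_PARAMS = {"un", "pw", "username", "password"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def redact_credential_params(url):
    """Return (had_credentials, redacted_url) for a request URL or path."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hit = False
    cleaned = []
    for key, value in pairs:
        if key.lower() in CREDENTIAL_PARAMS:
            hit = True
            cleaned.append((key, "[REDACTED]"))
        else:
            cleaned.append((key, value))
    return hit, urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))

def find_credential_logins(log_lines):
    """Scan access-log style lines; return [(line_no, client_ip, redacted_url)]."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hit, redacted = redact_credential_params(m.group(1))
        if hit:  # never store the raw line: it contains the password
            client_ip = line.split(" ", 1)[0]
            findings.append((no, client_ip, redacted))
    return findings

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Feb/2022:10:00:01 +0000] "GET /?un=alice%40example.com&pw=hunter2 HTTP/1.1" 302 -',
    '203.0.113.11 - - [01/Feb/2022:10:00:02 +0000] "GET /login?startURL=%2Fhome HTTP/1.1" 200 -',
    '198.51.100.7 - - [01/Feb/2022:10:00:03 +0000] "POST /services/oauth2/token HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for finding in find_credential_logins(SAMPLE_LOG):
        print(finding)  # (1, '203.0.113.10', '/?un=[REDACTED]&pw=[REDACTED]')
```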

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_and_identity.htm&release=236&type=5

Domains

To meet the latest browser requirements, enable enhanced domains. Disable redirections from your previous My Domain URLs. And you can enable Salesforce Edge Network in a Hyperforce org.

  • Disable Redirections from Your Previous My Domain
    To test a change to your org’s My Domain, you can temporarily prevent redirections from your org’s previous URLs. When you enable enhanced domains or change your My Domain name, the URLs for your org change, and Salesforce redirects requests for your previous URLs to your new URLs. With this change, you can disable these redirections without removing your previous My Domain.
  • Enable Enhanced Domains (Release Update)
    To comply with the latest browser and security standards, enable enhanced domains on your Salesforce org’s My Domain. With enhanced domains, your company-specific My Domain name is included in your URLs, including Salesforce Sites and Experience Cloud sites. Consistent domain formats improve the user experience and standardize URLs for use in custom code and API calls. Salesforce enhanced domains also comply with the latest browser requirements, allowing your users to access Salesforce using browsers that block third-party cookies. Because this update affects application URLs, including Experience Cloud sites, Salesforce Sites, and Visualforce pages, we recommend that you enable enhanced domains before this update is enforced. This update was first made available in Summer ’21.
  • Integrate Salesforce Edge Network on Hyperforce
    Salesforce Edge Network is now available in Hyperforce. With Salesforce Edge Network, your users get lower-latency access to Salesforce services from around the globe.
  • HTTP Strict Transport Security (HSTS) Cache Duration Is Increased
    To adopt the latest recommendations for HTTP Strict Transport Security (HSTS) preloading deployment, we increased the HSTS header max-age value to 63072000, or 2 years. HSTS instructs browsers to connect to a domain only over HTTPS. Because HSTS is enabled, browsers cache the fact that only HTTPS can be used on those domains; with this change, that cached policy lasts 2 years. Previously, it lasted 1 year.
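As an added example (not from the release notes or Salesforce), this parser reads a Strict-Transport-Security header using the RFC 6797 directive syntax and assesses it against the 2-year max-age described above. The sample headers are constructed; the includeSubDomains and preload directives in them are assumptions, not something the note states about Salesforce's own header.

```python
TWO_YEARS = 63072000  # seconds; the new max-age from the release note
ONE_YEAR = 31536000   # seconds; the previous value

def parse_hsts(header):
    """Return {directive-name: value-or-None}; names are case-insensitive."""
    directives = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, sep, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        if name in directives:  # RFC 6797: a repeated directive makes the header invalid
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    if not (directives.get("max-age") or "").isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives

def assess_hsts(header, min_age=TWO_YEARS):
    """Summarise an HSTS header; min_age defaults to the 2-year value."""
    d = parse_hsts(header)
    max_age = int(d["max-age"])
    return {
        "max_age_days": max_age // 86400,
        "meets_min_age": max_age >= min_age,
        "clears_policy": max_age == 0,  # max-age=0 tells browsers to forget the host
        "include_subdomains": "includesubdomains" in d,
        "preload": "preload" in d,
    }

# Constructed sample headers (the release note gives only the max-age values;
# includeSubDomains and preload here are illustrative).
NEW_HEADER = "max-age=63072000; includeSubDomains; preload"
OLD_HEADER = "max-age=31536000"

if __name__ == "__main__":
    print(assess_hsts(NEW_HEADER))  # meets_min_age True, max_age_days 730
    print(assess_hsts(OLD_HEADER))  # meets_min_age False, max_age_days 365
```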

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_domains.htm&release=236&type=5

Security, Identity, and Privacy

Keep your implementation running securely and smoothly with improved Platform-driven security solutions. Refine how users access your sites, apps, and implementations with domain improvements, built-in authenticators (generally available), single sign-on with Slack, and more authentication options. Preference Center (beta) joins the Privacy Center team, helping customers define their communication preferences. Shield products integrate with a wider range of features and clouds. View more metrics in Security Center. And the new Security Policies (beta) feature in Security Center helps you manage Health Check baselines from a central location for all tenants.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security.htm&release=236&type=5

Create Expanded Transaction Security Policies for Permission Set Events (Beta)

Monitor more changes to permission sets and permission set groups using transaction security policies in Event Monitoring. These new transaction security policies enable you to block permission changes in permission sets and permission set groups that don’t comply with internal usage, compliance, or security policies. You can also send notifications to admins when changes don’t comply with those same policies.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions where Event Monitoring is enabled.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_permissions_monitoring.htm&release=236&type=5

Manage Permission Sets and Permission Set Group Assignment Expiration Dates with an Enhanced User Experience (Beta)

Now it’s easier to search for and filter users to assign to permission sets and permission set groups. And with Lightning list views, you can better manage expiration dates for those permissions.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

Why: For example, a team at your head office evaluates sales contract language for a project that has an end date. Create a filter for the users based on their location, assign them to the permission set group, and then set the expiration date as the project’s end.

How: From User Management Settings, enable Permission Set Group Assignments with Expiration Dates (beta). Then, from either the Permission Set Group or Permission Set page, click Manage Assignment Expiration. On the Current Assignments page, you can view permission set or permission set group users. To create a user assignment, click Add Assignment. On the Add Assignment page, you can search for and filter users.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_permissions_filter_assignment_expiration.htm&release=236&type=5

View Improved Critical Permissions Assignments for Manage Users in Optimizer

The updated Salesforce Optimizer better captures the critical permissions assignments that you monitor. Assignments for the Manage Users permission now appear in Critical Permissions Assignments instead of assignments for the View All Users permission. Rerun the Salesforce Optimizer app to see the updated metric in Critical Permissions Assignments.

Where: This change applies to Lightning Experience and Salesforce Classic in Essentials, Professional, Enterprise, Performance, Unlimited, and Developer editions.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_permissions_optimizer_crit_permission.htm&release=236&type=5