Other Security Changes

Validate your custom features that redirect users to a URL, and prevent users from connecting to untrusted URLs. Define Content Security Policy (CSP) Trusted Sites for your Visualforce pages, and help your users safely interact with external websites on your custom Visualforce pages with cross-origin headers. Private Connect support for AWS integrations is available in the EMEA and APAC regions. Reprovision your inbound and outbound connections before the Private Connect legacy network is retired.

  • Validate Your Redirects
    To better protect your data and users, the security checks on redirections are updated. Verify your custom features that redirect users to a URL to ensure that the process continues to work in Summer ’22.
  • Define CSP Trusted Sites for Visualforce Pages
    To safely provide your users with external content, you can now define Content Security Policy (CSP) trusted sites for your Visualforce pages.
  • Allow Redirects Only to Trusted External URLs
    Protect your users from malicious links by allowing redirections only to external URLs that you trust. Previously, you could only warn users about a redirection.
  • Protect Your Visualforce Pages with Cross-Origin Headers
    Help your users safely interact with external websites and content on your custom Visualforce pages with cross-origin headers. Cross-Origin Opener Policy (COOP) helps you isolate these pages from external attacks. And Cross-Origin Embedder Policy (COEP) only allows the page to load external content from sources that explicitly permit your custom page to embed it.
  • Secure Cross-Cloud Integrations with Private Connect Across the Globe
    As part of expanding the AWS partnership with Salesforce, Private Connect support for AWS integrations is available in the EMEA and APAC regions.
  • Private Connect Legacy Network Is Being Retired
    The network that supports Private Connect is upgraded to Hyperforce. The legacy network will be retired on October 15, 2022 at 11:59 PM Pacific Daylight Time (America/Los_Angeles). Reprovision your AWS PrivateLink connections before the legacy network is retired.
  • CSP Trusted Sites LEX Context Option Was Renamed
    The LEX context option for Content Security Policy (CSP) trusted sites is now called Lightning Experience Pages.
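The "Validate Your Redirects" and "Allow Redirects Only to Trusted External URLs" items above describe an allowlist approach to redirects. The following Python example is added here for illustration and is not Salesforce's own code or the logic behind the Setup feature; it shows the equivalent check a custom redirect feature should perform before sending a user anywhere. The hostnames in TRUSTED_HOSTS, the fallback path, and the sample inputs are constructed for the example, and the function name is hypothetical.

```python
from urllib.parse import urlparse

# Constructed allowlist for this example: the exact external hostnames the
# application is willing to redirect to. Replace with your own trusted hosts.
TRUSTED_HOSTS = frozenset({"www.example.com", "partner.example.org"})

# Fallback landing page used whenever a requested redirect target is rejected.
SAFE_FALLBACK = "/"


def is_trusted_redirect(target: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True only if `target` is a local absolute path or an https URL
    whose host exactly matches one of `trusted_hosts`.

    Everything else (other schemes, scheme-relative URLs, userinfo tricks,
    look-alike subdomains, control characters) is rejected.
    """
    # Reject empty values and characters that browsers strip or reinterpret:
    # a backslash becomes "/" in browsers, so "/\evil.example" would turn
    # into the scheme-relative "//evil.example" and leave the site.
    if not target or "\\" in target or any(ord(c) <= 0x20 for c in target):
        return False

    parsed = urlparse(target)

    # Case 1: a path on this site. It must start with exactly one "/";
    # "//host/..." is scheme-relative and points at another host.
    if parsed.scheme == "" and parsed.netloc == "":
        return target.startswith("/") and not target.startswith("//")

    # Case 2: an absolute URL. Only https, and only to an allowlisted host.
    if parsed.scheme.lower() != "https":
        return False
    # "https://www.example.com@evil.example/" parses with a username of
    # www.example.com and a host of evil.example; refuse any userinfo at all.
    if parsed.username is not None or parsed.password is not None:
        return False
    host = (parsed.hostname or "").lower()
    # Exact match only: "www.example.com.evil.example" must not pass.
    return host in trusted_hosts


def resolve_redirect(target: str, trusted_hosts=TRUSTED_HOSTS) -> str:
    """Return `target` if it passes validation, otherwise the safe fallback."""
    return target if is_trusted_redirect(target, trusted_hosts) else SAFE_FALLBACK


if __name__ == "__main__":
    # Constructed sample inputs: legitimate targets mixed with the classic
    # open-redirect shapes a validator has to catch.
    samples = [
        "/dashboard",
        "https://www.example.com/reports?id=7",
        "//evil.example/phish",
        "https://www.example.com@evil.example/",
        "https://www.example.com.evil.example/",
        "http://www.example.com/",
        "javascript:alert(1)",
        "/\\evil.example",
    ]
    for s in samples:
        print(f"{s!r:48} -> {resolve_redirect(s)}")
```

The design choice worth noting is that the allowlist is matched on the parsed hostname with an exact comparison, never on a substring or prefix of the raw string; substring checks are what let look-alike hosts and userinfo-prefixed URLs through.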

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_other_changes.htm&release=238&type=5

Security Center

Create more security policy types to deploy to your connected tenants. Gain insight into your security posture by monitoring metrics such as threat detection. Export your Security Center data with the click of a button. And track changes to even more metrics in Security Center.

  • Deploy New Policy Types from Security Policies (Generally Available)
    Security policies are now generally available with new security policy types. You can create these security policies in Security Center: Trusted IP Ranges, Health Check Baseline, Password Configuration, and Session Settings.
  • Get More Custom Report Types
    Create reports on Security Center permissions, logins, and monitoring metrics. These new report types make it easier to track, monitor, and view graphs of relevant Security Center data.
  • See More Metrics in Security Center
    To simplify security policy management, you can now track changes to transaction security policies, mobile security policies, and trusted IP ranges in Security Center. You can also find existing Threat Detection metrics within the Monitoring dashboard page.
  • Export Security Center Data with the Click of a Button
    Easily download a .csv file for tables that show your policies, alerts, and monitoring metric details to access important data whenever you need it.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_security_center.htm&release=238&type=5

Salesforce Shield

Fine-tune Transaction Security metering and policy application controls. The Permission Set Event is now generally available. See more event data in the API Total Usage, Lightning Page View, and Transaction Security event types. And add another layer of security to data collected in Service Cloud Voice by encrypting the Participant Display Name field on the Conversation Participant object.

  • Event Monitoring
    Dial in your preferred Transaction Security metering behavior with a new user permission and Metadata API setting. The Permission Set Event is now generally available. The API Total Usage event type supports more API versions and includes more fields. And access a wider range of detailed data with the Lightning Page View and Transaction Security event types.
  • Field Audit Trail
    Field Audit Trail no longer enforces the 10-year retention limit for field history data. Instead, all field history data is retained from the time that Field Audit Trail is enabled.
  • Shield Platform Encryption
    Add another layer of security to personally identifiable information collected in Service Cloud Voice. Shield Platform Encryption now supports the Participant Display Name field.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_shield.htm&release=238&type=5

Privacy Center

Create Consent Templates in Preference Center (beta), which is a new method for populating the preference forms where your customers indicate how they wish to be contacted.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_privacy_center.htm&release=238&type=5

Identity and Access Management

New features are available to prepare your org for multi-factor authentication (MFA) auto-enablement and enforcement. Your users can now register WebAuthn (FIDO2) security keys as an MFA verification method. Your employees and customers can log in to Salesforce with their Microsoft credentials. You can improve connected app security by rotating the consumer key and consumer secret, and by blocking connected apps from using the OAuth 2.0 username-password flow. As part of regular maintenance, Salesforce is upgrading its SAML framework in Spring ’23, so start testing your SAML integrations now.

  • Get Ready for Multi-Factor Authentication Auto-Enablement and Enforcement
    The requirement to use multi-factor authentication (MFA) when accessing your Salesforce org went into effect on February 1, 2022. If you haven’t fully satisfied this requirement, keep in mind that Salesforce will automatically enable and enforce MFA for all direct (username and password) logins to the UI. To avoid disruptions to your business when these actions occur, and to protect your valuable data, we strongly recommend enabling MFA yourself as soon as possible. To speed things up, you can now turn on MFA for everyone in your org at once. And a new user permission lets you exclude use cases that are exempt from the MFA requirement.
  • Verify User Identity with WebAuthn (FIDO2) Security Keys
    To meet the latest authentication standards, Salesforce now supports WebAuthn security keys. Users can register a WebAuthn or U2F security key for identity verification. To maintain compatibility with web browsers, previously registered U2F keys adopt WebAuthn APIs when used for the first time after Summer ’22.
  • Bypass MFA Challenges for Single Sign-On Auth Provider Logins (Release Update)
    This release update was originally enforced in Spring ’22, but the enforcement was unsuccessful for some orgs. Orgs that weren’t enforced in Spring ’22 are now enforced in Summer ’22. MFA challenges are now bypassed for users who are assigned the user permission Multi-factor Authentication for User Interface Logins and are logging in with an SSO Auth Provider. This update was first made available in Winter ’22.
  • Securely Update Email Addresses and Reset Passwords (Release Update)
    This release update was originally enforced in Spring ’22, but the enforcement was unsuccessful for some orgs. Orgs that weren’t enforced in Spring ’22 are now enforced in Summer ’22. To ensure the security of your org, users must reset their password before your changes to their email address and password become active. When a user resets the password using the provided link, the new email address is activated. Previously, the user’s new email address became active as soon as you saved the change, bypassing verification. This update was first made available in Summer ’21.
  • Login Enhancements for Microsoft
    Make it easy for employees and customers to log in to Salesforce by setting up single sign-on (SSO) with a Microsoft authentication provider. Your users can access your Salesforce org or Experience Cloud site with their Microsoft credentials.
  • Rotate the Consumer Key and Consumer Secret of a Connected App
    Improve the security of your connected apps with minimal app downtime. To keep your consumer key and consumer secret fresh, you can swap them with new consumer details. Prepare for the new details by generating staged values and sharing them with your connected app integrations. When you’re ready, apply the new consumer details.
  • Verify Your Identity to Access Consumer Key and Consumer Secret
    To improve security, you’re required to verify your identity before viewing your connected app’s consumer key and consumer secret, also known as the client ID and client secret. On the connected app’s Manage Connected Apps page, you must complete multi-factor authentication (MFA) using one of your registered identity verification methods before you can see the consumer details. You can view the consumer details for up to 5 minutes before you’re challenged to verify your identity again.
  • Block the OAuth 2.0 Username-Password Flow at an Org-Wide Level
    To keep your org secure, you can block all connected apps in your org from using the OAuth 2.0 username-password flow. We recommend blocking the flow so that developers can’t use it to build new integrations. Blocking the flow can break any existing integrations that use the flow, such as managed packages and mobile apps. Before blocking the flow, audit and test your integrations so you can avoid disruptions.
  • Upgrade SAML Single Sign-On Framework (Release Update)
    Salesforce is upgrading its SAML framework as part of regular ongoing maintenance. This update can impact integrations with third-party systems, such as integrations with SAML identity providers and SAML-enabled applications. This update applies to all SAML-based integrations, even when you’re using Identity for Employees or Salesforce Customer Identity, including Experience Cloud.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_and_identity.htm&release=238&type=5

Domains

To meet the latest browser requirements, enable enhanced domains. In new sandboxes, enhanced domains are enabled by default. You can redirect your site URLs separately from your previous My Domain URLs after you enable enhanced domains. And update your allowlists to prepare for partitioned domains.

  • Enable Enhanced Domains (Release Update)
    To comply with the latest browser and security standards, enable enhanced domains on My Domain. With enhanced domains, your company-specific My Domain name is included in your URLs, including Salesforce Sites and Experience Cloud sites. Consistent domain formats improve the user experience and standardize URLs for use in custom code and API calls. Enhanced domains also comply with the latest browser requirements, allowing your users to access Salesforce using browsers that block third-party cookies. Because this update affects application URLs, including Experience Cloud sites, Salesforce Sites, and Visualforce pages, we recommend that you enable enhanced domains before this update is enforced. This update was first made available in Summer ’21 and was scheduled to be enforced in Winter ’23, but we postponed the enforcement date to Spring ’23 for production orgs. For sandboxes and non-production orgs, the enforcement date is still Winter ’23 unless you enable a new org-level setting that postpones the enforcement to Spring ’23.
  • Use Enhanced Domains in New and Refreshed Sandboxes
    To help you test enhanced domains, they’re enabled by default in new and refreshed sandboxes. If enhanced domains aren’t enabled in your production org, you can disable this option.
  • Redirect Your Site URLs After You Enable Enhanced Domains
    When you enable enhanced domains, the *.force.com URLs for your Experience Cloud sites and Salesforce Sites change. To minimize disruption for users who visit your previous *.force.com URLs, choose whether to redirect those public-facing URLs to your current site URL or to return an error message.
  • Prepare for Partitioned Domains
    To maximize the availability of your orgs, My Domain uses partitioned domains for new Developer Edition orgs, demo orgs, sandboxes, scratch orgs, patch orgs, free orgs, and Trailhead Playgrounds. Partitioned domains include a word related to the org type, which makes it easier to identify an org by a URL. To prepare for this change, update your allowlists for the new domains.
  • Test Your Custom Domain That Uses a Third-Party CDN in a Sandbox
    Before you enable a custom domain that uses a third-party Content Delivery Network (CDN) in production, develop and test the domain in a sandbox. A custom domain, such as https://www.example.com, serves your Experience Cloud sites or Salesforce Sites.
  • Enable the Salesforce CDN Partner in a Sandbox Custom Domain
    Test a custom domain that uses the Salesforce CDN partner to serve your Experience Cloud site in a sandbox before you enable the updated domain in production.
  • Improve Code Security with My Domain Logins
    For an extra layer of security, use your My Domain login URL when your code accesses your Salesforce org. Although you can continue to use the generic Salesforce login URLs, your My Domain login URL is unique. And, unlike instanced URLs such as na47.salesforce.com, it continues to work when your org is moved to another instance. Because we recommend this approach, My Domain URL placeholders replace the generic login.salesforce.com and test.salesforce.com login URLs in our Salesforce Help and Developer documentation.
  • Wait 15 Minutes Between Domain Changes
    To avoid potential conflicts between follow-up processes such as CNAME and DNS updates, you can’t make two domain changes that require provisioning within 15 minutes.
  • Postpone the Enforcement of Enhanced Domains in Sandboxes and Non-Production Orgs
    The Enable Enhanced Domains release update is enforced for sandboxes and non-production orgs in Winter ’23. If you need more time to test enhanced domains in sandboxes and non-production orgs, you can postpone the enforcement date to Spring ’23 using an org-level My Domain setting. Non-production orgs include demo orgs, Developer Edition orgs, free orgs, patch orgs, Trailhead Playgrounds, and trial orgs. For production and scratch orgs, the enforcement date is automatically postponed to Spring ’23 without any action required.
  • Other My Domain Changes
    To help you make My Domain changes, the My Domain Setup screen was updated. The button to revert a provisioned My Domain change is now called Cancel New Domain. And to help you understand your choices, the domain suffix picklist values were updated.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_domains.htm&release=238&type=5

Security, Identity, and Privacy

Enhanced domains now work with sandboxes, offer redirects, and provide more secure login options. You can now log in with your Microsoft credentials, access and maintain consumer keys and consumer secrets more securely, and streamline your transition to using multi-factor authentication. Gather preference information consistently with reusable templates in Privacy Center. Salesforce Shield offers encryption and event tracking for more data and control over Transaction Security metering behavior. Use Security Center to create security-centric reports, and define security policies for all connected tenants (generally available). Private Connect support for AWS integrations is available in the EMEA and APAC regions. And remember to prepare inbound and outbound connections for the Private Connect network upgrade.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security.htm&release=238&type=5

Create Transaction Security Policies for Critical User Permissions (Generally Available)

Use transaction security policies, now generally available, to monitor changes made in permission sets and permission set groups. If a change doesn’t comply with internal usage, compliance, or security policies, create policies to notify you and block changes. You can also track multi-factor authentication for user interface logins.

Where: This change applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions where Event Monitoring is enabled.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_permissions_create_critical_user_policy.htm&release=238&type=5

Manage Permission Set Assignment Expiration with an Enhanced User Experience (Generally Available)

How you manage assignments of permission sets and permission set groups has been simplified, and this feature is now generally available. After you enable this feature in User Management Settings, you can access the improved interface with the Manage Assignments button. As part of this change, we deprecated the Manage Assignment Expiration button.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

Why: For example, you have a consultant team that must evaluate sales contracts as part of a project with a set end date. The consultants need access to the Contract object and other permissions via a permission set group. When the project ends, you don’t want the consultant team to access the sales contracts any longer.

You first create a filter for the users based on their location. You can potentially have thousands of users, so a filter lets you easily select the users working on the project. Then you assign these users to the permission set group and set the expiration date as the project’s end.

How: Enable Permission Set & Permission Set Group Assignments with Expiration Dates in User Management Settings. Then from the Permission Set Group or Permission Set page, click Manage Assignments.

On the Current Assignments page, view a list of the users that are assigned to the permission set or the permission set group. To create a user assignment, click Add Assignment. On the Add Assignment page, search for users in the list with the search field. To create a filtered view of users, create a list view, and then select the filter icon and set your filter logic.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_permissions_assn_expiration.htm&release=238&type=5

Enable Permission Set Expiration and Enhanced UI (Release Update)

With this update enabled, you can assign an expiration date to each permission set or permission set group. Permission set and permission set group assignments also use a new Lightning Experience interface and an improved workflow. Users can be assigned to permission sets or permission set groups with or without an expiration date. When a permission set or permission set group has an expiration date, users can lose access to functionality after the expiration date. By default, permission set and permission set group assignments don’t expire. This update was first available in Summer ’22.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

When: Salesforce enforces this update in Winter ’23. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the Maintenance tab.

How: To review this update, from Setup, in the Quick Find box, enter Release Updates, and then select Release Updates. For Enable Permission Set & Permission Set Group Assignments with Expiration Dates, follow the testing and activation steps.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_enable_permset_expiration_ru.htm&release=238&type=5