Other Security Changes

Select a default owner for records created by Salesforce Site guest users. And in Summer ’21, the Require secure connections (HTTPS) for all third-party domains setting is enabled and then removed, because it can no longer be disabled.

  • Require Secure HTTPS Connections for All Third-Party Domains
    As a security best practice, HTTPS connections are required to connect to third-party domains beginning in Summer ’21. With enforced secure connections, HTTP-only connections are no longer permitted. The Require secure connections (HTTPS) for all third-party domains setting on the Session Settings Setup page is enabled and then removed because it can’t be disabled. The Require secure connections (HTTPS) setting is also removed because it was previously enabled and can’t be disabled.
  • Assign Records Created by Site Guest Users to a Default User
    To increase the security of your Salesforce data, unauthenticated guest users no longer automatically own the records they create. Instead, when a guest user creates a record, the record ownership is reassigned to a default active user that you can select.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_other_changes.htm&release=230&type=5

Security Center

Security Center offers more hands-on ways to view your security data. Detail pages have improved graphs to help you easily see when changes happen. You can now update metric data on-demand instead of waiting for the daily scheduled app updates. And you can now see a 30-day trend graph of average Health Check scores plus 6 months of historical Health Check information right from the app. All the extra detail helps you respond proactively to changes and settings that touch sensitive customer data.

  • Update Metric Data On-Demand
    You no longer need to wait for Security Center’s daily update to see the latest metric data. You can now update individual metrics as needed. On-demand metric updates give you the latest information so that you can make informed decisions. And they can help you monitor fast-moving situations.
  • See Historical Health Check Details in Security Center
    Now you can access more Security Health Check data from the Security Center app. The Security Health Check detail page has a new trend graph to help you scan average Health Check scores for all connected tenants over time. You can also see the last 6 months of Health Check data right from Security Center, saving you clicks and time.
  • Spotlight Change with Improved Detail Page Charts
    The new Daily Changes chart overlay offers a clearer view of metric changes for each day. Now you can easily see when changes happened on specific days.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_sc.htm&release=230&type=5

Salesforce Shield

The Event Monitoring Analytics app offers a slew of new datasets to help you analyze usage across Salesforce. Real-Time Event Monitoring now supports automated, programmatic setup with Metadata API. Lightning event types include a CLIENT_GEO field to help you locate client browser requests. Shield Platform Encryption now supports the Utterance field on the Utterance Suggestion object. You can also synchronize large volumes of records with your encryption policies faster and more efficiently.

  • Shield Platform Encryption
    Add extra security to potentially sensitive data used to train bots. You can now encrypt the Utterance field on the Utterance Suggestion object and participant responses to Salesforce Surveys. The background encryption service also syncs large volumes of records faster and more efficiently.
  • Event Monitoring
    You can now analyze more data with the new datasets that are available in the Event Monitoring Analytics app. You can automate Real-Time Event Monitoring setup with the Metadata API. Locate users in all Lightning event types with the new CLIENT_GEO field. Use the new UserId filter on ReportEvent queries to focus on user activity (Beta).

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_shield.htm&release=230&type=5

Domains

Easily rename and manage your org’s My Domain. Improve connectivity with Salesforce Edge Network and test custom domains in a sandbox. Deploy a My Domain and enable HTTPS on your Salesforce Sites and Experience Cloud sites domains.

  • Manage My Domain with Ease
    Easily rename and manage your Salesforce org’s My Domain. Improved Setup pages show your current My Domain login URL and any requested change to it, allowing you to quickly identify your org’s current state. You can cancel a requested My Domain change or the provisioning process. And for customers with more than one domain suffix option, you can choose your My Domain suffix and deploy the change.
  • Improve Connectivity with Salesforce Edge Network
    Improve download times and the user experience by routing your My Domain through Salesforce Edge Network. As business becomes more global, users access your Salesforce data from all over the world. Salesforce Edge Network delivers a consistent user experience regardless of a user’s location.
  • Test Custom Domains in a Sandbox (Generally Available)
    Custom domains allow you to use a domain that you own, such as https://www.example.com, to host your Salesforce org’s externally facing content through Salesforce Sites and Experience Cloud sites. To make sure that it’s ready for prime time, use Custom Domains in Sandbox to develop and test your custom domain before deploying it to production.
  • Stop Redirects from Previous My Domain URLs
    To help you manage how users access your Salesforce org, you can now see if URLs for a previous My Domain are being redirected to your current My Domain. If you want to prevent redirects from those URLs, you can remove your previous My Domain. And if your previous My Domain name is different from your current My Domain name, you can move it to another org.
  • Enable HTTPS on Your Domains
    To safeguard your data, Salesforce plans to disable HTTP-only domains by July 2021. Prepare for this change by moving your Salesforce Sites and Experience Cloud sites to HTTPS domains now.
  • Deploy a My Domain (Previously Released Update)
    To use the latest features and comply with browser requirements, all Salesforce orgs must have a My Domain. Deploy one, or we assign one for you based on your company name. Because your My Domain affects all application URLs, we recommend that you test and deploy a My Domain before this update is enforced in Winter ’22. This update was first made available in Winter ’21.
  • Stabilize URLs for Visualforce, Experience Builder, Site.com Studio, and Content Files (Update, Retired)
    This update has been retired. To remove instance names from your URLs, use enhanced domains.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_domains.htm&release=230&type=5

Identity and Access Management

Simplify web session management for hybrid apps with the new OAuth 2.0 hybrid app flows. Other OAuth flow updates include an option to require client secrets during refresh token flows and an increased size limit for access and refresh tokens. Get more guidance and login metrics from the Multi-Factor Authentication Assistant. You can now monitor how your third-party identity providers authenticate users logging into your Salesforce org through OpenID Connect on the Login History page. And we renamed Identity Confirmation to Device Activation.

  • Enable Hybrid Apps to Directly Manage Web Sessions
    Use the OAuth 2.0 hybrid app flows to avoid the complexity of managing web sessions for hybrid apps. With a typical user-agent or refresh token flow, a hybrid app sets requested domain cookies and bridges an access token into a web session. But the access token and web session aren’t connected in these flows. Instead, you must track when the access and refresh tokens expire and when the web session expires, and then manually rebridge the session to avoid interrupted service. The OAuth 2.0 hybrid app flows connect the access and refresh tokens with the web session to give hybrid apps direct web session management.
  • Require the Client Secret during the Refresh Token Flow
    You can configure connected apps to require client secrets during the OAuth 2.0 refresh token and hybrid refresh token flows. For web-server based apps that can protect client secrets, you can configure the connected app to require client secrets. But for apps that can’t protect client secrets, such as mobile apps or apps installed on a user’s computer, you can omit the client secret during the refresh token flow. If you don’t require a client secret during the refresh token flow and a connected app sends the client secret in the authorization request, Salesforce still validates it.
  • Reduce Hybrid Mobile App Session Interruptions with a New Frontdoor.jsp Parameter
    To streamline how your org uses frontdoor.jsp to authorize hybrid app user sessions, use the directBridge2 parameter with the new OAuth 2.0 hybrid app token flows. After a user authenticates and starts a new session, the directBridge2 parameter directly passes the access token to the session ID cookie of the requested domain. This flow prevents interruptions when the refresh token flow is triggered because the hybrid app uses the same access token for both API calls and UI requests.
  • Get More Guidance from the Multi-Factor Authentication Assistant
    To help with your multi-factor authentication (MFA) implementation, the Multi-Factor Authentication Assistant now provides access to an MFA Accelerator webinar and to login metrics in the Lightning Usage App. The Accelerator webinar replaces the User Authentication Trailhead module that was previously available in the Assistant.
  • Monitor Login Metrics for Your Org’s Identity Services
    User login security is a cornerstone of protecting your data, and login metrics give you insight into user login activity. The new Login Metrics tab in the Lightning Usage App provides data for your org’s identity services, including multi-factor authentication (MFA) and single sign-on. If you’re implementing MFA, you can use login metrics to monitor MFA adoption. We also added MFA as a feature in the Salesforce Optimizer App to help you track the users who are (or aren’t) logging in with MFA.
  • Monitor How Your Identity Providers Authenticate Your Users with Authentication Method Reference
    Get a better understanding of how your third-party identity provider (IdP) authenticates users logging into Salesforce through OpenID Connect (OIDC). Check the Authentication Method Reference column of your Salesforce org’s Login History to see which authentication methods are used.
  • Easily Integrate Larger Access and Refresh Tokens for OpenID Connect
    The limit for access and refresh tokens is increased to 10,000 characters, which means you can now choose from more third-party identity providers to configure for Salesforce. Previously, the limit was 2,000 characters for each access token and 1,024 characters for each refresh token.
  • Identity Confirmation Is Now Device Activation
    When your users log in from an unrecognized browser or application (device), the identity verification type required from them is now called device activation. Previously, we sometimes called it identity confirmation. Device activation more accurately reflects what happens and is the industry standard term.
  • Manage Access to Login Flows with Profile Filtering
    To increase security, your users are now restricted from configuring login flows when you turn on Profile Filtering. With Profile Filtering enabled, your users need the View All Profiles permission to configure login flows.
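
A worked example of the client secret rule from Require the Client Secret during the Refresh Token Flow, added here and not taken from Salesforce: a toy authorization-server check for the OAuth 2.0 refresh token grant. The grant_type, client_id, client_secret and refresh_token parameters are the standard RFC 6749 ones (Salesforce accepts them at /services/oauth2/token); the ConnectedApp class, the APPS and ISSUED_TOKENS registries, and the client IDs, secrets and refresh tokens are constructed for the demo.

```python
"""Refresh-token request validation for a connected app.

Added example, not Salesforce code: a toy model of the authorization server's
checks for the OAuth 2.0 refresh token grant (RFC 6749 section 6), including the
per-app "require client secret" option described in the release note. The
ConnectedApp records, the issued-token registry and the request bodies are all
constructed for the demo.
"""
from dataclasses import dataclass
from hmac import compare_digest
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode


@dataclass(frozen=True)
class ConnectedApp:
    client_id: str
    client_secret: str
    require_secret_on_refresh: bool  # True for confidential (web-server) apps


# Constructed registry of connected apps, keyed by client_id.
APPS: Dict[str, ConnectedApp] = {
    "web.example": ConnectedApp("web.example", "s3cr3t-web", require_secret_on_refresh=True),
    "mobile.example": ConnectedApp("mobile.example", "s3cr3t-mobile", require_secret_on_refresh=False),
}

# Constructed record of which client each refresh token was issued to.
ISSUED_TOKENS: Dict[str, str] = {"rt-web-1": "web.example", "rt-mobile-1": "mobile.example"}


def build_refresh_request(client_id: str, refresh_token: str, client_secret: Optional[str] = None) -> str:
    """Form-encoded body a client POSTs to the token endpoint (/services/oauth2/token on Salesforce)."""
    params = {"grant_type": "refresh_token", "client_id": client_id, "refresh_token": refresh_token}
    if client_secret is not None:
        params["client_secret"] = client_secret
    return urlencode(params)


def validate_refresh_request(body: str, apps=APPS, issued=ISSUED_TOKENS) -> Tuple[bool, str]:
    """Decide whether a refresh-token request is accepted, and why not if it is rejected."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "refresh_token":
        return False, "unsupported_grant_type"
    if not form.get("refresh_token"):
        return False, "invalid_request: refresh_token missing"
    app = apps.get(form.get("client_id", ""))
    if app is None:
        return False, "invalid_client: unknown client_id"
    secret = form.get("client_secret")
    if secret is None:
        # Public clients (mobile or desktop apps) may omit the secret only if the app allows it.
        if app.require_secret_on_refresh:
            return False, "invalid_client: client_secret required for this connected app"
    elif not compare_digest(secret.encode(), app.client_secret.encode()):
        # A secret that is sent is always checked, even when the app does not require one.
        return False, "invalid_client: client_secret mismatch"
    # RFC 6749 section 6: the refresh token must have been issued to this client.
    if issued.get(form["refresh_token"]) != app.client_id:
        return False, "invalid_grant: refresh token not issued to this client"
    return True, "ok"


if __name__ == "__main__":
    cases = [
        ("web.example", "rt-web-1", "s3cr3t-web"),     # confidential app, secret present
        ("web.example", "rt-web-1", None),             # confidential app, secret omitted
        ("mobile.example", "rt-mobile-1", None),       # public app, secret not required
        ("mobile.example", "rt-mobile-1", "wrong"),    # public app sent a secret: still validated
        ("mobile.example", "rt-web-1", None),          # token issued to a different client
    ]
    for client_id, token, secret in cases:
        print(client_id, token, secret, "->", validate_refresh_request(build_refresh_request(client_id, token, secret)))
```

The fourth case is the one the note calls out: a public client that chooses to send a secret does not get a free pass; a wrong value is rejected exactly as it would be for a confidential app.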

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_and_identity.htm&release=230&type=5
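
An added example (not Salesforce code) for Monitor How Your Identity Providers Authenticate Your Users with Authentication Method Reference: it reads the amr claim out of OpenID Connect ID tokens and counts, per identity provider, how many logins carried a multi-factor method. It assumes that the Authentication Method Reference shown in Login History is the IdP's amr claim as defined in RFC 8176; the issuers, subjects and tokens are constructed, and the alg=none tokens are unsigned samples, so no signature check is modelled.

```python
"""Classify OIDC logins by Authentication Method Reference.

Added example, not Salesforce code. Assumption: the Authentication Method
Reference that Login History shows for OpenID Connect logins is the `amr`
claim (RFC 8176) that the third-party IdP puts in its ID token. The ID tokens
below are constructed sample payloads; signature verification, which a relying
party must do before trusting any claim, is not modelled here, so only the
payload segment is decoded.
"""
import base64
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional

# RFC 8176 amr values grouped by authentication factor category.
FACTOR_CATEGORY = {
    "pwd": "knowledge", "pin": "knowledge", "kba": "knowledge",
    "otp": "possession", "hwk": "possession", "swk": "possession",
    "sms": "possession", "tel": "possession", "sc": "possession",
    "fpt": "inherence", "face": "inherence", "iris": "inherence",
    "retina": "inherence", "vbm": "inherence",
}
# Values that assert multi-factor directly (multiple-factor / multiple-channel).
EXPLICIT_MFA = {"mfa", "mca"}


def b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the padding JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying it (demo only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def used_mfa(amr: Optional[List[str]]) -> bool:
    """True if amr asserts MFA explicitly or names factors from two or more categories."""
    if not amr:
        return False
    values = set(amr)
    if values & EXPLICIT_MFA:
        return True
    categories = {FACTOR_CATEGORY[v] for v in values if v in FACTOR_CATEGORY}
    return len(categories) >= 2


def summarize_by_issuer(id_tokens: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count per IdP (iss) how many logins were mfa, single_factor, or carried no amr."""
    summary = defaultdict(Counter)
    for token in id_tokens:
        claims = id_token_claims(token)
        amr = claims.get("amr")
        bucket = "no_amr" if amr is None else ("mfa" if used_mfa(amr) else "single_factor")
        summary[claims.get("iss", "<no iss>")][bucket] += 1
    return {iss: dict(counts) for iss, counts in summary.items()}


def make_sample_token(payload: dict) -> str:
    """Build an unsigned, constructed ID token (alg=none, empty signature) for the demo."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample logins from two hypothetical identity providers.
SAMPLE_TOKENS = [
    make_sample_token({"iss": "https://idp-a.example", "sub": "u1", "amr": ["pwd", "otp"]}),
    make_sample_token({"iss": "https://idp-a.example", "sub": "u2", "amr": ["pwd"]}),
    make_sample_token({"iss": "https://idp-b.example", "sub": "u3"}),
    make_sample_token({"iss": "https://idp-b.example", "sub": "u4", "amr": ["mfa"]}),
]

if __name__ == "__main__":
    for issuer, counts in summarize_by_issuer(SAMPLE_TOKENS).items():
        print(issuer, counts)
```

Two knowledge factors (password plus PIN) count as single-factor here, and a token with no amr at all is reported separately rather than assumed safe; an IdP that never sends amr gives you no MFA evidence, which is itself worth knowing when you use the Login History column to track adoption.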

Require Permission to View Record Names in Lookup Fields (Update, Retired)

This update has been retired. Salesforce won’t enable this update in all Salesforce orgs. Instead, you can choose when to restrict who can view record names in lookup fields with an opt-in setting on the Sharing Settings page.

When: This update has been retired and no longer appears on the Release Updates page in Setup.

How: To enable the opt-in setting, from Setup, in the Quick Find box, enter Sharing Settings, and then select Sharing Settings. Click Edit in the Organization-Wide Defaults area, then select Require permission to view record names in lookup fields.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_general_lookup_retired.htm&release=230&type=5

Require the View All Lookup Record Names Permission

To better protect your Salesforce org’s data, you can restrict who can view record names in lookup fields and system fields, such as Created By and Last Modified By. If you enable the Require permission to view record names in lookup fields setting, users need Read access to these records or the View All Lookup Record Names permission to view this data. Previously, this behavior was set to be enforced in a release update, but instead the functionality is now an opt-in setting so you can enable it when it best suits your org.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

Why: Admins have more control over what users see in records. If the Require permission to view record names in lookup fields setting isn’t enabled, users can view record names in lookup fields without Read access to those records.

After the Require permission to view record names in lookup fields setting is enabled, in Lightning Experience, users who don’t have Read access or the View All Lookup Record Names permission see the lookup field labels, but not the data in the fields.

In Salesforce Classic, users who don’t have Read access or the View All Lookup Record Names permission see an underscore in system user lookup fields. They also see the record ID in custom user lookup and non-user lookup fields.

How: To enable this setting, from Setup, in the Quick Find box, enter Sharing Settings, and then select Sharing Settings. Click Edit in the Organization-Wide Defaults area, then select Require permission to view record names in lookup fields.

Admins can enable the View All Lookup Record Names permission in custom profiles or permission sets. Only enable this permission for users who must see record names in all lookup and system fields, regardless of sharing settings. This permission only applies to lookup record names in list views and record detail pages.
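
An added example, not Salesforce code, that models the visibility rule above and the least-privilege point about the View All Lookup Record Names permission. The User and LookupField classes, the record IDs and the user names are constructed; the outcomes (name shown, label only in Lightning Experience, underscore or record ID in Salesforce Classic) follow the release note.

```python
"""Model of "Require permission to view record names in lookup fields".

Added example, not Salesforce code: encodes the visibility rule from the release
note and adds a least-privilege check for the View All Lookup Record Names
permission. Users, field definitions and record IDs are constructed; the
behaviours modelled (label only in Lightning Experience, underscore for system
user fields or record ID for other fields in Salesforce Classic) are the ones
the note states.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

VIEW_ALL_LOOKUP_RECORD_NAMES = "View All Lookup Record Names"


@dataclass
class User:
    name: str
    permissions: Set[str] = field(default_factory=set)
    readable_records: Set[str] = field(default_factory=set)  # record IDs the user has Read access to


@dataclass(frozen=True)
class LookupField:
    api_name: str
    is_system_user_field: bool  # Created By / Last Modified By style fields


def lookup_display(user: User, fld: LookupField, target_id: str, target_name: str,
                   setting_enabled: bool, ui: str = "lightning") -> Optional[str]:
    """What `user` sees in `fld` for a record they may or may not be able to Read.

    Returns the record name when visible; None when Lightning Experience shows the
    field label but hides the value; "_" or the record ID for the Classic fallbacks.
    """
    if (not setting_enabled
            or target_id in user.readable_records
            or VIEW_ALL_LOOKUP_RECORD_NAMES in user.permissions):
        return target_name
    if ui == "lightning":
        return None
    return "_" if fld.is_system_user_field else target_id


def unexpected_bypass_holders(users: Iterable[User], approved: Set[str]) -> List[str]:
    """Users holding the bypass permission who are not on the approved list."""
    return sorted(u.name for u in users
                  if VIEW_ALL_LOOKUP_RECORD_NAMES in u.permissions and u.name not in approved)


# Constructed sample data: two lookup fields and three users.
CREATED_BY = LookupField("CreatedById", is_system_user_field=True)
ACCOUNT = LookupField("AccountId", is_system_user_field=False)
ALICE = User("alice", readable_records={"001AAA"})              # Read access via sharing
BOB = User("bob")                                                # no access, no permission
CAROL = User("carol", permissions={VIEW_ALL_LOOKUP_RECORD_NAMES})  # holds the bypass permission

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        for ui in ("lightning", "classic"):
            print(user.name, ui, lookup_display(user, ACCOUNT, "001AAA", "Acme", True, ui),
                  lookup_display(user, CREATED_BY, "005BBB", "Jane Doe", True, ui))
    print("unexpected holders:", unexpected_bypass_holders([ALICE, BOB, CAROL], approved={"admin"}))
```

Run the audit function against your real permission-set assignments before turning the setting on: anyone it lists would still see every lookup name afterwards, so the setting only restricts as much as the bypass permission is kept scarce.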

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_general_lookup_setting.htm&release=230&type=5