Other Security Changes

Improve load times for authenticated site visitors through a new Visualforce page caching option. Update your site guest users to the latest license. Secure HTTPS connections are enforced for third-party domain connections, and you can decide what types of cookies are allowed on your Salesforce Sites.

  • Cache Your Site’s Visualforce Pages for Authenticated Users
    Improve your authenticated users’ experience by caching your site’s Visualforce pages on their web browsers to reduce page load times. By default, proxy servers cache publicly available pages only for unauthenticated guest users. Now you can disable that proxy server caching and determine whether to cache each page on the end user’s web browser instead. The page-specific caching applies to authenticated and unauthenticated users.
  • Update Site Guest Users to the Latest License
    Some Experience Cloud sites and Salesforce Sites created before the Spring ’21 release can have an outdated license associated with the site’s guest users. If your site’s guest users have the standard guest user license, update them to the provisioned guest user license, which gets updated automatically and has more consistent permissions.
  • Secure HTTPS Connections to Third-Party Domains Are Enforced
    HTTPS connections are required to connect to third-party domains, and HTTP connections are no longer permitted. The Require secure connections (HTTPS) for all third-party domains setting on the Session Settings Setup page was removed because it can’t be disabled. The Require secure connections (HTTPS) setting was also removed because it was previously enabled and can’t be disabled.
  • Set Preferences for Allowed Cookies for Salesforce Sites
    A new Salesforce Sites setting lets you decide what types of cookies are allowed on your site by default.
  • View Source IP Addresses in Your Private Connect Inbound Connections
    You can now easily view the ranges of source IP addresses allocated to your inbound network connections by the Salesforce Transit VPC in your cloud provider, such as AWS. Use these IP addresses with Salesforce security features to get more protection. For example, you can specify that users can log in from these IP addresses without receiving a login challenge. Or add these source IP addresses to the list of restricted addresses that users can access Salesforce from.
  • Private Connect Is HIPAA Compliant
    Your Health Insurance Portability and Accountability Act (HIPAA)-regulated Salesforce customers can now use Private Connect and maintain HIPAA compliance by signing the Salesforce Business Associate Addendum (BAA). Regulated Health Care Salesforce customers can rest assured that their customer data, including electronic protected health information (ePHI), is accessible exclusively through the private internet.
  • Add More Trusted Domains for Inline Frames
    You can now add up to 512 domains where you allow iframes of your Visualforce pages, site pages, surveys, or embedded services. Previously, the limit was 256 domains.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_other_changes.htm&release=232&type=5

Security Center

New date range fields on metric detail pages give you flexibility over which metric details you see at once. And Security Center now integrates with Event Monitoring Threat Detection (beta). You can see the total number of events per threat type, along with detailed information about each threat event without leaving the Security Center app. Threat event metrics update in near real time, offering you a more timely and complete view of your security posture.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_sc.htm&release=232&type=5

Salesforce Shield

Use the new Real-Time Event Monitoring Permission Set Event (generally available) to monitor permission changes and even make Transaction Security policies for user permissions. The APITotalUsage event log file type helps you track unused API versions. And the new USER_TYPE field helps identify if users associated with events are authenticated or guest users. Shield Platform Encryption now supports the User Email field (beta) and contact point fields.

  • Shield Platform Encryption
    By popular demand, Shield Platform Encryption for User Email (beta) offers an extra layer of protection for user emails used throughout your Salesforce deployment. You can also encrypt addresses, email addresses, and phone numbers for the points of contact associated with individual and person accounts.
  • Event Monitoring
    Some Event Log File types now include a USER_TYPE field to help you identify whether users associated with events are authenticated or guest users. The new API Total Usage event type gives admins insights into which orgs use retired API versions. And, use the Security Center app to review metrics about Threat Detection events (beta).

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_shield.htm&release=232&type=5

Domains

Deploy a My Domain, and enable enhanced domains to meet the latest browser requirements. Improve Search Engine Optimization (SEO) by redirecting your site traffic to your custom domain. Secure HTTPS connections are enforced and HSTS preloading is recommended for your domains.

  • Enable Enhanced Domains (Update)
    To comply with the latest browser and security standards, enable enhanced domains on your Salesforce org’s My Domain. With enhanced domains, your company-specific My Domain name is included in your URLs, including Salesforce Sites and Experience Cloud sites. Consistent domain formats improve the user experience and standardize URLs for use in custom code and API calls. Salesforce enhanced domains also comply with the latest browser requirements, allowing your users to access Salesforce using browsers that block third-party cookies. Because this update affects application URLs, including Experience Cloud sites, Salesforce Sites, and Visualforce pages, we recommend that you enable enhanced domains before it’s enforced in Summer ’22.
  • Redirect Site Traffic to Your Custom Domain
    Improve your custom domain’s Search Engine Optimization (SEO) by redirecting requests for your site’s system-managed URL to the HTTPS custom domain, such as https://example.com, that serves the site. System-managed site base URLs end in .force.com, .my.salesforce-sites.com, or .my.site.com. Redirecting traffic from these URLs to your branded domain improves the user experience and helps search engines properly rank your custom domain.
  • Secure HTTPS Connections Are Enforced in Domains
    To better protect your data, Salesforce disabled HTTP-only domains. Settings that enforce HTTPS connections or upgrade HTTP requests were enabled and then removed in Summer ’21 because they’re required and enforced by default. We also renamed our non-HTTPS domain configuration option to reflect that it’s for temporary use only.
  • Allow Only Secure Connections to Your Domain with HSTS Preloading
    As a security best practice, enable and submit your domain for HTTP Strict Transport Security (HSTS) preloading so that HTTPS connections are always used in supported browsers. Currently, all HTTP requests are redirected to HTTPS. However, connections are still vulnerable during that redirection.
  • Deploy a My Domain (Previously Released Update)
    To use the latest features and comply with browser requirements, all Salesforce orgs must have a My Domain. Deploy one, or we assign one for you based on your org ID. Because your My Domain affects all application URLs, we recommend that you test and deploy a My Domain before this update is enforced in Winter ’22. This update was first made available in Winter ’21.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_domains.htm&release=232&type=5

Identity and Access Management

Identity and Access Management provides you with an upgraded version of the Multi-Factor Authentication Assistant, which includes a step that helps you preview multi-factor authentication (MFA) during your evaluation period. Other improvements include updates to OAuth 2.0 flows and connected app access to Customer Data Platform (CDP) ingest API services. And you can secure email address updates by requiring password resets. Customer 360 Identity provides extra customer protection with secure Embedded Login redirects and verification of email address updates. We’re deprecating Identity Connect 2.1 and Identity Connect 3.0.1.2. You can upgrade to Identity Connect 7 when it’s released later this spring. In the Winter ’22 release, Salesforce is increasing the length of one-time passwords to improve security.

  • Manage Your Customer Identities in a Central Location with Salesforce Customer Identity Plus
    Salesforce Customer Identity Plus brings together the power of Salesforce and Auth0’s identity-as-a-service SaaS to deliver our latest consumer identity and access management (CIAM) solution. With Customer Identity Plus, connect to all of your customers, apps, and products by managing customer identities centrally for Commerce Cloud, Sales Cloud, and third-party applications. Customer Identity Plus makes identity configuration easy through simple clicks and SDKs that can seamlessly integrate an identity layer into existing applications. And if you want customization capabilities, Customer Identity Plus gives you full control over design and authentication flows.
  • Get More Guidance from the Multi-Factor Authentication Assistant
    The Multi-Factor Authentication Assistant now includes a step that helps you preview multi-factor authentication (MFA) during your evaluation period. While you’re getting ready to roll out MFA for Salesforce, we recommend turning it on for a few of your Salesforce champions. Conducting a preview or pilot with some trusted users lets you test the rollout process and collect early feedback on the MFA user experience. Use these insights to ensure there are no gaps in your rollout or change management plans. You can also determine the kinds of onboarding materials your users need when you’re ready to launch MFA more broadly.
  • Get Assigned Scopes with Access Tokens in the OAuth 2.0 JWT Bearer Flow
    With the OAuth 2.0 JWT bearer flow, for connected apps that are preauthorized, standard and custom scopes are automatically returned with an access token. Previously, only standard scopes or scopes issued with former access tokens were returned.
  • Improve Performance Times of the OAuth 2.0 Hybrid App Flows
    Improve performance times of the OAuth 2.0 hybrid app flows by directly bridging an access token into a web session without using frontdoor.jsp. With the hybrid app token flow, a hybrid app sets the domains’ associated SIDs in the session cookies. It then directly bridges its own web session. During the hybrid refresh token flow, when a new access token is granted, the hybrid app receives updated domain SIDs. It can directly reset the session cookies and avoid interruptions.
  • Give Authorized Access to Salesforce CDP Ingestion API Data
    To authorize a connected app to access Salesforce CDP Ingestion API data, assign it the new OAuth scope: Access and manage your Salesforce CDP Ingestion API data. Customers can use the associated external app to upload and maintain external data sets in the Salesforce CDP platform.
  • Redirect Expired Tabs to a Custom Logout URL
    For Salesforce sessions, you can now redirect all expired tabs in your browser to a custom logout URL. Previously, the redirect URL wasn’t applied to all expired tabs. Instead, only one tab was being redirected correctly, and the other tabs were redirected to Salesforce.com.
  • Require Password Changes for Email Address Updates
    You can now require a user to change passwords before an admin-initiated email address update is approved. To quickly update your users’ email addresses, you can change email addresses without requiring a password reset. But, for better security, you can require users to change their passwords before email address updates are approved.
  • Require Verification When Experience Cloud Users, Partners, and Customers Change Their Email Address (Update, Enforced)
    To protect user accounts against security threats, Salesforce now requires Experience Cloud users, partners, and customers to verify their email address changes. This update, first available in Winter ’21, was scheduled for auto-enforcement in Spring ’21, but was postponed to and is enforced in Summer ’21.
  • Block Customer Redirects to Unknown URLs
    Protect your customers with a new Embedded Login setting that blocks redirects to unknown URLs. After customers successfully log in to your Experience Cloud site with Embedded Login, they’re redirected to URLs that are located in the same host or domain as the site or that are allow-listed.
  • Identity Connect 2.1 and Identity Connect 3.0.1.2 Are Being Deprecated
    As of the Winter ’22 release, we’re deprecating Identity Connect 2.1 and Identity Connect 3.0.1.2, and you can no longer download these versions of the product. We recommend that you upgrade to Identity Connect 7 when it becomes available.
  • One-Time Passwords Are Getting Longer in Winter ’22
    In Winter ’22, to improve security, Salesforce is increasing the length of one-time passwords (OTPs) used for identity verification from five digits to six digits. If you have customizations that rely on six-digit OTPs, such as custom Apex implementations for multi-factor authentication (MFA) or passwordless login, change them before the Winter ’22 release.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_and_identity.htm&release=232&type=5

Security and Identity

Preview Multi-Factor Authentication Assistant behavior before you deploy it. URL redirects and OAuth 2.0 flows are more secure and efficient. You can now update users’ email addresses more easily and securely. HTTPS is required for Salesforce domains, and enhanced domains meet browser security requirements. Encrypt the User Email field (beta). Learn more about API version use with the new API Total Usage event type. Security Center now integrates with Threat Detection (beta). For sites, improve page load times with caching and update guest user licenses.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security.htm&release=232&type=5

Convert the Read Only Standard Profile to a Custom Profile (Update, Enforced)

This update converts the Read Only standard profile to a custom profile, which allows you to edit permissions in this profile as your business needs require. This update was first available in Spring ’21 and is enforced in Summer ’21.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

When: This update was first available in Spring ’21 and is enforced in Summer ’21. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab.

Why: The Read Only standard profile allowed assigned users to view setup, run and export reports, and to view, but not edit, other records. As Salesforce products and offerings expanded, permissions that grant implicit or explicit edit access were added to this profile to allow Salesforce features to function.

To let you customize the Read Only profile to fit your risk tolerance and definition of read only, this update converts the Read Only standard profile to a custom profile. After this update is enforced, you can edit the Read Only custom profile to remove or add permissions as your business needs require. You can also rename the profile, for example, to reflect what it permits or who it’s assigned to.

As part of this change, Essentials editions can create up to two custom profiles and Professional editions can create up to three custom profiles. The converted custom Read Only profile counts towards this limit.

How: Before this update is enforced, review the permissions included in the Read Only profile. Evaluate whether you want the users assigned to the Read Only profile to continue to have the included permissions. You can see a full list of included permissions in the knowledge article, Read Only Profile Conversion to Custom Profile.

After you review the permissions, decide whether to reassign your users to a new profile or to use the existing Read Only profile without reassigning your users. If you continue to use the existing Read Only profile, update your custom code to reference the correct name of the Read Only standard profile after it’s converted to make sure that your configurations and deployments remain intact.

To review this update, from Setup, in the Quick Find box, enter Release Updates, then select Release Updates. For Convert the Read Only Standard Profile to a Custom Profile, follow the testing and activation steps.

New Salesforce orgs created in Spring ’21 and later don’t have the Read Only profile. We recommend that you start with the Minimum Access standard profile as a least-privilege profile base, and assign custom permission sets to grant this user the Read access required by your business needs.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_permissions_read_only_enforced.htm&release=232&type=5

Enable Permission Set Group Assignments with Expiration Dates (Beta) Option

Enable Permission Set Group Assignments with Expiration Dates (beta) to use an updated user interface that includes an assignment expiration option. The option appears on the User Management Settings page in Setup.

Where: This change applies to Lightning Experience and Salesforce Classic in Essentials, Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com editions.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_user_mgmt_perm_expire.htm&release=232&type=5

Set Expirations for Assignments on Permissions in Permission Sets and Permission Set Groups (Beta)

When assigning users to a permission set or permission set group, select expiration dates that you specify. Control when a user’s permissions expire based on your business requirements.

Where: This change applies to Lightning Experience and Salesforce Classic in Essentials, Contact Manager, Professional, Group, Enterprise, Performance, Unlimited, Developer, and Database.com editions.

Why: Suppose a sales manager needs consultants to evaluate language used in sales contracts. You give the consultants access to the Contracts object and other permissions via a permission set group so that they can perform their work. The project has an end date, so you don’t want contractors to access sales contracts after that date. Set the expiration date and time zone for the permission set group when you assign it to users.

How: You can set an expiration date for a permission set or permission set group using the API.

To use the user interface with assignment expiration options for permission set groups, enable Permission Set Group Assignments with Expiration Dates (Beta) in User Management Settings. Then, when you assign users to a permission set group, select the expiration options that you want. You can also select no expiration date as an option.
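As an added example of the API route described above (not Salesforce’s own code), this Apex class time-boxes the consultant scenario from the Why section: it assigns a permission set group with an expiration date and then lists assignments on that group that still have no expiry for review. It assumes a permission set group with DeveloperName Contract_Review exists and relies on the ExpirationDate field of PermissionSetAssignment (API version 52.0 and later).

```apex
// Added example, not Salesforce's own code. Assumes a permission set group
// with DeveloperName 'Contract_Review' and that the caller has Manage Users.
public with sharing class TimeboxedAccess {

    // Assign the permission set group to each user with an expiration so the
    // access lapses on its own when the contract review project ends.
    // ExpirationDate is the dateTime field on PermissionSetAssignment (v52.0+).
    public static List<PermissionSetAssignment> assignWithExpiry(
            Set<Id> userIds, String groupDeveloperName, DateTime expiresAt) {
        if (expiresAt == null || expiresAt <= DateTime.now()) {
            throw new IllegalArgumentException('Expiration must be in the future');
        }
        PermissionSetGroup psg = [
            SELECT Id FROM PermissionSetGroup
            WHERE DeveloperName = :groupDeveloperName
            LIMIT 1
        ];
        List<PermissionSetAssignment> assignments = new List<PermissionSetAssignment>();
        for (Id uid : userIds) {
            assignments.add(new PermissionSetAssignment(
                AssigneeId = uid,
                PermissionSetGroupId = psg.Id,
                ExpirationDate = expiresAt   // stored in UTC; build it in the
            ));                              // time zone you intend to honor
        }
        insert assignments;
        return assignments;
    }

    // Review step: open-ended assignments on the group are the ones that
    // bypass the time box and deserve a second look.
    public static List<PermissionSetAssignment> findOpenEnded(String groupDeveloperName) {
        return [
            SELECT Id, AssigneeId, Assignee.Username, ExpirationDate
            FROM PermissionSetAssignment
            WHERE PermissionSetGroup.DeveloperName = :groupDeveloperName
              AND ExpirationDate = null
        ];
    }
}

// Usage from Execute Anonymous (consultantId is a placeholder User Id):
// TimeboxedAccess.assignWithExpiry(new Set<Id>{ consultantId }, 'Contract_Review',
//     DateTime.newInstance(2021, 9, 30, 17, 0, 0));
// System.debug(TimeboxedAccess.findOpenEnded('Contract_Review'));
```

The same pattern applies to a single permission set by setting PermissionSetId instead of PermissionSetGroupId on the assignment.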

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_permissions_expire.htm&release=232&type=5