Other Security Changes

The CORS allowlist now supports browser extension requests to Salesforce REST resources. Prevent data loss and recover quickly from incorrect data updates or integration errors with the new Backup and Restore feature.

  • Prevent Data Loss with Backup and Restore (Generally Available)
    Protect your organization from permanent data loss and corruption by automatically generating backups. With just a few clicks, your data is backed up and can be restored quickly in the event of integration errors, malicious attempts, or incorrect data updates. Use Backup & Restore to prevent data loss, recover from data incidents quickly, and simplify your overall data management strategy.
  • Share Resources with Browser Extensions
    Add browser extensions to your cross-origin resource sharing (CORS) list to allow requests for Salesforce REST resources. Previously, the CORS allowlist supported only websites and IP addresses. For example, you can now allow an appointment management browser extension to view and work with your Salesforce records. Browser extensions that aren’t on your CORS allowlist are blocked from requesting resources.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_other_changes.htm&release=234&type=5

Security Center

Centralized Threat Detection is now generally available. Create in-app and email alerts to instantly learn about changes to security settings that you want to monitor. Parse metric data with filters for the results view.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_security_center.htm&release=234&type=5

Salesforce Shield

Shield Platform Encryption offers support for more Financial Services Cloud fields. Event Monitoring delivers better Transaction Security notification emails and four new Event Log File types. You can append only new data to Event Monitoring Analytics app datasets for more efficient updates (beta). Get more granular control over Field Audit Trail retention policies. And Einstein Data Detect (generally available) joins the Shield family, offering a faster way to find sensitive data no matter where it’s entered into your org.

  • Einstein Data Detect
    The newest addition to the Shield family, Einstein Data Detect finds sensitive data across your org and helps you plan your next security and privacy steps.
  • Event Monitoring
    Transaction Security email notifications contain more trigger event detail. Append only new data to Event Monitoring Analytics app datasets for more efficient daily dataset updates (beta). New event log file types help you analyze flow trends, monitor CORS violation records, audit installed managed packages that use named credentials, and monitor Bulk API 2.0 usage and performance.
  • Field Audit Trail
    When you set a retention policy on an object, Salesforce no longer sets the same policy for a different object with a similar key prefix.
  • Shield Platform Encryption
    Bring even more security to Financial Services Cloud data with encryption at rest for deal and interaction fields.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_shield.htm&release=234&type=5

Privacy Center

Changes to the Consent Data Model include new objects that allow you to create multiple brands and relationships in one Salesforce org. Enhancements to the existing Portability Policy feature make navigation more user-friendly.

  • Track Consent Preferences for Multiple Brands
    Store customer consent preferences for multiple brands that exist in one Salesforce org. Use the Business Brand object to identify different brands that share a parent brand. Then use the Customer and Seller objects to define unique relationships to these brands.
  • Manage Portability Policies with Feature Enhancements
    The Portability Policy dashboard you already know and love has new functionalities. Now you can activate, edit, and delete inactive policies, run policies directly from the dashboard, use the search function in the Portability Log, and more.
  • Hard Delete Records in Privacy Center
    You can now hard delete records when running a retention or RTBF policy. When you enable the Hard Delete option, the record bypasses the recycle bin. Without the option, the record goes to the recycle bin, which requires a wait period of 15 days before deleting or manually emptying the recycle bin.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_privacy_center.htm&release=234&type=5

Identity and Access Management

Salesforce Identity and Access Management now supports built-in authenticators, tracking of enforced multi-factor authentication (MFA) challenges, and Identity Connect 7.1. Prepare for the upcoming MFA requirement with the MFA Rollout Pack. For Salesforce Customer Identity, benefit from a new email template that provides consistent branding and control over customer communications.

  • Salesforce Identity for Your Employees
    Users can now register biometric built-in authenticators, such as Touch ID, Face ID, and Windows Hello. You can monitor which users register built-in authenticators and when they use them. As you prepare for the multi-factor authentication (MFA) requirement, check out the MFA Rollout Pack for customizable templates. Also, users are no longer subject to MFA challenges in Salesforce when they log in through an authentication provider that supports single sign-on. And you can track enforced MFA challenges with four new verification history fields in users reports. For increased security, configure forced authentication when Salesforce is acting as a SAML identity provider. Salesforce now prevents users from logging in with a username and password as GET query string parameters to the login URL. Upgrade to Identity Connect 7.1 as soon as possible because Salesforce no longer supports downloads for Identity Connect 2.1 and Identity Connect 3.0.X.X. For improved functionality, customize the way your JIT handler processes user information, include refresh tokens in the OAuth 2.0 user-agent flow, and authorize additional access to Salesforce CDP data.
  • Salesforce Identity for Your Customers
    Maintain consistent branding for your site and control customer communications with the Device Activation email template. When you’re using Apex to manage identity verification for Experience Cloud sites, guarantee that self-registration verification messages are sent in the right language. To improve privacy and security, we shortened durations of the lloopch_loid and hideIdentityDialog cookies and increased the length of one-time passwords.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_auth_and_identity.htm&release=234&type=5
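
The Salesforce Identity for Your Employees item above says that logins passing a username and password as GET query string parameters are now blocked. The following added example (not Salesforce code) scans text such as exported bookmarks or job configurations for login URLs of that kind, so they can be replaced and the exposed passwords rotated. The parameter names `un` and `pw`, the host list, and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
GENERIC_HOSTS = {"login.salesforce.com", "test.salesforce.com"}  # assumed host list
USER_PARAM, PASS_PARAM = "un", "pw"  # assumed legacy parameter names

def is_login_host(host):
    """True for the generic login hosts or a My Domain login host."""
    return host in GENERIC_HOSTS or host.endswith(".my.salesforce.com")

def find_credential_urls(text):
    """Return one finding per login URL that carries a password parameter.

    The password value is replaced before the URL is stored, so the report
    itself does not become another copy of the secret.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            try:
                parts = urlsplit(match.group(0))
                host = (parts.hostname or "").lower()
            except ValueError:  # malformed URL text, nothing to report
                continue
            query = parse_qsl(parts.query, keep_blank_values=True)
            keys = {key.lower() for key, _ in query}
            if not is_login_host(host) or PASS_PARAM not in keys:
                continue
            redacted = [(k, "REDACTED" if k.lower() == PASS_PARAM else v)
                        for k, v in query]
            findings.append({
                "line": lineno,
                "host": host,
                "has_username": USER_PARAM in keys,
                "redacted_url": urlunsplit(parts._replace(query=urlencode(redacted))),
            })
    return findings

# Constructed sample input: bookmarks and script fragments, not real data.
SAMPLE = """\
kiosk bookmark: https://login.salesforce.com/?un=jdoe%40example.com&pw=Hunter2 (old)
help link: https://login.salesforce.com/
job config: https://mycompany.my.salesforce.com/?pw=s3cret&un=svc%40example.com&startURL=%2Fhome
unrelated: https://example.com/?un=a&pw=b
"""

if __name__ == "__main__":
    for finding in find_credential_urls(SAMPLE):
        print(finding["line"], finding["redacted_url"])
```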

Domains

All Salesforce orgs must have a My Domain. Enable enhanced domains to meet the latest browser requirements. Restrict users’ email domains and require SOAP API calls to log in with My Domain. And we’re moving custom domains that serve Experience Cloud sites to Salesforce Edge Network.

  • Deploy a My Domain (Release Update)
    To use the latest features and comply with browser requirements, all Salesforce orgs must have a My Domain. Deploy one, or we assign one for you based on your org ID. If you prefer to use a different My Domain name, you can change it. Because your My Domain affects all application URLs, we recommend that you test and deploy a My Domain before this update is enforced. This update was first made available in Winter ’21 and is enforced in Winter ’22.
  • Enable User Email Domain Restrictions
    To restrict the email domains allowed in a user’s Email field, enable the email domain allowlist. Previously, you contacted Salesforce Support to enable this feature.
  • Require SOAP API Calls to Log In with My Domain
    By default, SOAP API calls can log in with a generic Salesforce login URL, such as https://login.salesforce.com, or your My Domain login URL, such as https://mycompany.my.salesforce.com. To further restrict access to your org, require that SOAP API logins use your My Domain login URL.
  • Prepare for Your Custom Domain to Use Salesforce Edge Network
    To deliver a consistent user experience regardless of a user’s location, Salesforce is migrating custom domains that serve Experience Cloud sites to the Salesforce Edge Network infrastructure. To prepare, update your allowlists to include the latest Salesforce IP ranges.
  • Enable Enhanced Domains (Release Update)
    To comply with the latest browser and security standards, enable enhanced domains on your Salesforce org’s My Domain. With enhanced domains, your company-specific My Domain name is included in your URLs, including Salesforce Sites and Experience Cloud sites. Consistent domain formats improve the user experience and standardize URLs for use in custom code and API calls. Salesforce enhanced domains also comply with the latest browser requirements, allowing your users to access Salesforce using browsers that block third-party cookies. Because this update affects application URLs, including Experience Cloud sites, Salesforce Sites, and Visualforce pages, we recommend that you enable enhanced domains before this update is enforced. This update was first made available in Summer ’21.
  • Domain HTTPS Option Was Renamed
    The domain HTTPS option “Salesforce serves the domain over HTTPS using a Salesforce content delivery network (CDN) partner and a shared or single HTTPS certificate” was renamed. It’s now called “Salesforce serves the domain over HTTPS using a Salesforce content delivery network (CDN) partner.”

https://help.salesforce.com/s/articleView?id=release-notes.rn_security_domains.htm&release=234&type=5

Security, Identity, and Privacy

To comply with browser requirements, you must have a My Domain, or we deploy one for you. Verify your identity with biometric built-in authenticators. To help you prepare for the multi-factor authentication (MFA) requirement, use the MFA Rollout Pack. Enjoy a more intuitive consent data model and Portability Policy dashboards. Event Monitoring includes four new event log file types and more detailed Transaction Security policy notification emails. Encrypt more Financial Services Cloud data at rest. Find sensitive data across your org with the new Einstein Data Detect managed package (generally available). And Threat Detection integration with Security Center is now generally available, along with customizable alerts for monitoring security configuration changes.

https://help.salesforce.com/s/articleView?id=release-notes.rn_security.htm&release=234&type=5

Grant Access to the DeveloperName Field to Users Who Require It

The DeveloperName field has new permission requirements for multiple Salesforce objects and types across various APIs. Following the Winter ’22 release, some users can lose access to the DeveloperName field on objects that they typically interact with. To view, group, sort, or filter the DeveloperName field on affected API objects, you must have View Setup and Configuration OR View DeveloperName permission.

Where: This change applies to all editions.

How: Restore access by giving users the View Setup and Configuration OR View DeveloperName permission via a profile or permission set. For a list of affected objects and types, see the related knowledge article.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_permissions_grant_access_developername_field.htm&release=234&type=5

Manage Assignment Expiration in Permission Sets and Permission Set Groups (Beta)

You can now view and update current assignment expirations for your permission sets and your permission set groups. Previously, to update assignment expirations, you recreated them with the correct expiration date.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions.

Why: Suppose a sales manager wants consultants to evaluate the language used in sales contracts. You give the consultants access to the contracts object and other permissions via a permission set group so that they can perform their work. The project has an end date, so you don’t want contractors to access sales contracts after that date. Set the expiration date for the permission set group when you assign it to users. If the project end is extended, edit the expiration date for the permission set group to the new date.

How: Enable Permission Set Group Assignments with Expiration Dates (Beta) in User Management Settings. Then from either the Permission Set Group or Permission Set page, click Manage Assignment Expiration. On the Current Assignments page, you can view a list of the users that are assigned to the permission set or the permission set group. To create a user assignment, click Add Assignment. To modify the expiration date of existing assignments, click Edit Assignment. To remove an assignment, click Remove Assignment.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_permissions_manage_assignment_expiration.htm&release=234&type=5

Create Custom Profiles from Scratch via the SOAP API

It’s easier to configure custom profiles to have the permissions you need. Use the Profile SOAP API object to create custom profiles that start without any permissions enabled. Previously, to create a custom profile, you cloned an existing profile in Setup and then removed permissions that you didn’t want the assigned users to have. The Profile Metadata API type functions as before.

Where: This change applies to Lightning Experience and Salesforce Classic in Professional, Enterprise, Performance, Unlimited, and Developer editions.

How: Use the create() call on the Profile SOAP API object and specify the Description, Name, and UserLicenseId fields. You can enable permissions using the API or, after the profile is created, on the profile’s page in Setup. Required permissions for the profile’s user license are automatically enabled.

https://help.salesforce.com/s/articleView?id=release-notes.rn_forcecom_permissions_profile_create.htm&release=234&type=5
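
The create() call described above, shown as an added example (not Salesforce code): it builds the SOAP request for a new Profile and lists which permission fields the request would enable, so that a profile meant to start empty can be reviewed before anything is sent. It assumes the partner API namespaces and `Permissions*` field naming; the function names and all sample values, including the session ID and user license ID, are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces of the SOAP envelope and the Salesforce partner API (assumed).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PARTNER = "urn:partner.soap.sforce.com"
SOBJECT = "urn:sobject.partner.soap.sforce.com"

def build_profile_create(session_id, name, description, user_license_id,
                         permissions=()):
    """Return a create() envelope for one Profile record.

    permissions: Permissions* boolean fields to enable explicitly. Left
    empty, the request sets only the three fields the page names.
    """
    for perm in permissions:
        if not perm.startswith("Permissions"):
            raise ValueError(f"not a profile permission field: {perm}")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    session = ET.SubElement(header, f"{{{PARTNER}}}SessionHeader")
    ET.SubElement(session, f"{{{PARTNER}}}sessionId").text = session_id
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    create = ET.SubElement(body, f"{{{PARTNER}}}create")
    sobj = ET.SubElement(create, f"{{{PARTNER}}}sObjects")
    ET.SubElement(sobj, f"{{{SOBJECT}}}type").text = "Profile"
    fields = [("Name", name), ("Description", description),
              ("UserLicenseId", user_license_id)]
    fields += [(perm, "true") for perm in permissions]
    for field, value in fields:
        # ElementTree escapes text, so values cannot break the XML.
        ET.SubElement(sobj, f"{{{SOBJECT}}}{field}").text = value
    return ET.tostring(env, encoding="unicode")

def enabled_permissions(envelope_xml):
    """List the Permissions* fields an envelope would turn on."""
    root = ET.fromstring(envelope_xml)
    prefix = f"{{{SOBJECT}}}Permissions"
    return sorted(el.tag.split("}")[1] for el in root.iter()
                  if el.tag.startswith(prefix) and el.text == "true")

if __name__ == "__main__":
    # Constructed values; a real session ID comes from a prior login() call.
    xml = build_profile_create("SESSION_ID_PLACEHOLDER", "Contract Reviewer",
                               "Read-only review of sales contracts",
                               "100000000000000AAA")
    print(enabled_permissions(xml))
```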