Critical Updates

This release includes a new critical update for email security. And we’re retiring the critical update that enforces stricter content security policy for Lightning components.

To ensure a smooth transition, each critical update has an opt-in period, which ends on the auto-activation date that’s displayed on the Critical Updates page in Setup. During this period, you can manually activate and deactivate the update as often as you need to evaluate the impact on your org and modify affected customizations. After the opt-in period has passed, the update is activated automatically. For more details, see Respond to Critical Updates.

New Critical Updates

These critical updates are new in Winter ’19.

Improve Security for Sites and Communities by Restricting Record Access for Guest Users
To address potential security vulnerabilities, we applied a critical update to Salesforce sites and communities on October 5, 2018. This update removed default record access for guest users so that they can no longer create, read, update, or delete Salesforce records. You can give guest users access to your Salesforce records by editing your object permissions.
Improve Email Security with Redesigned DKIM Keys
To address potential security vulnerabilities with DomainKeys Identified Mail (DKIM) keys, we improved the way they’re created. You no longer have to mess around with public and private keys. Instead, Salesforce publishes the TXT record containing your public key to DNS. We also added automatic key rotation to reduce the risk of your keys becoming compromised by a third party. And, because sharing keys can introduce security vulnerabilities, we removed the ability to import DKIM keys.

Retired Critical Updates

The “Enable Stricter Content Security Policy for Lightning Components” critical update has been replaced by an org setting. For more information, see Stricter Content Security Policy (CSP) Changed from a Critical Update to an Org Setting.