
Restrict web2leads to one referring domain for security?

Hopefully I'm posting this message in the right place.
Configuring web2lead for various forms for our website, I can see that simple local test code can successfully post leads into Salesforce.
This seems to be an almighty 'hole' which makes it very easy for someone to write something nasty to fill our system with rubbish, as a simple 'view source' in a browser containing one of our web2lead forms would give them everything they need...
Is there a way to configure Salesforce's web2lead servlet to only accept leads that come from a specific domain(s) or specific URLs to stop this potential nightmare?
Ron Hess
No, there is no configuration to block the web2lead incoming process.

You can mass-delete leads if the problem gets out of hand.

Really? I'm a bit surprised this isn't a feature. It leaves it wide open to abuse and sabotage.

Also, it's a bit surprising that 'delete' isn't an available action from the leads screen.

Ron Hess
The delete button on leads does exist; it may have been hidden from your page layout or profile permissions.

Here is the posting on IdeaExchange where you can vote for this feature to be built.

Web 2 Lead & webform spam

Also read the responses; there are some ideas and options to consider.


Nope, the delete button doesn't exist on the lead screen as I described. There IS a delete button next to each individual lead, but you can't 'flag' multiple leads ready for an action then use a 'delete' action because there isn't one.

I meant that I am surprised that you can't protect your web-to-lead feature to only accept posts originating from your selected domain(s), i.e. your website and from nowhere else.

No doubt it will become a feature once a few people get their Salesforce leads filled up with rubbish by an interfering party. Would be better to have a feature that eliminated this possibility from happening in the first place.

You should try to use FormVester for AppExchange instead of the default Salesforce web2lead functionality. The application allows you to generate new leads in Salesforce from any of your existing online forms. Simply insert a JavaScript code snippet in your website pages to make it work. That way, a 'view source' with a browser would only make the snippet code visible, nothing else.
FormVester also has a deduplicate function, so that it always checks if the lead already exists in Salesforce before generating it. If the lead already exists, the lead is simply updated.

Hope it can help. Look for FormVester on the AppExchange.