Hotlinks may be embedded within an email and generated at run time. Typically these are used to view or edit the record from which they were sent. For example, the email may contain text like the following:
This issue has been assigned to you. To edit it, click here.
These hotlinks are automatically encrypted by the system, so it is not possible to obtain the user's login or password from them. However, if the email should fall into the hands of a malicious user, the hotlinks can still be used to edit the record.
There are two levels of protection against this possibility:
The generally recommended option is to use Setup > Access > Configure Hotlinks to specify that the user must enter their password and/or login/password the first time that they use a hyperlink from a particular device, such as a PC or tablet. This prevents anyone else from using the hotlink unless they also have access to that workstation or the login information.
The second option is to use Setup > Access > Configure Hotlinks to specify that the user must enter their password every time they use an email hyperlink. This requires additional effort from the user each time.
It is also possible to construct a hotlink manually, as described in Hyperlinks. Manually constructed hyperlinks can be encrypted and given an expiration date/time by navigating to Setup > Access > Automatic Login Hotlinks.
The secureHotlink(url) function encodes URLs for action buttons to hide the password from browsers. The function treats a URL as a hotlink, retrieves the project name from it, retrieves the public key for it, and encrypts the URL as a secured hotlink. For example:
is parsed as:
If the target server is unavailable for some reason, or the KB details are wrong, an empty URL will be returned as the secure hotlink, as the key could not be retrieved for encryption.