It is always essential to monitor your Salesforce org’s security Health Check. The score percentage tells you how well the org complies with the security baseline.
A summary score shows how your org measures against a security baseline, like the Salesforce Baseline Standard.
The Health Check score is calculated by a proprietary formula that measures how well your security settings meet either the Salesforce Baseline Standard or your selected custom baseline. Settings that meet or exceed compliance raise your score, and settings at risk lower your score.
There are four risk categories: High-Risk, Medium-Risk, Low-Risk, and Informational. The risk categories affect your Health Check score, with High-Risk settings counting the most, Low-Risk settings counting the least, and Medium-Risk settings, well, they’re in the middle. Settings in the Informational category do not factor into your Health Check score. For details, see Salesforce Baseline Standard.
If all settings meet or exceed the standard, your total score is 100%. As you update your settings, your green bar moves to the right!
Your grade is based on your score.
From Setup, enter Health Check in the Quick Find box, then select Health Check.
In the baseline dropdown (1), choose the Salesforce Baseline Standard or a custom baseline. The baseline consists of recommended values for High-Risk, Medium-Risk, Low-Risk, and Informational Security Settings (2). If you change settings to be less restrictive than what’s in the baseline, your health check score (3) and grade (4) decrease.
Your settings are shown with information about how they compare against baseline values (5). To remediate a risk, edit the setting (6) or use Fix Risks (7) to quickly change settings to your selected baseline’s recommended values without leaving the Health Check page. You can import, export, edit, or delete a custom baseline with the baseline control menu (8).
Note: Use a valid XML file with only English language characters. The file cannot be larger than 20 KB. Make sure that each value is surrounded by quotation marks. Be careful not to delete any of them when editing the file.
The following are the settings, risk levels, and values from the default Salesforce Baseline Standard. If you are using a custom baseline, your information differs.
High Risk Security Settings
SETTING | COMPLIANT VALUE | WARNING VALUE | CRITICAL VALUE |
---|---|---|---|
Lock sessions to the domain in which they were first used | Checkbox selected | N/A | Checkbox deselected |
Enable the SMS method of identity confirmation | Checkbox selected | N/A | Checkbox deselected |
Enable clickjack protection for Setup pages | Checkbox selected | N/A | Checkbox deselected |
Enable clickjack protection for non-Setup Salesforce pages | Checkbox selected | N/A | Checkbox deselected |
Enable clickjack protection for customer VisualForce pages with standard headers | Checkbox selected | N/A | Checkbox deselected |
Enable clickjack protection for customer VisualForce pages with headers disabled | Checkbox selected | N/A | Checkbox deselected |
Enable CSRF protection on GET requests on non-setup pages | Checkbox selected | N/A | Checkbox deselected |
Enable CSRF protection on POST requests on non-setup pages | Checkbox selected | N/A | Checkbox deselected |
Require Secure Connections (HTTPS) | Checkbox selected | N/A | Checkbox deselected |
Require HttpOnly attribute | Checkbox selected | Checkbox deselected | N/A |
Require secure connections (HTTPS) for all third-party domains | Checkbox selected | Checkbox deselected | N/A |
Number of security risk file types with hybrid behavior | No security risk file types have hybrid behavior enabled | One or more security risk file types has hybrid behavior enabled | N/A |
Maximum invalid login attempts | 3 | 5, 10 | No Limit |
Number of expired certificates | No certificates have expired | One or more certificates have expired | N/A |
Medium Risk Security Settings
SETTING | COMPLIANT VALUE | WARNING VALUE | CRITICAL VALUE |
---|---|---|---|
Require a minimum 1 day password lifetime | Checkbox selected | Checkbox deselected | N/A |
Force relogin after Login-As-User | Checkbox selected | N/A | Checkbox deselected |
Enforce login IP ranges on every request | Checkbox selected | Checkbox deselected | N/A |
Enable Content Security Policy protection for email templates | Checkbox selected | N/A | Checkbox deselected |
Enable XSS protection | Checkbox selected | N/A | Checkbox deselected |
Enable Content Sniffing protection | Checkbox selected | N/A | Checkbox deselected |
Administrators Can Log In As Any User | Checkbox deselected | Checkbox selected | N/A |
Enforce password history | 3 or more passwords remembered | 1 or 2 passwords remembered | No passwords remembered |
Minimum password length | 8 | 6 or 7 | 5 or less |
User passwords expire in | 90 days or less | 180 days | One year or Never expires |
Password complexity requirement | Must mix alpha, numeric, and special characters, or more complex | Must mix alpha and numeric characters | No restriction |
Low Risk Security Settings
SETTING | COMPLIANT VALUE | WARNING VALUE | CRITICAL VALUE |
---|---|---|---|
Obscure secret answer for password resets | Checkbox selected | Checkbox deselected | N/A |
Force logout on session timeout | Checkbox selected | Checkbox deselected | N/A |
Require identity verification during two-factor authentication registration | Checkbox selected | N/A | Checkbox deselected |
Require identity verification for change of email address | Checkbox selected | N/A | Checkbox deselected |
Remote Site | No remote sites with the Disable Protocol Security option selected | At least one remote site created with the Disable Protocol Security option selected. | N/A |
Password question requirement | Cannot contain password | None | N/A |
Timeout Value | 2 hours or less | 4, 8, or 12 hours | Checkbox deselected |
Lockout effective period | 30 minutes or greater | Less than 30 minutes | N/A |
Informational Security Settings
Informational Security settings do not affect your Health Check score, but are valuable to review.
SETTING | COMPLIANT VALUE | WARNING VALUE | CRITICAL VALUE |
---|---|---|---|
Days until certificate expiration | No certificates created, or all certificates have more than 180 days until expiration | Less than 180 days but more than 15 days until expiration of at least one certificate | Less than 15 days until expiration of at least one certificate |
Enable HSTS for all Sites and Communities with the default force.com subdomain that require a secure connection (HTTPS) | Checkbox selected | N/A | Checkbox deselected |
Key Size | All certificates have a key size of 4096 | At least one certificate has a key size of 2048 | N/A |
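The following script is an added example, not Salesforce code or part of the original post: it grades an org’s current values against a handful of the baseline rows from the tables above and rolls them into a weighted score. Salesforce’s real formula is proprietary, so the weights (High 3, Medium 2, Low 1, Informational 0) and the half credit given to a warning are assumptions chosen only to illustrate that High-Risk settings count most and Informational ones not at all.

```python
# Added example, not Salesforce code: grade an org's exported settings against
# rows of the Salesforce Baseline Standard tables above. Salesforce's scoring
# formula is proprietary; the weights and half-credit for warnings below are
# assumptions chosen only to illustrate "High counts most, Informational zero".
WEIGHTS = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
CREDIT = {"compliant": 1.0, "warning": 0.5, "critical": 0.0}

def checkbox(deselected):   # selected is compliant; deselected is warning or critical
    return lambda v: "compliant" if v else deselected

def invalid_logins(v):      # High: 3 | 5, 10 | No Limit (None)
    return "compliant" if v == 3 else "warning" if v in (5, 10) else "critical"

def pw_expire_days(v):      # Medium: 90 or less | 180 | one year or Never (None)
    return "compliant" if v is not None and v <= 90 else "warning" if v == 180 else "critical"

def lockout_minutes(v):     # Low: 30 or greater | less than 30
    return "compliant" if v >= 30 else "warning"

def key_size(sizes):        # Informational: all 4096 | at least one 2048
    return "compliant" if all(k >= 4096 for k in sizes) else "warning"

BASELINE = {  # setting name -> (risk category, rule)
    "Lock sessions to the domain in which they were first used": ("High", checkbox("critical")),
    "Require HttpOnly attribute": ("High", checkbox("warning")),
    "Maximum invalid login attempts": ("High", invalid_logins),
    "User passwords expire in": ("Medium", pw_expire_days),
    "Lockout effective period": ("Low", lockout_minutes),
    "Key Size": ("Informational", key_size),
}

def evaluate(settings):
    """Return ({setting: level}, illustrative score 0-100)."""
    levels, earned, possible = {}, 0.0, 0.0
    for name, (risk, rule) in BASELINE.items():
        levels[name] = rule(settings[name])
        earned += WEIGHTS[risk] * CREDIT[levels[name]]  # weight 0: informational never counts
        possible += WEIGHTS[risk]
    return levels, round(100 * earned / possible, 1)

SAMPLE_ORG = {  # constructed sample of one org's current values, not a real export
    "Lock sessions to the domain in which they were first used": True,
    "Require HttpOnly attribute": False,
    "Maximum invalid login attempts": 10,
    "User passwords expire in": None,   # "Never expires"
    "Lockout effective period": 15,
    "Key Size": [2048, 4096],
}
```

Running `evaluate(SAMPLE_ORG)` shows each setting’s level and an illustrative score; changing only the Key Size row leaves the score unchanged, mirroring the Informational category’s exclusion.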
Thanks for Reading…