Security Best Practices

Codey waving and Astro wearing his backpack in the forest

Cybersecurity is a shared responsibility. While Salesforce builds security into everything we do and provides the necessary tools and resources to protect your data, it is also up to you to implement security controls and best practices to further strengthen the security of your Salesforce instance.

Get Started with Security

Illustration of the security dashboard

Whether getting started with Salesforce or strengthening your security posture, implementing these security best practices will help you protect yourself, your data, and your business.

  • Run Security Health: Built on Salesforce’s core platform, Health Check is a free tool that allows admins to manage their org’s security settings, identify and fix potentially vulnerable security settings, and create custom baseline standards aligned with the needs of your business. Learn more about Health Check.

  • Enable multi-factor authentication (MFA): MFA adds an extra layer of protection against common threats like phishing attacks, credential stuffing, and account takeovers. Implementing MFA is one of the most effective ways your company can increase the security of your Salesforce data. Learn more about MFA at Salesforce.

  • Evaluate User Privilege: Permission sets are a powerful way to control access — and increase security — within your org. To evaluate, first, identify the job functions, tasks, and processes critical to your users and define permission sets appropriately. Then, remove high-risk permissions from profiles and add them back to users as necessary through permission sets. Learn more about permission sets.

Beware of Phishing Emails

Phishing scams use fraudulent emails to get users to reveal confidential information by installing malware to capture information.

Train and Educate Your Users

Educate users about security so they understand the importance of keeping your Salesforce org secure, and encourage a culture of security.

Report Security Concerns

Unsure about whether a Salesforce email is legitimate? Forward a copy of the suspicious email as an attachment to Salesforce Security.

Securely Manage and Monitor Access

As a security advocate, understanding and using Salesforce security tools and resources allows you to play a critical role in safeguarding your company’s data, maintaining security standards, and meeting compliance requirements. 

  • Apply the principle of least privilege: Following the principle of least privilege means only granting users, devices, applications, and systems the minimum privilege they need to do their job. Limiting users’ permissions prevents unauthorized access to sensitive information, and can significantly reduce an organization’s security risk. Learn more about how to protect data with the principle of least privilege.

  • Set login ranges and trusted IPs: Restricting access through IP addresses helps protect data from unauthorized access and phishing attacks. By setting login IP ranges, admins can define a range of permitted IP addresses – ensuring unidentified or non-trusted Ips are denied or challenged to verify their identity. Learn how to restrict login IP addresses for Salesforce. 

  • Ensure a secure connection: Consistently using a virtual private network (VPN) can help make your internet connection more secure. In addition, using a router’s administrator console to enable encryption (use WPA2 or WPA3) and updating firmware can help keep foreign devices off your network. Learn more about how to secure your internet use

  • Salesforce Authenticator: Salesforce Authenticator offers a smart, simple two-factor authentication solution that enhances the security of your Salesforce deployment without sacrificing user experience. With a single tap on their mobile device, employees can approve logins and other actions, even verifying automatically from trusted locations. Learn more about Salesforce Authenticator

Illustration of laptop, locks, keys, and people

Advanced Tools to Build Apps and Secure Data


Salesforce offers a number of advanced security tools and resources to help you test and review your security posture, track and manage your security scans, and develop secure code and web apps.   

  • Salesforce Well-Architected Secure: Once your security policies have been set, design your security model using the patterns and anti-patterns outlined in these guidelines.

  • Code Scanner Portal: Use the Code Scanner to catch common security issues in your code. 

  • Partner Security Portal: A centralized portal for Salesforce partners to track and manage their Lightning Platform Security Scan.

  • AppExchange Security Review: The AppExchange security review tests the security posture of your solution. Learn how the review process works.

  • Developer Discussion Forum: Questions? Get help when you need it from Salesforce and community experts.

  • Salesforce Security Center: The Security Center app offers a single view of your security, privacy, and governance posture across all of your Salesforce orgs and tenants. 

  • Salesforce Shield: While Salesforce is equipped with many out-of-the-box security controls, Shield complements your security features with enhanced encryption, app and data monitoring, and security policy automation.

Develop Securely Using Salesforce

Secure Coding Guidelines

Learn about the most common web app security issues when building on or integrating with Lightning Platform.

Develop Secure Web Apps

Check out our newest developer security Trail to help you enhance the security in your applications.

Developer Center

Use these resources to learn about building and securing applications with Salesforce.