Security Best Practices

hero image

Security is built into our products from the ground up. Salesforce provides our customers with innovative tools and educational resources necessary to protect their data, but we believe that security is a shared responsibility. We strongly recommend all customers adopt the following best practices to better protect your Salesforce instance from compromise and align with industry standards.

Nail the Basics

Implement MFA or Single Sign-On

It's more important than ever to implement strong security measures that protect your business and customers. As threats that compromise user credentials grow more common, usernames and passwords are no longer sufficient safeguards against unauthorized account access. 

Multi-factor authentication (or MFA) adds an extra layer of protection against common threats like phishing attacks, credential stuffing, and account takeovers. Implementing MFA is one of the most effective ways your company can increase the security of your Salesforce data.

Run Security Health Check with Every Release

Health Check is a free tool that comes standard with Salesforce products. Built on our core platform, it allows admins to manage their org’s most important security settings in a single dashboard. Using Health Check, admins can seamlessly identify and fix potentially vulnerable security settings with one click. Customers can also create custom baseline standards to align closer with the individual security needs of their business.

Learn More Best Practices

  • Salesforce does not recommend pinning leaf or intermediate SSL/TLS certificates, because they may create availability issues when intermediate certificates are rotated during routine operations. However, there may be certain use cases involving middleware integrations that may require certificates to be pinned. If you are pinning leaf/intermediate certificates, please consider only pinning the root certificate. To receive timely notifications on upcoming certificate rotations and renewals, join the Certificate Changes Trailhead Community and subscribe to the group email updates.

  • Login IP Ranges limit unauthorized access by requiring users to login to Salesforce from designated IP addresses — typically your corporate network or VPN. By using Login IP Ranges, admins can define a range of permitted IP addresses to control access to Salesforce. Those who try to login to Salesforce from outside the designated IP addresses will not be granted access. 

    • If you are using Professional, Group, or Personal editions, you can configure Login IP Ranges under Security Controls > Session Settings. 
    • If you are using Enterprise, Unlimited, Performance, or Developer editions, you can configure Login IP Ranges under Manage Users > Profiles.
  • As part of your overall security strategy, consider Salesforce Shield. While Salesforce is equipped with many out-of-the-box security controls, Shield complements your security features with enhanced encryption, app and data monitoring, and security policy automation. Shield can help admins and developers build a new level of trust and transparency in business-critical apps.

  • My Domain allows you to add a custom domain to your Salesforce org URL. Having a custom domain lets you highlight your brand and makes your org more secure. Additionally, this allows you to follow our best practices of not specifying instance names in code and integrations (e.g. na1.salesforce.com). Following this best practice will provide you and your end-users a more seamless experience during any future maintenance.

    Using My Domain, you define a custom domain that's part of your Salesforce domain. A custom domain is actually a subdomain of a primary domain. If we use an example of Universal Containers, their subdomain would be “universal-containers” in this My Domain example: https://universal-containers.my.salesforce.com.

    A custom domain name helps you better manage login and authentication for your org in several key ways. You can:

    • Block or redirect page requests that don’t use the new domain name
    • Set custom login policy to determine how users are authenticated
    • Work in multiple Salesforce orgs at the same time
    • Let users log in using a social account, like Google and Facebook, from the login page
    • Allow users to log in once to access external services
    • Highlight your business identity with your unique domain URL
    • Brand your login screen and customize right-frame content
  • Users sometimes leave their computers unattended or they don't log off. You can protect your applications against unauthorized access by automatically closing sessions when there is no session activity for a period of time. The default timeout is 2 hours; you can set this value from between 30 minutes and 8 hours. To change the session timeout, click: Setup > Security Controls > Session Settings.

  • Transport Layer Security, or TLS, is the most widely deployed security protocol for web browsers and other applications that require data to be securely exchanged over a network. As of October 2019, Salesforce requires all secure org connections to use TLS 1.2 or higher to ensure the most secure environment and continued payment card industry compliance.

  • Salesforce highly recommends phishing education for all Salesforce users. Most cyber attacks use malware (malicious software) to infect a computer with malicious code designed to steal passwords, data, or disrupt an entire computer/network. Fortunately, you don’t need to be a security expert to help stop malware.

    Phishing scams use fraudulent emails to get users to reveal confidential information. Such emails typically look as though they come from a legitimate organization and may contain links to what appears to be that organization's site (e.g., package delivery, payroll, IRS, social networking), but is actually a fake site or attachment designed to install malware and capture information. As these scams get more sophisticated, it can be tough knowing whether an email is real or fake. Below are some recommendations you should make to your Salesforce users when it comes to reviewing their email (and check out our Security Advisories page for examples of recent scams):

    • Review the subject line for unexpected messages and awkward language
    • Verify the person and organization (e.g., hover over the sender name and URLs, but do not click)
    • Don’t click suspicious attachments (e.g., strange name or format)
    • Do not give away credential information (e.g., username, password) unless you are sure the email is from a trusted sender
    • Double check the language (e.g., grammar, spelling)
    • Be wary of urgent and immediate messages -- especially messages asking for money

    If you or any of your users are unsure about whether a Salesforce email is legitimate, forward a copy of the suspicious email as an attachment to security@salesforce.com. Please include the words "phish" or "malware" in the subject line to indicate that the email is a suspected phishing email.

    For instructions on how to forward an email as an attachment using Gmail, check out send emails as attachments in Google Support.

  • Strong password security is an important step in protecting your Salesforce accounts and Salesforce recommends these best practices: 

    • Password expiration – Salesforce recommends no more than 90 days to force users to reset their passwords
    • Password length – Salesforce suggestions minimum password length of 8-10 characters
    • Password complexity – Admins should require users to include a mix of alpha, numeric, and special characters in their Salesforce password

    In addition, remind users to never reuse passwords on multiple accounts, or they risk compromise of more than one of their accounts. Last, users need to understand that they must never share passwords with anyone, either online or in person -- this includes their Salesforce password.

  • A permission set is a collection of settings and permissions that give users access to various tools and functions. Permission sets extend users’ functional access without changing their profiles.

    Create permission sets to grant access among logical groupings of users, regardless of their primary job function. For example, let’s say you have several users who must delete and transfer leads. You can create a permission set based on the tasks that these users must perform and include the permission set within permission set groups based on job functions. While users can only have one profile, they can have multiple permission sets. 

  • Audit logs provide a chronological record of all activities in your system, such as logins, permissions changes, and addition/deletion of records. They are used to detect anomalous use of the system, and are critical in diagnosing potential or actual security issues.

    We recommend that you set up audit trails for your Salesforce instance, and perform regular audits to monitor for unexpected changes or usage trends.

  • A Hardware Security Module is a hardened physical or virtual system used to provide and administrate cryptographic functions in enterprise environments. HSMs are used in conjunction with core security functions including encryption, decryption, and authentication.

    We recommend HSMs are used as a root of trust to protect keys used to secure data in multiple cloud and on-premise environments. They should be certified to the highest security standards (such as FIPS 140-2 and Common Criteria), kept isolated from the organization’s corporate networks and restrict access only to authorized personnel.

Report a Security Concern

As a leading software-as-a-service and platform-as-a-service provider, Salesforce is committed to setting the standard in safeguarding our environment and customers’ data. Partner with us by reporting any security concerns.