Security is built into our products from the ground up. Salesforce provides our customers with innovative tools and educational resources necessary to protect their data, but we believe that security is a shared responsibility. We strongly recommend all customers adopt the following best practices to better protect your Salesforce instance from compromise and align with industry standards.

Nail the Basics

Implement MFA or

Single Sign-On

It's more important than ever to implement strong security measures that protect your business and customers. As threats that compromise user credentials grow more common, usernames and passwords are no longer sufficient safeguards against unauthorized account access. 

Multi-factor authentication (or MFA) adds an extra layer of protection against common threats like phishing attacks, credential stuffing, and account takeovers. Implementing MFA is one of the most effective ways your company can increase the security of your Salesforce data.

View MFA Resources >

Run Security Health Check with Every Release

Health Check is a free tool that comes standard with Salesforce products. Built on our core platform, it allows admins to manage their org’s most important security settings in a single dashboard. Using Health Check, admins can seamlessly identify and fix potentially vulnerable security settings with one click. Customers can also create custom baseline standards to align closer with the individual security needs of their business.

Learn More About Health Check >

Learn More Best Practices

  • Set Login IP Ranges

    Login IP Ranges limit unauthorized access by requiring users to login to Salesforce from designated IP addresses — typically your corporate network or VPN. By using Login IP Ranges, admins can define a range of permitted IP addresses to control access to Salesforce. Those who try to login to Salesforce from outside the designated IP addresses will not be granted access. 

    • If you are using Professional, Group, or Personal editions, you can configure Login IP Ranges under Security Controls > Session Settings. 
    • If you are using Enterprise, Unlimited, Performance, or Developer editions, you can configure Login IP Ranges under Manage Users > Profiles.
  • Consider Salesforce Shield

    As part of your overall security strategy, consider Salesforce Shield. While Salesforce is equipped with many out-of-the-box security controls, Shield complements your security features with enhanced encryption, app and data monitoring, and security policy automation. Shield can help admins and developers build a new level of trust and transparency in business-critical apps.

  • My Domain

    My Domain allows you to add a custom domain to your Salesforce org URL. Having a custom domain lets you highlight your brand and makes your org more secure. Additionally, this allows you to follow our best practices of not specifying instance names in code and integrations (e.g. na1.salesforce.com). Following this best practice will provide you and your end-users a more seamless experience during any future maintenance.

    Using My Domain, you define a custom domain that's part of your Salesforce domain. A custom domain is actually a subdomain of a primary domain. If we use an example of Universal Containers, their subdomain would be “universal-containers” in this My Domain example: https://universal-containers.my.salesforce.com.

    A custom domain name helps you better manage login and authentication for your org in several key ways. You can:

    • Block or redirect page requests that don’t use the new domain name
    • Set custom login policy to determine how users are authenticated
    • Work in multiple Salesforce orgs at the same time
    • Let users log in using a social account, like Google and Facebook, from the login page
    • Allow users to log in once to access external services
    • Highlight your business identity with your unique domain URL
    • Brand your login screen and customize right-frame content
  • Decrease Session Timeout Thresholds

    Users sometimes leave their computers unattended or they don't log off. You can protect your applications against unauthorized access by automatically closing sessions when there is no session activity for a period of time. The default timeout is 2 hours; you can set this value from between 30 minutes and 8 hours. To change the session timeout, click: Setup > Security Controls > Session Settings.

  • Enable TLS 1.2 or higher

    Transport Layer Security, or TLS, is the most widely deployed security protocol for web browsers and other applications that require data to be securely exchanged over a network. As of October 2019, Salesforce requires all secure org connections to use TLS 1.2 or higher to ensure the most secure environment and continued payment card industry compliance.

  • Educate Users About Phishing

    Salesforce highly recommends phishing education for all Salesforce users. Most cyber attacks use malware (malicious software) to infect a computer with malicious code designed to steal passwords, data, or disrupt an entire computer/network. Fortunately, you don’t need to be a security expert to help stop malware.

    Phishing scams use fraudulent emails to get users to reveal confidential information. Such emails typically look as though they come from a legitimate organization and may contain links to what appears to be that organization's site (e.g., package delivery, payroll, IRS, social networking), but is actually a fake site or attachment designed to install malware and capture information. As these scams get more sophisticated, it can be tough knowing whether an email is real or fake. Below are some recommendations you should make to your Salesforce users when it comes to reviewing their email (and check out our Security Advisories page for examples of recent scams):

    • Review the subject line for unexpected messages and awkward language
    • Verify the person and organization (e.g., hover over the sender name and URLs, but do not click)
    • Don’t click suspicious attachments (e.g., strange name or format)
    • Do not give away credential information (e.g., username, password) unless you are sure the email is from a trusted sender
    • Double check the language (e.g., grammar, spelling)
    • Be wary of urgent and immediate messages -- especially messages asking for money

    If you or any of your users are unsure about whether a Salesforce email is legitimate, forward a copy of the suspicious email as an attachment to security@salesforce.com. Please include the words "phish" or "malware" in the subject line to indicate that the email is a suspected phishing email.

    For instructions on how to forward an email as an attachment using Gmail, check out send emails as attachments in Google Support.

  • Password Policies

    Strong password security is an important step in protecting your Salesforce accounts and Salesforce recommends these best practices: 

    • Password expiration – Salesforce recommends no more than 90 days to force users to reset their passwords
    • Password length – Salesforce suggestions minimum password length of 8-10 characters
    • Password complexity – Admins should require users to include a mix of alpha, numeric, and special characters in their Salesforce password

    In addition, remind users to never reuse passwords on multiple accounts, or they risk compromise of more than one of their accounts. Last, users need to understand that they must never share passwords with anyone, either online or in person -- this includes their Salesforce password.

Report a Security Concern

As a leading software-as-a-service and platform-as-a-service provider, Salesforce is committed to setting the standard in safeguarding our environment and customers’ data. Partner with us by reporting any security concerns.

Report a Concern