| Description |
Service |
Rule |
| Ensure certificate keys expire within 1 year |
Ensure that all certificate keys expire within 1 year. |
CRM
|
Certificate should have expirationDate isEarlierThan(365, "days") |
| Require a 4096-bit certificate key size |
The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. |
CRM
|
Certificate should have keySize gte 4096 |
| Configure CORS allowlist origins |
Ensure that there are origins configured in the CORS allowlist |
CRM
|
Organization should have CorsAllowlistOrigins len() gt 0 |
| Ensure Cross-Site Request Forgery (CSRF) protection is enabled |
Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. |
CRM
|
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true |
| Enable clickjack protection for customer Visualforce pages with headers turned off |
Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true |
| Enable clickjack protection for customer Visualforce pages with standard headers |
Clickjack protection for customer Visualforce pages with standard headers is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUser eq true |
| Enable clickjack protection for non-setup Salesforce pages |
Clickjack protection for non-setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupSFDC eq true |
| Enable clickjack protection for setup Salesforce pages |
Clickjack protection for setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackSetup eq true |
| Enable Content Sniffing protection |
Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. |
CRM
|
SessionSettings should have enableContentSniffingProtection eq true |
| Allow Lightning Login |
Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. |
CRM
|
SessionSettings should have enableLightningLogin eq true |
| Set guest user organization-wide defaults to Private |
Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. |
CRM
|
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false |
| Enable SMS Identity |
Users can receive a one-time password in a text message (SMS) to verify their identity. |
CRM
|
SessionSettings should have enableSMSIdentity eq true |
| Ensure XSS protection is enabled |
Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. |
CRM
|
SessionSettings should have enableXssProtection eq true |
| Ensure that no certificates are expired |
Ensure that no certificates have expired. |
CRM
|
Certificate should have expirationDate isLaterThan(0, "days") |
| Ensure file upload and download security rules are configured |
There is at least one file upload and download security rule configured for the organization |
CRM
|
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0 |
| Display a warning and force re-login after a period of inactivity |
Force re-login upon session timeout and enable the session timeout warning popup. |
CRM
|
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true |
| Limit the number of failed login attempts to 5 or less |
After 5 failed login attempts, the user will be locked out. |
CRM
|
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts") |
| Ensure IP restriction is configured |
At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. |
CRM
|
Organization should have NetworkAccessIpRanges len() gt 0 |
| Enforce password complexity requirements |
Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. |
CRM
|
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8 |
| Set passwords to expire after 90 days |
Ensure that user passwords expire after 90 days and must be changed. |
CRM
|
PasswordPolicies should have expiration eq "NinetyDays" |
| Ensure that users cannot reuse any of their previous 5 passwords |
Save users' previous 5 passwords so that they must always reset a new, unique password. |
CRM
|
PasswordPolicies should have historyRestriction gte 5 |
| Set password lockout interval to 30 minutes |
Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. |
CRM
|
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes" |
| Require a minimum 1 day password lifetime |
Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. |
CRM
|
PasswordPolicies should have minimumPasswordLifetime eq true |
| Logging is enabled for real time events |
Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. |
CRM
|
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max) |
| Remote site settings are configured |
Ensure that the organization has at least one active remote site setting. |
CRM
|
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ] |
| Require identify verification during two-factor authentication (2FA) registration |
Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true |
| Require identify verification for email address changes |
Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnEmailChange eq true |
| Time out user sessions after 15 minutes |
Prompt users to log out or continue working after 15 minutes. |
CRM
|
SessionSettings should have sessionTimeout eq "FifteenMinutes" |
| Enable single sign-on |
Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. |
CRM
|
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true |
| Description |
Service |
Rule |
| Ensure admin login as any user is not enabled |
Ensure that Administrators Can Log in as Any User field is not enabled. |
CRM
|
SecuritySettings should not have enableAdminLoginAsAnyUser eq true |
| Allow users to use a physical U2F-compatible key for multifactor authentication |
If enabled, users can use a physical U2F-compatible security key for multi-factor authentication (MFA) and identity verification. |
|
SessionSettings should have enableU2F eq true |
| Allow users to authenticate by certificate |
Users are allowed to authenticate with a PEM-encoded X.509 digital certificate. Certificate-base authentication complies with FedRAMP High Authenticator Assurance Level (AAL) 3 digital identity requirements and personal identification verification cards. Your org can also use certificate authority-signed (CA) certificates with certificate-based authentication. |
|
SessionSettings should have allowUserAuthenticationByCertificate eq true |
| Ensure certificate keys expire within 1 year |
Ensure that all certificate keys expire within 1 year. |
CRM
|
Certificate should have expirationDate isEarlierThan(365, "days") |
| Require a 4096-bit certificate key size |
The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. |
CRM
|
Certificate should have keySize gte 4096 |
| Ensure certificates are signed by the issuer |
The certificate should be signed by the issuer. |
|
Certificate should have caSigned eq true |
| Ensure connected apps are not granted full access to all data accessible by the logged-in user |
Ensure that no connected apps are assigned the 'Full access' (full) OAuth scope. This scope allows access to all data accessible by the logged-in user and encompasses all other scopes. |
CRM
|
ConnectedApp should not have any oauthConfig . scopes with [ scope eq "Full" ] |
| Configure CORS allowlist origins |
Ensure that there are origins configured in the CORS allowlist |
CRM
|
Organization should have CorsAllowlistOrigins len() gt 0 |
| Ensure Cross-Site Request Forgery (CSRF) protection is enabled |
Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. |
CRM
|
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true |
| Delete original territory management sharing records |
Removes group membership info for the original territory management feature after migrating to Enterprise Territory Management. Deleting original territory management sharing records eliminates unintended user access to records and resolves a known issue related to blank rows on Activities reports. |
|
SharingSettings should have enableRemoveTMGroupMembership eq false |
| Disable audit fields and updating of the record owner field for records owned by inactive users |
Do not allow users to update the record owner field and disable audit fields for records with inactive owners. |
|
SecuritySettings should have enableAuditFieldsInactiveOwner eq false |
| Disable caching and autocomplete on login page |
Do not allow the user’s browser to store usernames and auto-fill the User Name field on the login page. |
CRM
|
SessionSettings should have enableCacheAndAutocomplete eq false |
| Disable community user visibility |
Disabling community user visibility helps to keep user information confidential between users in the same site. |
|
SharingSettings should have enableCommunityUserVisibility eq false |
| Disable user switching |
If 'Enable user switching' is enabled, users can log in to other orgs by selecting their profile picture and using the Switcher.
When 'Enable user switching' is disabled, the Switcher is also disabled and your org doesn't appear in Switchers on other orgs. |
|
SessionSettings should have hasUserSwitching eq false |
| Do not allow Cross-Origin Resource Sharing (CORS) for OAuth Endpoints |
Do not allow cross-origin Resource sharing (CORS) for these OAuth endpoints:
/services/oauth2/token
/services/oauth2/revoke
/services/oauth2/introspect |
|
SessionSettings should have enableOauthCorsPolicy eq false |
| Do not allow users to grant login access to Support |
Do not allow users to grant login access to Support. When this setting is disabled, only administators can grant login access. |
|
SecuritySettings should have canUsersGrantLoginAccess eq false |
| Do not allow super user access to partners in sites |
Granting super user access to external users of your organization's portal allows the user to access more data and records, regardless of sharing rules and organization-wide defaults. These users can access data owned by other partner users who have the same or lower role. Super user access applies to cases, leads, custom objects, and opportunities. |
|
SharingSettings should have enablePartnerSuperUserAccess eq false |
| Do not cache usernames (Disable 'Remember me until logout') |
If you enable Remember me until logout (true), usernames (login hints) are cached until the user logs out. If a session times out, usernames appear on the Switcher as inactive. If false (default), usernames aren't cached for SSO sessions. |
|
SessionSettings should have hasRetainedLoginHints eq false |
| Do not enable account role optimization |
Enabling account role optimization assigns person roles to new site users in accounts without existing users rather than regular site roles. |
|
SharingSettings should have enableAccountRoleOptimization eq false |
| Do not allow users to share records with their managers and manager subordinate groups |
Setting 'enableManagerGroups' to True allows records to be shared not only with a user's direct manager, but also to managers up the heirarchy as well as manager subordinates. Setting this value to 'False' can help to prevent sensitive information from being accessed by unintended personnel. |
|
SharingSettings should have enableManagerGroups eq false |
| Do not enable Portal User Visibility |
When Portal User Visibility is enabled, portal users are visible to all other portal users in the same account. |
|
SharingSettings should have enablePortalUserVisibility eq false |
| Do not enable standard report visibility |
Prevent users from viewing reports based on standard report types that may expose data of users whom they don't have access to. |
|
SharingSettings should have enableStandardReportVisibility eq false |
| Do not suspend group membership calculations |
When you make changes to roles, territories, groups, or users, or change ownership of portal accounts, group membership is automatically recalculated to add or remove access as necessary. Changes can include adding or removing a user from a group or changing a role to allow access to different sets of reports.
Administrators should suspend group membership calculations only when performing a large number of configuration changes or during an organization's maintenance period. |
|
SharingSettings should have deferGroupMembership eq false |
| Do not suspend sharing rule calculations |
Sharing rule calculations automatically add or remove necessary access when changes are made to entities such as groups, roles and terrritories. |
|
SharingSettings should have deferSharingRules eq false |
| Email Relays enforces use of TLS and requires verification |
Ensure Email relays in the organization are authorized. |
CRM
|
EmailRelay should have IsRequireAuth eq True and TlsSetting eq "RequiredVerify" |
| Ensure Email Relay is setup within the organization |
Ensures that an Email Relay is set up within the organization. |
CRM
|
Organization should have EmailRelays len() gt 0 |
| Enable clickjack protection for customer Visualforce pages with headers turned off |
Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true |
| Enable clickjack protection for customer Visualforce pages with standard headers |
Clickjack protection for customer Visualforce pages with standard headers is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUser eq true |
| Enable clickjack protection for non-setup Salesforce pages |
Clickjack protection for non-setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupSFDC eq true |
| Enable clickjack protection for setup Salesforce pages |
Clickjack protection for setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackSetup eq true |
| Ensure Content Delivery Network for lightning component framework is enabled |
DDoS attacks can be prevented by enabling Content Delivery Network(CDN) for the lightning component framework. |
CRM
|
LightningExperienceSettings should have enableAuraCDNPref eq true |
| Ensure Content Security Policy protection for email templates is enabled |
Cross site scripting and other injection attacks can be prevented by enabling a Content Security Policy. |
CRM
|
SessionSettings should have enableCSPOnEmail eq true |
| Enable Content Sniffing protection |
Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. |
CRM
|
SessionSettings should have enableContentSniffingProtection eq true |
| Ensure Force re-login after Login-As-User is enabled |
Prompt the admin who is logged in as another user to login again after logging out as the user. |
CRM
|
SessionSettings should have forceRelogin eq true |
| Allow Lightning Login |
Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. |
CRM
|
SessionSettings should have enableLightningLogin eq true |
| Only users with the Lightning Login User permission can log in with Salesforce Authenticator |
Only users with the Lightning Login User permission can log in with Salesforce Authenticator instead of a password. |
|
SessionSettings should have enableLightningLoginOnlyWithUserPerm eq true |
| Enable secure and persistent browser caching |
Indicates whether the Salesforce mobile web uses secure and persistent browser caching (true) or not (false). |
|
MobileSettings should have enableS1EncryptedStoragePref2 eq true |
| Require read access to a record to see its name in lookup and system fields |
Users must have read access to a record to see its name in lookup and system fields |
|
SharingSettings should have enableRestrictAccessLookupRecords eq true |
| Enable SAML login for users |
With SAML login enabled, users can SSO into Salesforce from providers via SAML. SAML implements a secure method of passing user authentications and authorizations between the identity provider and service providers. |
|
SingleSignOnSettings should have enableSamlLogin eq true |
| Set guest user organization-wide defaults to Private |
Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. |
CRM
|
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false |
| Enable SMS Identity |
Users can receive a one-time password in a text message (SMS) to verify their identity. |
CRM
|
SessionSettings should have enableSMSIdentity eq true |
| Ensure XSS protection is enabled |
Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. |
CRM
|
SessionSettings should have enableXssProtection eq true |
| Enforce IP ranges for every request |
Enforce the IP addresses in Login IP Ranges when a user accesses Salesforce (on every page request), including access from a client app. |
|
SessionSettings should have enforceIpRangesEveryRequest eq true |
| Ensure that no certificates are expired |
Ensure that no certificates have expired. |
CRM
|
Certificate should have expirationDate isLaterThan(0, "days") |
| Ensure file upload and download security rules are configured |
There is at least one file upload and download security rule configured for the organization |
CRM
|
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0 |
| Display a warning and force re-login after a period of inactivity |
Force re-login upon session timeout and enable the session timeout warning popup. |
CRM
|
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true |
| Assets should inherit parent object access rules |
Assets should not have sharing enabled by default. Access to an asset should be inherited by its parent objects' sharing rules. |
|
SharingSettings should have enableAssetSharing eq false |
| Lock user sessions to the login domain |
Indicates whether the current UI session for a user is associated with a specific domain. This check helps prevent unauthorized use of the session ID in another domain. |
|
SessionSettings should have lockSessionsToDomain eq true |
| Lock user sessions to the login IP address |
Lock user sessions to the IP address from which the user logged in. |
|
SessionSettings should have lockSessionsToIp eq true |
| Limit the number of failed login attempts to 5 or less |
After 5 failed login attempts, the user will be locked out. |
CRM
|
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts") |
| Ensure IP restriction is configured |
At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. |
CRM
|
Organization should have NetworkAccessIpRanges len() gt 0 |
| Enforce password complexity requirements |
Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. |
CRM
|
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8 |
| Set passwords to expire after 90 days |
Ensure that user passwords expire after 90 days and must be changed. |
CRM
|
PasswordPolicies should have expiration eq "NinetyDays" |
| Ensure that users cannot reuse any of their previous 5 passwords |
Save users' previous 5 passwords so that they must always reset a new, unique password. |
CRM
|
PasswordPolicies should have historyRestriction gte 5 |
| Set password lockout interval to 30 minutes |
Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. |
CRM
|
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes" |
| Require a minimum 1 day password lifetime |
Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. |
CRM
|
PasswordPolicies should have minimumPasswordLifetime eq true |
| Obscure secret answers for password resets |
Hide answers to password reset security questions as the user types. |
CRM
|
PasswordPolicies should have obscureSecretAnswer eq true |
| Password hint question should not contain the password |
Do not allow the answer to the password hint question to contain the password itself. |
CRM
|
PasswordPolicies should have questionRestriction eq "DoesNotContainPassword" |
| Prevent identity verification by email if SMS or Salesforce Authenticator configured |
Prevent identity verification by email for users who have registered other verification methods, such as SMS or Salesforce Authenticator. If no other verification methods are configured, users are verified by email. |
|
SessionSettings should have canConfirmIdentityBySmsOnly eq true |
| Protect referrer URL |
Configure the referer header to display only salesforce.com, rather than displaying the entire URL. |
CRM
|
SessionSettings should have referrerPolicy eq true |
| Logging is enabled for real time events |
Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. |
CRM
|
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max) |
| Warn users when they are redirected outside of Salesforce |
Users see an alert when they click a link in a web tab that redirects them outside the saleforce.com domain. |
CRM
|
SessionSettings should have redirectionWarning eq true |
| Remote site settings are configured |
Ensure that the organization has at least one active remote site setting. |
CRM
|
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ] |
| Require email confirmations for email address changes |
When users change their email address, they receive an email at the new address with a link. After they click the link, their new email address takes effect. |
CRM
|
SessionSettings should have canConfirmEmailChangeInLightningCommunities eq true |
| Require HttpOnly attribute to restrict session ID cookie access |
Restricts session ID cookie access. A cookie with the HttpOnly attribute is not accessible via non-HTTP methods, such as calls from JavaScript. |
|
SessionSettings should have requireHttpOnly eq true |
| Require identify verification during two-factor authentication (2FA) registration |
Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true |
| Require identify verification for email address changes |
Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnEmailChange eq true |
| Time out user sessions after 15 minutes |
Prompt users to log out or continue working after 15 minutes. |
CRM
|
SessionSettings should have sessionTimeout eq "FifteenMinutes" |
| Enable single sign-on |
Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. |
CRM
|
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true |
| Use POST requests for cross-domain information exchange |
Indicates whether cross-domain session information is exchanged using a POST request instead of a GET request, such as when a user is using a Visualforce page. In this context, POST requests are more secure than GET requests. |
|
SessionSettings should have enablePostForSessions eq true |
| Ensure user provisioning for connected apps require approval |
Ensures that user provisioning requests for connected apps in Salesforce are configured to require approval for certain processes |
CRM
|
UserProvisioningConfig should have approvalRequired neq "None" |
| Description |
Service |
Rule |
| Ensure certificate keys expire within 1 year |
Ensure that all certificate keys expire within 1 year. |
CRM
|
Certificate should have expirationDate isEarlierThan(365, "days") |
| Require a 4096-bit certificate key size |
The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. |
CRM
|
Certificate should have keySize gte 4096 |
| Configure CORS allowlist origins |
Ensure that there are origins configured in the CORS allowlist |
CRM
|
Organization should have CorsAllowlistOrigins len() gt 0 |
| Ensure Cross-Site Request Forgery (CSRF) protection is enabled |
Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. |
CRM
|
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true |
| Enable clickjack protection for customer Visualforce pages with headers turned off |
Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true |
| Enable clickjack protection for customer Visualforce pages with standard headers |
Clickjack protection for customer Visualforce pages with standard headers is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUser eq true |
| Enable clickjack protection for non-setup Salesforce pages |
Clickjack protection for non-setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupSFDC eq true |
| Enable clickjack protection for setup Salesforce pages |
Clickjack protection for setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackSetup eq true |
| Enable Content Sniffing protection |
Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. |
CRM
|
SessionSettings should have enableContentSniffingProtection eq true |
| Allow Lightning Login |
Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. |
CRM
|
SessionSettings should have enableLightningLogin eq true |
| Set guest user organization-wide defaults to Private |
Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. |
CRM
|
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false |
| Enable SMS Identity |
Users can receive a one-time password in a text message (SMS) to verify their identity. |
CRM
|
SessionSettings should have enableSMSIdentity eq true |
| Ensure XSS protection is enabled |
Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. |
CRM
|
SessionSettings should have enableXssProtection eq true |
| Ensure that no certificates are expired |
Ensure that no certificates have expired. |
CRM
|
Certificate should have expirationDate isLaterThan(0, "days") |
| Ensure file upload and download security rules are configured |
There is at least one file upload and download security rule configured for the organization |
CRM
|
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0 |
| Limit the number of failed login attempts to 5 or less |
After 5 failed login attempts, the user will be locked out. |
CRM
|
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts") |
| Enforce password complexity requirements |
Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. |
CRM
|
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8 |
| Set passwords to expire after 90 days |
Ensure that user passwords expire after 90 days and must be changed. |
CRM
|
PasswordPolicies should have expiration eq "NinetyDays" |
| Ensure that users cannot reuse any of their previous 5 passwords |
Save users' previous 5 passwords so that they must always reset a new, unique password. |
CRM
|
PasswordPolicies should have historyRestriction gte 5 |
| Set password lockout interval to 30 minutes |
Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. |
CRM
|
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes" |
| Require a minimum 1 day password lifetime |
Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. |
CRM
|
PasswordPolicies should have minimumPasswordLifetime eq true |
| Password hint question should not contain the password |
Do not allow the answer to the password hint question to contain the password itself. |
CRM
|
PasswordPolicies should have questionRestriction eq "DoesNotContainPassword" |
| Protect referrer URL |
Configure the referer header to display only salesforce.com, rather than displaying the entire URL. |
CRM
|
SessionSettings should have referrerPolicy eq true |
| Logging is enabled for real time events |
Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. |
CRM
|
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max) |
| Warn users when they are redirected outside of Salesforce |
Users see an alert when they click a link in a web tab that redirects them outside the saleforce.com domain. |
CRM
|
SessionSettings should have redirectionWarning eq true |
| Remote site settings are configured |
Ensure that the organization has at least one active remote site setting. |
CRM
|
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ] |
| Require identify verification during two-factor authentication (2FA) registration |
Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true |
| Require identify verification for email address changes |
Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnEmailChange eq true |
| Enable single sign-on |
Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. |
CRM
|
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true |
| Description |
Service |
Rule |
| Ensure certificate keys expire within 1 year |
Ensure that all certificate keys expire within 1 year. |
CRM
|
Certificate should have expirationDate isEarlierThan(365, "days") |
| Require a 4096-bit certificate key size |
The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. |
CRM
|
Certificate should have keySize gte 4096 |
| Configure CORS allowlist origins |
Ensure that there are origins configured in the CORS allowlist |
CRM
|
Organization should have CorsAllowlistOrigins len() gt 0 |
| Ensure Cross-Site Request Forgery (CSRF) protection is enabled |
Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. |
CRM
|
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true |
| Disable caching and autocomplete on login page |
Do not allow the user’s browser to store usernames and auto-fill the User Name field on the login page. |
CRM
|
SessionSettings should have enableCacheAndAutocomplete eq false |
| Enable clickjack protection for customer Visualforce pages with headers turned off |
Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true |
| Enable clickjack protection for customer Visualforce pages with standard headers |
Clickjack protection for customer Visualforce pages with standard headers is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUser eq true |
| Enable clickjack protection for non-setup Salesforce pages |
Clickjack protection for non-setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupSFDC eq true |
| Enable clickjack protection for setup Salesforce pages |
Clickjack protection for setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackSetup eq true |
| Enable Content Sniffing protection |
Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. |
CRM
|
SessionSettings should have enableContentSniffingProtection eq true |
| Allow Lightning Login |
Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. |
CRM
|
SessionSettings should have enableLightningLogin eq true |
| Set guest user organization-wide defaults to Private |
Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. |
CRM
|
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false |
| Enable SMS Identity |
Users can receive a one-time password in a text message (SMS) to verify their identity. |
CRM
|
SessionSettings should have enableSMSIdentity eq true |
| Ensure XSS protection is enabled |
Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. |
CRM
|
SessionSettings should have enableXssProtection eq true |
| Ensure that no certificates are expired |
Ensure that no certificates have expired. |
CRM
|
Certificate should have expirationDate isLaterThan(0, "days") |
| Ensure file upload and download security rules are configured |
There is at least one file upload and download security rule configured for the organization |
CRM
|
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0 |
| Display a warning and force re-login after a period of inactivity |
Force re-login upon session timeout and enable the session timeout warning popup. |
CRM
|
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true |
| Limit the number of failed login attempts to 5 or less |
After 5 failed login attempts, the user will be locked out. |
CRM
|
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts") |
| Ensure IP restriction is configured |
At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. |
CRM
|
Organization should have NetworkAccessIpRanges len() gt 0 |
| Enforce password complexity requirements |
Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. |
CRM
|
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8 |
| Set passwords to expire after 90 days |
Ensure that user passwords expire after 90 days and must be changed. |
CRM
|
PasswordPolicies should have expiration eq "NinetyDays" |
| Ensure that users cannot reuse any of their previous 5 passwords |
Save users' previous 5 passwords so that they must always reset a new, unique password. |
CRM
|
PasswordPolicies should have historyRestriction gte 5 |
| Set password lockout interval to 30 minutes |
Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. |
CRM
|
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes" |
| Require a minimum 1 day password lifetime |
Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. |
CRM
|
PasswordPolicies should have minimumPasswordLifetime eq true |
| Obscure secret answers for password resets |
Hide answers to password reset security questions as the user types. |
CRM
|
PasswordPolicies should have obscureSecretAnswer eq true |
| Password hint question should not contain the password |
Do not allow the answer to the password hint question to contain the password itself. |
CRM
|
PasswordPolicies should have questionRestriction eq "DoesNotContainPassword" |
| Protect referrer URL |
Configure the referer header to display only salesforce.com, rather than displaying the entire URL. |
CRM
|
SessionSettings should have referrerPolicy eq true |
| Logging is enabled for real time events |
Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. |
CRM
|
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max) |
| Warn users when they are redirected outside of Salesforce |
Users see an alert when they click a link in a web tab that redirects them outside the saleforce.com domain. |
CRM
|
SessionSettings should have redirectionWarning eq true |
| Remote site settings are configured |
Ensure that the organization has at least one active remote site setting. |
CRM
|
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ] |
| Require identify verification during two-factor authentication (2FA) registration |
Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true |
| Require identify verification for email address changes |
Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnEmailChange eq true |
| Time out user sessions after 15 minutes |
Prompt users to log out or continue working after 15 minutes. |
CRM
|
SessionSettings should have sessionTimeout eq "FifteenMinutes" |
| Enable single sign-on |
Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. |
CRM
|
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true |
| Description |
Service |
Rule |
| Ensure certificate keys expire within 1 year |
Ensure that all certificate keys expire within 1 year. |
CRM
|
Certificate should have expirationDate isEarlierThan(365, "days") |
| Require a 4096-bit certificate key size |
The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. |
CRM
|
Certificate should have keySize gte 4096 |
| Configure CORS allowlist origins |
Ensure that there are origins configured in the CORS allowlist |
CRM
|
Organization should have CorsAllowlistOrigins len() gt 0 |
| Ensure Cross-Site Request Forgery (CSRF) protection is enabled |
Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. |
CRM
|
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true |
| Disable caching and autocomplete on login page |
Do not allow the user’s browser to store usernames and auto-fill the User Name field on the login page. |
CRM
|
SessionSettings should have enableCacheAndAutocomplete eq false |
| Enable clickjack protection for customer Visualforce pages with headers turned off |
Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true |
| Enable clickjack protection for customer Visualforce pages with standard headers |
Clickjack protection for customer Visualforce pages with standard headers is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUser eq true |
| Enable clickjack protection for non-setup Salesforce pages |
Clickjack protection for non-setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupSFDC eq true |
| Enable clickjack protection for setup Salesforce pages |
Clickjack protection for setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackSetup eq true |
| Enable Content Sniffing protection |
Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. |
CRM
|
SessionSettings should have enableContentSniffingProtection eq true |
| Set guest user organization-wide defaults to Private |
Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. |
CRM
|
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false |
| Ensure XSS protection is enabled |
Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. |
CRM
|
SessionSettings should have enableXssProtection eq true |
| Ensure that no certificates are expired |
Ensure that no certificates have expired. |
CRM
|
Certificate should have expirationDate isLaterThan(0, "days") |
| Ensure file upload and download security rules are configured |
There is at least one file upload and download security rule configured for the organization |
CRM
|
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0 |
| Display a warning and force re-login after a period of inactivity |
Force re-login upon session timeout and enable the session timeout warning popup. |
CRM
|
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true |
| Limit the number of failed login attempts to 5 or less |
After 5 failed login attempts, the user will be locked out. |
CRM
|
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts") |
| Ensure IP restriction is configured |
At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. |
CRM
|
Organization should have NetworkAccessIpRanges len() gt 0 |
| Enforce password complexity requirements |
Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. |
CRM
|
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8 |
| Set passwords to expire after 90 days |
Ensure that user passwords expire after 90 days and must be changed. |
CRM
|
PasswordPolicies should have expiration eq "NinetyDays" |
| Ensure that users cannot reuse any of their previous 5 passwords |
Save users' previous 5 passwords so that they must always reset a new, unique password. |
CRM
|
PasswordPolicies should have historyRestriction gte 5 |
| Set password lockout interval to 30 minutes |
Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. |
CRM
|
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes" |
| Require a minimum 1 day password lifetime |
Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. |
CRM
|
PasswordPolicies should have minimumPasswordLifetime eq true |
| Obscure secret answers for password resets |
Hide answers to password reset security questions as the user types. |
CRM
|
PasswordPolicies should have obscureSecretAnswer eq true |
| Password hint question should not contain the password |
Do not allow the answer to the password hint question to contain the password itself. |
CRM
|
PasswordPolicies should have questionRestriction eq "DoesNotContainPassword" |
| Protect referrer URL |
Configure the referer header to display only salesforce.com, rather than displaying the entire URL. |
CRM
|
SessionSettings should have referrerPolicy eq true |
| Logging is enabled for real time events |
Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. |
CRM
|
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max) |
| Warn users when they are redirected outside of Salesforce |
Users see an alert when they click a link in a web tab that redirects them outside the saleforce.com domain. |
CRM
|
SessionSettings should have redirectionWarning eq true |
| Remote site settings are configured |
Ensure that the organization has at least one active remote site setting. |
CRM
|
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ] |
| Require identify verification during two-factor authentication (2FA) registration |
Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true |
| Require identify verification for email address changes |
Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnEmailChange eq true |
| Time out user sessions after 15 minutes |
Prompt users to log out or continue working after 15 minutes. |
CRM
|
SessionSettings should have sessionTimeout eq "FifteenMinutes" |
| Description |
Service |
Rule |
| Ensure certificate keys expire within 1 year |
Ensure that all certificate keys expire within 1 year. |
CRM
|
Certificate should have expirationDate isEarlierThan(365, "days") |
| Require a 4096-bit certificate key size |
The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. |
CRM
|
Certificate should have keySize gte 4096 |
| Configure CORS allowlist origins |
Ensure that there are origins configured in the CORS allowlist |
CRM
|
Organization should have CorsAllowlistOrigins len() gt 0 |
| Ensure Cross-Site Request Forgery (CSRF) protection is enabled |
Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. |
CRM
|
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true |
| Disable caching and autocomplete on login page |
Do not allow the user’s browser to store usernames and auto-fill the User Name field on the login page. |
CRM
|
SessionSettings should have enableCacheAndAutocomplete eq false |
| Enable clickjack protection for customer Visualforce pages with headers turned off |
Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true |
| Enable clickjack protection for customer Visualforce pages with standard headers |
Clickjack protection for customer Visualforce pages with standard headers is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUser eq true |
| Enable clickjack protection for non-setup Salesforce pages |
Clickjack protection for non-setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupSFDC eq true |
| Enable clickjack protection for setup Salesforce pages |
Clickjack protection for setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackSetup eq true |
| Enable Content Sniffing protection |
Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. |
CRM
|
SessionSettings should have enableContentSniffingProtection eq true |
| Allow Lightning Login |
Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. |
CRM
|
SessionSettings should have enableLightningLogin eq true |
| Set guest user organization-wide defaults to Private |
Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. |
CRM
|
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false |
| Enable SMS Identity |
Users can receive a one-time password in a text message (SMS) to verify their identity. |
CRM
|
SessionSettings should have enableSMSIdentity eq true |
| Ensure XSS protection is enabled |
Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. |
CRM
|
SessionSettings should have enableXssProtection eq true |
| Ensure that no certificates are expired |
Ensure that no certificates have expired. |
CRM
|
Certificate should have expirationDate isLaterThan(0, "days") |
| Ensure file upload and download security rules are configured |
There is at least one file upload and download security rule configured for the organization |
CRM
|
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0 |
| Display a warning and force re-login after a period of inactivity |
Force re-login upon session timeout and enable the session timeout warning popup. |
CRM
|
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true |
| Limit the number of failed login attempts to 5 or less |
After 5 failed login attempts, the user will be locked out. |
CRM
|
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts") |
| Ensure IP restriction is configured |
At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. |
CRM
|
Organization should have NetworkAccessIpRanges len() gt 0 |
| Enforce password complexity requirements |
Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. |
CRM
|
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8 |
| Set passwords to expire after 90 days |
Ensure that user passwords expire after 90 days and must be changed. |
CRM
|
PasswordPolicies should have expiration eq "NinetyDays" |
| Ensure that users cannot reuse any of their previous 5 passwords |
Save users' previous 5 passwords so that they must always reset a new, unique password. |
CRM
|
PasswordPolicies should have historyRestriction gte 5 |
| Set password lockout interval to 30 minutes |
Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. |
CRM
|
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes" |
| Require a minimum 1 day password lifetime |
Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. |
CRM
|
PasswordPolicies should have minimumPasswordLifetime eq true |
| Obscure secret answers for password resets |
Hide answers to password reset security questions as the user types. |
CRM
|
PasswordPolicies should have obscureSecretAnswer eq true |
| Logging is enabled for real time events |
Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. |
CRM
|
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max) |
| Remote site settings are configured |
Ensure that the organization has at least one active remote site setting. |
CRM
|
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ] |
| Time out user sessions after 15 minutes |
Prompt users to log out or continue working after 15 minutes. |
CRM
|
SessionSettings should have sessionTimeout eq "FifteenMinutes" |
| Enable single sign-on |
Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. |
CRM
|
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true |
| Description |
Service |
Rule |
| Ensure admin login as any user is not enabled |
Ensure that Administrators Can Log in as Any User field is not enabled. |
CRM
|
SecuritySettings should not have enableAdminLoginAsAnyUser eq true |
| Ensure certificate keys expire within 1 year |
Ensure that all certificate keys expire within 1 year. |
CRM
|
Certificate should have expirationDate isEarlierThan(365, "days") |
| Require a 4096-bit certificate key size |
The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. |
CRM
|
Certificate should have keySize gte 4096 |
| Configure CORS allowlist origins |
Ensure that there are origins configured in the CORS allowlist |
CRM
|
Organization should have CorsAllowlistOrigins len() gt 0 |
| Ensure Cross-Site Request Forgery (CSRF) protection is enabled |
Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. |
CRM
|
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true |
| Disable caching and autocomplete on login page |
Do not allow the user’s browser to store usernames and auto-fill the User Name field on the login page. |
CRM
|
SessionSettings should have enableCacheAndAutocomplete eq false |
| Enable clickjack protection for customer Visualforce pages with headers turned off |
Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true |
| Enable clickjack protection for customer Visualforce pages with standard headers |
Clickjack protection for customer Visualforce pages with standard headers is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUser eq true |
| Enable clickjack protection for non-setup Salesforce pages |
Clickjack protection for non-setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupSFDC eq true |
| Enable clickjack protection for setup Salesforce pages |
Clickjack protection for setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackSetup eq true |
| Enable Content Sniffing protection |
Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. |
CRM
|
SessionSettings should have enableContentSniffingProtection eq true |
| Allow Lightning Login |
Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. |
CRM
|
SessionSettings should have enableLightningLogin eq true |
| Set guest user organization-wide defaults to Private |
Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. |
CRM
|
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false |
| Enable SMS Identity |
Users can receive a one-time password in a text message (SMS) to verify their identity. |
CRM
|
SessionSettings should have enableSMSIdentity eq true |
| Ensure XSS protection is enabled |
Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. |
CRM
|
SessionSettings should have enableXssProtection eq true |
| Ensure that no certificates are expired |
Ensure that no certificates have expired. |
CRM
|
Certificate should have expirationDate isLaterThan(0, "days") |
| Ensure file upload and download security rules are configured |
There is at least one file upload and download security rule configured for the organization |
CRM
|
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0 |
| Display a warning and force re-login after a period of inactivity |
Force re-login upon session timeout and enable the session timeout warning popup. |
CRM
|
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true |
| Limit the number of failed login attempts to 5 or less |
After 5 failed login attempts, the user will be locked out. |
CRM
|
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts") |
| Ensure IP restriction is configured |
At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. |
CRM
|
Organization should have NetworkAccessIpRanges len() gt 0 |
| Enforce password complexity requirements |
Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. |
CRM
|
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8 |
| Set passwords to expire after 90 days |
Ensure that user passwords expire after 90 days and must be changed. |
CRM
|
PasswordPolicies should have expiration eq "NinetyDays" |
| Ensure that users cannot reuse any of their previous 5 passwords |
Save users' previous 5 passwords so that they must always reset a new, unique password. |
CRM
|
PasswordPolicies should have historyRestriction gte 5 |
| Set password lockout interval to 30 minutes |
Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. |
CRM
|
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes" |
| Require a minimum 1 day password lifetime |
Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. |
CRM
|
PasswordPolicies should have minimumPasswordLifetime eq true |
| Obscure secret answers for password resets |
Hide answers to password reset security questions as the user types. |
CRM
|
PasswordPolicies should have obscureSecretAnswer eq true |
| Logging is enabled for real time events |
Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. |
CRM
|
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max) |
| Remote site settings are configured |
Ensure that the organization has at least one active remote site setting. |
CRM
|
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ] |
| Require identify verification during two-factor authentication (2FA) registration |
Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true |
| Require identify verification for email address changes |
Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnEmailChange eq true |
| Time out user sessions after 15 minutes |
Prompt users to log out or continue working after 15 minutes. |
CRM
|
SessionSettings should have sessionTimeout eq "FifteenMinutes" |
| Enable single sign-on |
Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. |
CRM
|
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true |
| Description |
Service |
Rule |
| Ensure certificate keys expire within 1 year |
Ensure that all certificate keys expire within 1 year. |
CRM
|
Certificate should have expirationDate isEarlierThan(365, "days") |
| Require a 4096-bit certificate key size |
The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. |
CRM
|
Certificate should have keySize gte 4096 |
| Configure CORS allowlist origins |
Ensure that there are origins configured in the CORS allowlist |
CRM
|
Organization should have CorsAllowlistOrigins len() gt 0 |
| Ensure Cross-Site Request Forgery (CSRF) protection is enabled |
Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. |
CRM
|
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true |
| Enable clickjack protection for customer Visualforce pages with headers turned off |
Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true |
| Enable clickjack protection for customer Visualforce pages with standard headers |
Clickjack protection for customer Visualforce pages with standard headers is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUser eq true |
| Enable clickjack protection for non-setup Salesforce pages |
Clickjack protection for non-setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupSFDC eq true |
| Enable clickjack protection for setup Salesforce pages |
Clickjack protection for setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackSetup eq true |
| Enable Content Sniffing protection |
Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. |
CRM
|
SessionSettings should have enableContentSniffingProtection eq true |
| Allow Lightning Login |
Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. |
CRM
|
SessionSettings should have enableLightningLogin eq true |
| Set guest user organization-wide defaults to Private |
Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. |
CRM
|
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false |
| Enable SMS Identity |
Users can receive a one-time password in a text message (SMS) to verify their identity. |
CRM
|
SessionSettings should have enableSMSIdentity eq true |
| Ensure XSS protection is enabled |
Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. |
CRM
|
SessionSettings should have enableXssProtection eq true |
| Ensure that no certificates are expired |
Ensure that no certificates have expired. |
CRM
|
Certificate should have expirationDate isLaterThan(0, "days") |
| Display a warning and force re-login after a period of inactivity |
Force re-login upon session timeout and enable the session timeout warning popup. |
CRM
|
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true |
| Limit the number of failed login attempts to 5 or less |
After 5 failed login attempts, the user will be locked out. |
CRM
|
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts") |
| Ensure IP restriction is configured |
At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. |
CRM
|
Organization should have NetworkAccessIpRanges len() gt 0 |
| Enforce password complexity requirements |
Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. |
CRM
|
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8 |
| Set passwords to expire after 90 days |
Ensure that user passwords expire after 90 days and must be changed. |
CRM
|
PasswordPolicies should have expiration eq "NinetyDays" |
| Ensure that users cannot reuse any of their previous 5 passwords |
Save users' previous 5 passwords so that they must always reset a new, unique password. |
CRM
|
PasswordPolicies should have historyRestriction gte 5 |
| Require a minimum 1 day password lifetime |
Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. |
CRM
|
PasswordPolicies should have minimumPasswordLifetime eq true |
| Protect referrer URL |
Configure the referer header to display only salesforce.com, rather than displaying the entire URL. |
CRM
|
SessionSettings should have referrerPolicy eq true |
| Logging is enabled for real time events |
Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. |
CRM
|
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max) |
| Remote site settings are configured |
Ensure that the organization has at least one active remote site setting. |
CRM
|
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ] |
| Require identify verification during two-factor authentication (2FA) registration |
Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true |
| Require identify verification for email address changes |
Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnEmailChange eq true |
| Enable single sign-on |
Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. |
CRM
|
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true |
| Description |
Service |
Rule |
| Ensure certificate keys expire within 1 year |
Ensure that all certificate keys expire within 1 year. |
CRM
|
Certificate should have expirationDate isEarlierThan(365, "days") |
| Require a 4096-bit certificate key size |
The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. |
CRM
|
Certificate should have keySize gte 4096 |
| Configure CORS allowlist origins |
Ensure that there are origins configured in the CORS allowlist |
CRM
|
Organization should have CorsAllowlistOrigins len() gt 0 |
| Ensure Cross-Site Request Forgery (CSRF) protection is enabled |
Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. |
CRM
|
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true |
| Enable clickjack protection for customer Visualforce pages with headers turned off |
Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true |
| Enable clickjack protection for customer Visualforce pages with standard headers |
Clickjack protection for customer Visualforce pages with standard headers is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupUser eq true |
| Enable clickjack protection for non-setup Salesforce pages |
Clickjack protection for non-setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackNonsetupSFDC eq true |
| Enable clickjack protection for setup Salesforce pages |
Clickjack protection for setup Salesforce pages is enabled. |
CRM
|
SessionSettings should have enableClickjackSetup eq true |
| Enable Content Sniffing protection |
Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. |
CRM
|
SessionSettings should have enableContentSniffingProtection eq true |
| Allow Lightning Login |
Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. |
CRM
|
SessionSettings should have enableLightningLogin eq true |
| Set guest user organization-wide defaults to Private |
Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. |
CRM
|
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false |
| Enable SMS Identity |
Users can receive a one-time password in a text message (SMS) to verify their identity. |
CRM
|
SessionSettings should have enableSMSIdentity eq true |
| Ensure XSS protection is enabled |
Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. |
CRM
|
SessionSettings should have enableXssProtection eq true |
| Ensure that no certificates are expired |
Ensure that no certificates have expired. |
CRM
|
Certificate should have expirationDate isLaterThan(0, "days") |
| Ensure file upload and download security rules are configured |
There is at least one file upload and download security rule configured for the organization |
CRM
|
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0 |
| Display a warning and force re-login after a period of inactivity |
Force re-login upon session timeout and enable the session timeout warning popup. |
CRM
|
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true |
| Limit the number of failed login attempts to 5 or less |
After 5 failed login attempts, the user will be locked out. |
CRM
|
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts") |
| Ensure IP restriction is configured |
At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. |
CRM
|
Organization should have NetworkAccessIpRanges len() gt 0 |
| Enforce password complexity requirements |
Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. |
CRM
|
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8 |
| Set passwords to expire after 90 days |
Ensure that user passwords expire after 90 days and must be changed. |
CRM
|
PasswordPolicies should have expiration eq "NinetyDays" |
| Ensure that users cannot reuse any of their previous 5 passwords |
Save users' previous 5 passwords so that they must always reset a new, unique password. |
CRM
|
PasswordPolicies should have historyRestriction gte 5 |
| Set password lockout interval to 30 minutes |
Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. |
CRM
|
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes" |
| Protect referrer URL |
Configure the referer header to display only salesforce.com, rather than displaying the entire URL. |
CRM
|
SessionSettings should have referrerPolicy eq true |
| Logging is enabled for real time events |
Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. |
CRM
|
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max) |
| Remote site settings are configured |
Ensure that the organization has at least one active remote site setting. |
CRM
|
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ] |
| Require identify verification during two-factor authentication (2FA) registration |
Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true |
| Require identify verification for email address changes |
Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. |
CRM
|
SessionSettings should have identityConfirmationOnEmailChange eq true |
| Time out user sessions after 15 minutes |
Prompt users to log out or continue working after 15 minutes. |
CRM
|
SessionSettings should have sessionTimeout eq "FifteenMinutes" |
| Enable single sign-on |
Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. |
CRM
|
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true |
