Netskope

Salesforce Predefined Rules



🔍
Name Description Service Rule
Enable admin login as any user If true, the Administrators Can Log in as Any User field is enabled. CRM
SecuritySettings should have enableAdminLoginAsAnyUser eq true
Allow users to use a physical U2F-compatible key for multifactor authentication If enabled, users can use a physical U2F-compatible security key for multi-factor authentication (MFA) and identity verification. SessionSettings should have enableU2F eq true
Allow users to authenticate by certificate Users are allowed to authenticate with a PEM-encoded X.509 digital certificate. Certificate-base authentication complies with FedRAMP High Authenticator Assurance Level (AAL) 3 digital identity requirements and personal identification verification cards. Your org can also use certificate authority-signed (CA) certificates with certificate-based authentication. SessionSettings should have allowUserAuthenticationByCertificate eq true
Ensure certificate keys expire within 1 year Ensure that all certificate keys expire within 1 year. CRM
Certificate should have expirationDate isLaterThan(0, "days") and expirationDate isEarlierThan(365, "days")
Require a 4096-bit certificate key size The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. CRM
Certificate should have keySize gte 4096
Ensure certificates are signed by the issuer The certificate should be signed by the issuer. Certificate should have caSigned eq true
Ensure connected apps are not granted full access to all data accessible by the logged-in user Ensure that no connected apps are assigned the 'Full access' (full) OAuth scope. This scope allows access to all data accessible by the logged-in user and encompasses all other scopes. CRM
ConnectedApp should not have any oauthConfig . scopes with [ scope eq "Full" ]
Configure CORS allowlist origins Ensure that there are origins configured in the CORS allowlist CRM
Organization should have CorsAllowlistOrigins len() gt 0
Ensure Cross-Site Request Forgery (CSRF) protection is enabled Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. CRM
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true
Delete original territory management sharing records Removes group membership info for the original territory management feature after migrating to Enterprise Territory Management. Deleting original territory management sharing records eliminates unintended user access to records and resolves a known issue related to blank rows on Activities reports. SharingSettings should have enableRemoveTMGroupMembership eq false
Disable audit fields and updating of the record owner field for records owned by inactive users Do not allow users to update the record owner field and disable audit fields for records with inactive owners. SecuritySettings should have enableAuditFieldsInactiveOwner eq false
Disable caching and autocomplete on login page Do not allow the user’s browser to store usernames and auto-fill the User Name field on the login page. CRM
SessionSettings should have enableCacheAndAutocomplete eq false
Disable community user visibility Disabling community user visibility helps to keep user information confidential between users in the same site. SharingSettings should have enableCommunityUserVisibility eq false
Disable user switching If 'Enable user switching' is enabled, users can log in to other orgs by selecting their profile picture and using the Switcher. When 'Enable user switching' is disabled, the Switcher is also disabled and your org doesn't appear in Switchers on other orgs. SessionSettings should have hasUserSwitching eq false
Do not allow Cross-Origin Resource Sharing (CORS) for OAuth Endpoints Do not allow cross-origin Resource sharing (CORS) for these OAuth endpoints: /services/oauth2/token /services/oauth2/revoke /services/oauth2/introspect SessionSettings should have enableOauthCorsPolicy eq false
Do not allow users to grant login access to Support Do not allow users to grant login access to Support. When this setting is disabled, only administators can grant login access. SecuritySettings should have canUsersGrantLoginAccess eq false
Do not allow super user access to partners in sites Granting super user access to external users of your organization's portal allows the user to access more data and records, regardless of sharing rules and organization-wide defaults. These users can access data owned by other partner users who have the same or lower role. Super user access applies to cases, leads, custom objects, and opportunities. SharingSettings should have enablePartnerSuperUserAccess eq false
Do not cache usernames (Disable 'Remember me until logout') If you enable Remember me until logout (true), usernames (login hints) are cached until the user logs out. If a session times out, usernames appear on the Switcher as inactive. If false (default), usernames aren't cached for SSO sessions. SessionSettings should have hasRetainedLoginHints eq false
Do not enable account role optimization Enabling account role optimization assigns person roles to new site users in accounts without existing users rather than regular site roles. SharingSettings should have enableAccountRoleOptimization eq false
Do not allow users to share records with their managers and manager subordinate groups Setting 'enableManagerGroups' to True allows records to be shared not only with a user's direct manager, but also to managers up the heirarchy as well as manager subordinates. Setting this value to 'False' can help to prevent sensitive information from being accessed by unintended personnel. SharingSettings should have enableManagerGroups eq false
Do not enable Portal User Visibility When Portal User Visibility is enabled, portal users are visible to all other portal users in the same account. SharingSettings should have enablePortalUserVisibility eq false
Do not enable standard report visibility Prevent users from viewing reports based on standard report types that may expose data of users whom they don't have access to. SharingSettings should have enableStandardReportVisibility eq false
Do not suspend group membership calculations When you make changes to roles, territories, groups, or users, or change ownership of portal accounts, group membership is automatically recalculated to add or remove access as necessary. Changes can include adding or removing a user from a group or changing a role to allow access to different sets of reports. Administrators should suspend group membership calculations only when performing a large number of configuration changes or during an organization's maintenance period. SharingSettings should have deferGroupMembership eq false
Do not suspend sharing rule calculations Sharing rule calculations automatically add or remove necessary access when changes are made to entities such as groups, roles and terrritories. SharingSettings should have deferSharingRules eq false
Enable clickjack protection for customer Visualforce pages with headers turned off Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. CRM
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true
Enable clickjack protection for customer Visualforce pages with standard headers Clickjack protection for customer Visualforce pages with standard headers is enabled. CRM
SessionSettings should have enableClickjackNonsetupUser eq true
Enable clickjack protection for non-setup Salesforce pages Clickjack protection for non-setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackNonsetupSFDC eq true
Enable clickjack protection for setup Salesforce pages Clickjack protection for setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackSetup eq true
Enable Content Sniffing protection Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. CRM
SessionSettings should have enableContentSniffingProtection eq true
Allow Lightning Login Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. CRM
SessionSettings should have enableLightningLogin eq true
Only users with the Lightning Login User permission can log in with Salesforce Authenticator Only users with the Lightning Login User permission can log in with Salesforce Authenticator instead of a password. SessionSettings should have enableLightningLoginOnlyWithUserPerm eq true
Require read access to a record to see its name in lookup and system fields Users must have read access to a record to see its name in lookup and system fields SharingSettings should have enableRestrictAccessLookupRecords eq true
Enable SAML login for users With SAML login enabled, users can SSO into Salesforce from providers via SAML. SAML implements a secure method of passing user authentications and authorizations between the identity provider and service providers. SingleSignOnSettings should have enableSamlLogin eq true
Set guest user organization-wide defaults to Private Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. CRM
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false
Enable SMS Identity Users can receive a one-time password in a text message (SMS) to verify their identity. CRM
SessionSettings should have enableSMSIdentity eq true
Ensure XSS protection is enabled Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. CRM
SessionSettings should have enableXssProtection eq true
Enforce IP ranges for every request Enforce the IP addresses in Login IP Ranges when a user accesses Salesforce (on every page request), including access from a client app. SessionSettings should have enforceIpRangesEveryRequest eq true
Ensure that no certificates are expired Ensure that no certificates have expired. CRM
Certificate should have expirationDate isLaterThan(0, "days")
Ensure file upload and download security rules are configured There is at least one file upload and download security rule configured for the organization CRM
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0
Display a warning and force re-login after a period of inactivity Force re-login upon session timeout and enable the session timeout warning popup. CRM
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true
Assets should inherit parent object access rules Assets should not have sharing enabled by default. Access to an asset should be inherited by its parent objects' sharing rules. SharingSettings should have enableAssetSharing eq false
Lock user sessions to the login domain Indicates whether the current UI session for a user is associated with a specific domain. This check helps prevent unauthorized use of the session ID in another domain. SessionSettings should have lockSessionsToDomain eq true
Lock user sessions to the login IP address Lock user sessions to the IP address from which the user logged in. SessionSettings should have lockSessionsToIp eq true
Limit the number of failed login attempts to 5 or less After 5 failed login attempts, the user will be locked out. CRM
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts")
Ensure IP restriction is configured At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. CRM
Organization should have NetworkAccessIpRanges len() gt 0
Enforce password complexity requirements Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. CRM
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8
Set passwords to expire after 90 days Ensure that user passwords expire after 90 days and must be changed. CRM
PasswordPolicies should have expiration eq "NinetyDays"
Ensure that users cannot reuse any of their previous 5 passwords Save users' previous 5 passwords so that they must always reset a new, unique password. CRM
PasswordPolicies should have historyRestriction gte 5
Set password lockout interval to 30 minutes Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. CRM
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes"
Require a minimum 1 day password lifetime Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. CRM
PasswordPolicies should have minimumPasswordLifetime eq true
Obscure secret answers for password resets Hide answers to password reset security questions as the user types. CRM
PasswordPolicies should have obscureSecretAnswer eq true
Password hint question should not contain the password Do not allow the answer to the password hint question to contain the password itself. CRM
PasswordPolicies should have questionRestriction eq "DoesNotContainPassword"
Prevent identity verification by email if SMS or Salesforce Authenticator configured Prevent identity verification by email for users who have registered other verification methods, such as SMS or Salesforce Authenticator. If no other verification methods are configured, users are verified by email. SessionSettings should have canConfirmIdentityBySmsOnly eq true
Protect referrer URL Configure the referer header to display only salesforce.com, rather than displaying the entire URL. CRM
SessionSettings should have referrerPolicy eq true
Logging is enabled for real time events Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. CRM
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max)
Warn users when they are redirected outside of Salesforce Users see an alert when they click a link in a web tab that redirects them outside the saleforce.com domain. CRM
SessionSettings should have redirectionWarning eq true
Remote site settings are configured Ensure that the organization has at least one active remote site setting. CRM
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ]
Require email confirmations for email address changes When users change their email address, they receive an email at the new address with a link. After they click the link, their new email address takes effect. CRM
SessionSettings should have canConfirmEmailChangeInLightningCommunities eq true
Require secure connections (HTTPS) Determines whether HTTPS is required to log in to or access Salesforce. CRM
SessionSettings should have requireHttps eq true
Require secure connections (HTTPS) for Forcecom sites Visualforce, Salesforce sites, or Experience Cloud sites must use HTTPS. CRM
SessionSettings should have hstsOnForcecomSites eq true
Require secure connections (HTTPS) for third-party domains Indicates if HTTPS is required for connecting to third-party domains. CRM
SessionSettings should have enableUpgradeInsecureRequests eq true
Require identify verification during two-factor authentication (2FA) registration Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true
Require identify verification for email address changes Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnEmailChange eq true
Time out user sessions after 15 minutes Prompt users to log out or continue working after 15 minutes. CRM
SessionSettings should have sessionTimeout eq "FifteenMinutes"
Enable single sign-on Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. CRM
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true
Use POST requests for cross-domain information exchange Indicates whether cross-domain session information is exchanged using a POST request instead of a GET request, such as when a user is using a Visualforce page. In this context, POST requests are more secure than GET requests. SessionSettings should have enablePostForSessions eq true
Name Description Service Rule
Ensure certificate keys expire within 1 year Ensure that all certificate keys expire within 1 year. CRM
Certificate should have expirationDate isLaterThan(0, "days") and expirationDate isEarlierThan(365, "days")
Require a 4096-bit certificate key size The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. CRM
Certificate should have keySize gte 4096
Configure CORS allowlist origins Ensure that there are origins configured in the CORS allowlist CRM
Organization should have CorsAllowlistOrigins len() gt 0
Ensure Cross-Site Request Forgery (CSRF) protection is enabled Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. CRM
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true
Enable clickjack protection for customer Visualforce pages with headers turned off Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. CRM
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true
Enable clickjack protection for customer Visualforce pages with standard headers Clickjack protection for customer Visualforce pages with standard headers is enabled. CRM
SessionSettings should have enableClickjackNonsetupUser eq true
Enable clickjack protection for non-setup Salesforce pages Clickjack protection for non-setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackNonsetupSFDC eq true
Enable clickjack protection for setup Salesforce pages Clickjack protection for setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackSetup eq true
Enable Content Sniffing protection Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. CRM
SessionSettings should have enableContentSniffingProtection eq true
Allow Lightning Login Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. CRM
SessionSettings should have enableLightningLogin eq true
Set guest user organization-wide defaults to Private Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. CRM
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false
Enable SMS Identity Users can receive a one-time password in a text message (SMS) to verify their identity. CRM
SessionSettings should have enableSMSIdentity eq true
Ensure XSS protection is enabled Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. CRM
SessionSettings should have enableXssProtection eq true
Ensure that no certificates are expired Ensure that no certificates have expired. CRM
Certificate should have expirationDate isLaterThan(0, "days")
Ensure file upload and download security rules are configured There is at least one file upload and download security rule configured for the organization CRM
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0
Limit the number of failed login attempts to 5 or less After 5 failed login attempts, the user will be locked out. CRM
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts")
Enforce password complexity requirements Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. CRM
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8
Set passwords to expire after 90 days Ensure that user passwords expire after 90 days and must be changed. CRM
PasswordPolicies should have expiration eq "NinetyDays"
Ensure that users cannot reuse any of their previous 5 passwords Save users' previous 5 passwords so that they must always reset a new, unique password. CRM
PasswordPolicies should have historyRestriction gte 5
Set password lockout interval to 30 minutes Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. CRM
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes"
Require a minimum 1 day password lifetime Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. CRM
PasswordPolicies should have minimumPasswordLifetime eq true
Password hint question should not contain the password Do not allow the answer to the password hint question to contain the password itself. CRM
PasswordPolicies should have questionRestriction eq "DoesNotContainPassword"
Protect referrer URL Configure the referer header to display only salesforce.com, rather than displaying the entire URL. CRM
SessionSettings should have referrerPolicy eq true
Logging is enabled for real time events Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. CRM
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max)
Warn users when they are redirected outside of Salesforce Users see an alert when they click a link in a web tab that redirects them outside the saleforce.com domain. CRM
SessionSettings should have redirectionWarning eq true
Remote site settings are configured Ensure that the organization has at least one active remote site setting. CRM
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ]
Require secure connections (HTTPS) Determines whether HTTPS is required to log in to or access Salesforce. CRM
SessionSettings should have requireHttps eq true
Require secure connections (HTTPS) for Forcecom sites Visualforce, Salesforce sites, or Experience Cloud sites must use HTTPS. CRM
SessionSettings should have hstsOnForcecomSites eq true
Require secure connections (HTTPS) for third-party domains Indicates if HTTPS is required for connecting to third-party domains. CRM
SessionSettings should have enableUpgradeInsecureRequests eq true
Require identify verification during two-factor authentication (2FA) registration Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true
Require identify verification for email address changes Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnEmailChange eq true
Enable single sign-on Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. CRM
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true
Name Description Service Rule
Ensure certificate keys expire within 1 year Ensure that all certificate keys expire within 1 year. CRM
Certificate should have expirationDate isLaterThan(0, "days") and expirationDate isEarlierThan(365, "days")
Require a 4096-bit certificate key size The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. CRM
Certificate should have keySize gte 4096
Configure CORS allowlist origins Ensure that there are origins configured in the CORS allowlist CRM
Organization should have CorsAllowlistOrigins len() gt 0
Ensure Cross-Site Request Forgery (CSRF) protection is enabled Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. CRM
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true
Disable caching and autocomplete on login page Do not allow the user’s browser to store usernames and auto-fill the User Name field on the login page. CRM
SessionSettings should have enableCacheAndAutocomplete eq false
Enable clickjack protection for customer Visualforce pages with headers turned off Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. CRM
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true
Enable clickjack protection for customer Visualforce pages with standard headers Clickjack protection for customer Visualforce pages with standard headers is enabled. CRM
SessionSettings should have enableClickjackNonsetupUser eq true
Enable clickjack protection for non-setup Salesforce pages Clickjack protection for non-setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackNonsetupSFDC eq true
Enable clickjack protection for setup Salesforce pages Clickjack protection for setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackSetup eq true
Enable Content Sniffing protection Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. CRM
SessionSettings should have enableContentSniffingProtection eq true
Allow Lightning Login Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. CRM
SessionSettings should have enableLightningLogin eq true
Set guest user organization-wide defaults to Private Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. CRM
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false
Enable SMS Identity Users can receive a one-time password in a text message (SMS) to verify their identity. CRM
SessionSettings should have enableSMSIdentity eq true
Ensure XSS protection is enabled Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. CRM
SessionSettings should have enableXssProtection eq true
Ensure that no certificates are expired Ensure that no certificates have expired. CRM
Certificate should have expirationDate isLaterThan(0, "days")
Ensure file upload and download security rules are configured There is at least one file upload and download security rule configured for the organization CRM
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0
Display a warning and force re-login after a period of inactivity Force re-login upon session timeout and enable the session timeout warning popup. CRM
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true
Limit the number of failed login attempts to 5 or less After 5 failed login attempts, the user will be locked out. CRM
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts")
Ensure IP restriction is configured At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. CRM
Organization should have NetworkAccessIpRanges len() gt 0
Enforce password complexity requirements Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. CRM
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8
Set passwords to expire after 90 days Ensure that user passwords expire after 90 days and must be changed. CRM
PasswordPolicies should have expiration eq "NinetyDays"
Ensure that users cannot reuse any of their previous 5 passwords Save users' previous 5 passwords so that they must always reset a new, unique password. CRM
PasswordPolicies should have historyRestriction gte 5
Set password lockout interval to 30 minutes Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. CRM
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes"
Require a minimum 1 day password lifetime Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. CRM
PasswordPolicies should have minimumPasswordLifetime eq true
Obscure secret answers for password resets Hide answers to password reset security questions as the user types. CRM
PasswordPolicies should have obscureSecretAnswer eq true
Password hint question should not contain the password Do not allow the answer to the password hint question to contain the password itself. CRM
PasswordPolicies should have questionRestriction eq "DoesNotContainPassword"
Protect referrer URL Configure the referer header to display only salesforce.com, rather than displaying the entire URL. CRM
SessionSettings should have referrerPolicy eq true
Logging is enabled for real time events Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. CRM
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max)
Warn users when they are redirected outside of Salesforce Users see an alert when they click a link in a web tab that redirects them outside the saleforce.com domain. CRM
SessionSettings should have redirectionWarning eq true
Remote site settings are configured Ensure that the organization has at least one active remote site setting. CRM
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ]
Require secure connections (HTTPS) Determines whether HTTPS is required to log in to or access Salesforce. CRM
SessionSettings should have requireHttps eq true
Require secure connections (HTTPS) for Forcecom sites Visualforce, Salesforce sites, or Experience Cloud sites must use HTTPS. CRM
SessionSettings should have hstsOnForcecomSites eq true
Require secure connections (HTTPS) for third-party domains Indicates if HTTPS is required for connecting to third-party domains. CRM
SessionSettings should have enableUpgradeInsecureRequests eq true
Require identify verification during two-factor authentication (2FA) registration Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true
Require identify verification for email address changes Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnEmailChange eq true
Time out user sessions after 15 minutes Prompt users to log out or continue working after 15 minutes. CRM
SessionSettings should have sessionTimeout eq "FifteenMinutes"
Enable single sign-on Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. CRM
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true
Name Description Service Rule
Ensure certificate keys expire within 1 year Ensure that all certificate keys expire within 1 year. CRM
Certificate should have expirationDate isLaterThan(0, "days") and expirationDate isEarlierThan(365, "days")
Require a 4096-bit certificate key size The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. CRM
Certificate should have keySize gte 4096
Configure CORS allowlist origins Ensure that there are origins configured in the CORS allowlist CRM
Organization should have CorsAllowlistOrigins len() gt 0
Ensure Cross-Site Request Forgery (CSRF) protection is enabled Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. CRM
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true
Disable caching and autocomplete on login page Do not allow the user’s browser to store usernames and auto-fill the User Name field on the login page. CRM
SessionSettings should have enableCacheAndAutocomplete eq false
Enable clickjack protection for customer Visualforce pages with headers turned off Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. CRM
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true
Enable clickjack protection for customer Visualforce pages with standard headers Clickjack protection for customer Visualforce pages with standard headers is enabled. CRM
SessionSettings should have enableClickjackNonsetupUser eq true
Enable clickjack protection for non-setup Salesforce pages Clickjack protection for non-setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackNonsetupSFDC eq true
Enable clickjack protection for setup Salesforce pages Clickjack protection for setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackSetup eq true
Enable Content Sniffing protection Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. CRM
SessionSettings should have enableContentSniffingProtection eq true
Set guest user organization-wide defaults to Private Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. CRM
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false
Ensure XSS protection is enabled Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. CRM
SessionSettings should have enableXssProtection eq true
Ensure that no certificates are expired Ensure that no certificates have expired. CRM
Certificate should have expirationDate isLaterThan(0, "days")
Ensure file upload and download security rules are configured There is at least one file upload and download security rule configured for the organization CRM
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0
Display a warning and force re-login after a period of inactivity Force re-login upon session timeout and enable the session timeout warning popup. CRM
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true
Limit the number of failed login attempts to 5 or less After 5 failed login attempts, the user will be locked out. CRM
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts")
Ensure IP restriction is configured At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. CRM
Organization should have NetworkAccessIpRanges len() gt 0
Enforce password complexity requirements Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. CRM
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8
Set passwords to expire after 90 days Ensure that user passwords expire after 90 days and must be changed. CRM
PasswordPolicies should have expiration eq "NinetyDays"
Ensure that users cannot reuse any of their previous 5 passwords Save users' previous 5 passwords so that they must always reset a new, unique password. CRM
PasswordPolicies should have historyRestriction gte 5
Set password lockout interval to 30 minutes Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. CRM
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes"
Require a minimum 1 day password lifetime Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. CRM
PasswordPolicies should have minimumPasswordLifetime eq true
Obscure secret answers for password resets Hide answers to password reset security questions as the user types. CRM
PasswordPolicies should have obscureSecretAnswer eq true
Password hint question should not contain the password Do not allow the answer to the password hint question to contain the password itself. CRM
PasswordPolicies should have questionRestriction eq "DoesNotContainPassword"
Protect referrer URL Configure the referer header to display only salesforce.com, rather than displaying the entire URL. CRM
SessionSettings should have referrerPolicy eq true
Logging is enabled for real time events Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. CRM
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max)
Warn users when they are redirected outside of Salesforce Users see an alert when they click a link in a web tab that redirects them outside the saleforce.com domain. CRM
SessionSettings should have redirectionWarning eq true
Remote site settings are configured Ensure that the organization has at least one active remote site setting. CRM
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ]
Require secure connections (HTTPS) Determines whether HTTPS is required to log in to or access Salesforce. CRM
SessionSettings should have requireHttps eq true
Require secure connections (HTTPS) for Forcecom sites Visualforce, Salesforce sites, or Experience Cloud sites must use HTTPS. CRM
SessionSettings should have hstsOnForcecomSites eq true
Require secure connections (HTTPS) for third-party domains Indicates if HTTPS is required for connecting to third-party domains. CRM
SessionSettings should have enableUpgradeInsecureRequests eq true
Require identify verification during two-factor authentication (2FA) registration Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true
Require identify verification for email address changes Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnEmailChange eq true
Time out user sessions after 15 minutes Prompt users to log out or continue working after 15 minutes. CRM
SessionSettings should have sessionTimeout eq "FifteenMinutes"
Name Description Service Rule
Ensure certificate keys expire within 1 year Ensure that all certificate keys expire within 1 year. CRM
Certificate should have expirationDate isLaterThan(0, "days") and expirationDate isEarlierThan(365, "days")
Require a 4096-bit certificate key size The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. CRM
Certificate should have keySize gte 4096
Configure CORS allowlist origins Ensure that there are origins configured in the CORS allowlist CRM
Organization should have CorsAllowlistOrigins len() gt 0
Ensure Cross-Site Request Forgery (CSRF) protection is enabled Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. CRM
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true
Disable caching and autocomplete on login page Do not allow the user’s browser to store usernames and auto-fill the User Name field on the login page. CRM
SessionSettings should have enableCacheAndAutocomplete eq false
Enable clickjack protection for customer Visualforce pages with headers turned off Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. CRM
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true
Enable clickjack protection for customer Visualforce pages with standard headers Clickjack protection for customer Visualforce pages with standard headers is enabled. CRM
SessionSettings should have enableClickjackNonsetupUser eq true
Enable clickjack protection for non-setup Salesforce pages Clickjack protection for non-setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackNonsetupSFDC eq true
Enable clickjack protection for setup Salesforce pages Clickjack protection for setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackSetup eq true
Enable Content Sniffing protection Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. CRM
SessionSettings should have enableContentSniffingProtection eq true
Allow Lightning Login Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. CRM
SessionSettings should have enableLightningLogin eq true
Set guest user organization-wide defaults to Private Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. CRM
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false
Enable SMS Identity Users can receive a one-time password in a text message (SMS) to verify their identity. CRM
SessionSettings should have enableSMSIdentity eq true
Ensure XSS protection is enabled Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. CRM
SessionSettings should have enableXssProtection eq true
Ensure that no certificates are expired Ensure that no certificates have expired. CRM
Certificate should have expirationDate isLaterThan(0, "days")
Ensure file upload and download security rules are configured There is at least one file upload and download security rule configured for the organization CRM
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0
Display a warning and force re-login after a period of inactivity Force re-login upon session timeout and enable the session timeout warning popup. CRM
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true
Limit the number of failed login attempts to 5 or less After 5 failed login attempts, the user will be locked out. CRM
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts")
Ensure IP restriction is configured At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. CRM
Organization should have NetworkAccessIpRanges len() gt 0
Enforce password complexity requirements Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. CRM
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8
Set passwords to expire after 90 days Ensure that user passwords expire after 90 days and must be changed. CRM
PasswordPolicies should have expiration eq "NinetyDays"
Ensure that users cannot reuse any of their previous 5 passwords Save users' previous 5 passwords so that they must always reset a new, unique password. CRM
PasswordPolicies should have historyRestriction gte 5
Set password lockout interval to 30 minutes Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. CRM
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes"
Require a minimum 1 day password lifetime Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. CRM
PasswordPolicies should have minimumPasswordLifetime eq true
Obscure secret answers for password resets Hide answers to password reset security questions as the user types. CRM
PasswordPolicies should have obscureSecretAnswer eq true
Logging is enabled for real time events Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. CRM
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max)
Remote site settings are configured Ensure that the organization has at least one active remote site setting. CRM
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ]
Require secure connections (HTTPS) Determines whether HTTPS is required to log in to or access Salesforce. CRM
SessionSettings should have requireHttps eq true
Require secure connections (HTTPS) for Forcecom sites Visualforce, Salesforce sites, or Experience Cloud sites must use HTTPS. CRM
SessionSettings should have hstsOnForcecomSites eq true
Require secure connections (HTTPS) for third-party domains Indicates if HTTPS is required for connecting to third-party domains. CRM
SessionSettings should have enableUpgradeInsecureRequests eq true
Time out user sessions after 15 minutes Prompt users to log out or continue working after 15 minutes. CRM
SessionSettings should have sessionTimeout eq "FifteenMinutes"
Enable single sign-on Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. CRM
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true
Name Description Service Rule
Ensure certificate keys expire within 1 year Ensure that all certificate keys expire within 1 year. CRM
Certificate should have expirationDate isLaterThan(0, "days") and expirationDate isEarlierThan(365, "days")
Require a 4096-bit certificate key size The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. CRM
Certificate should have keySize gte 4096
Configure CORS allowlist origins Ensure that there are origins configured in the CORS allowlist CRM
Organization should have CorsAllowlistOrigins len() gt 0
Ensure Cross-Site Request Forgery (CSRF) protection is enabled Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. CRM
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true
Enable clickjack protection for customer Visualforce pages with headers turned off Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. CRM
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true
Enable clickjack protection for customer Visualforce pages with standard headers Clickjack protection for customer Visualforce pages with standard headers is enabled. CRM
SessionSettings should have enableClickjackNonsetupUser eq true
Enable clickjack protection for non-setup Salesforce pages Clickjack protection for non-setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackNonsetupSFDC eq true
Enable clickjack protection for setup Salesforce pages Clickjack protection for setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackSetup eq true
Enable Content Sniffing protection Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. CRM
SessionSettings should have enableContentSniffingProtection eq true
Allow Lightning Login Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. CRM
SessionSettings should have enableLightningLogin eq true
Set guest user organization-wide defaults to Private Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. CRM
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false
Enable SMS Identity Users can receive a one-time password in a text message (SMS) to verify their identity. CRM
SessionSettings should have enableSMSIdentity eq true
Ensure XSS protection is enabled Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. CRM
SessionSettings should have enableXssProtection eq true
Ensure that no certificates are expired Ensure that no certificates have expired. CRM
Certificate should have expirationDate isLaterThan(0, "days")
Display a warning and force re-login after a period of inactivity Force re-login upon session timeout and enable the session timeout warning popup. CRM
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true
Limit the number of failed login attempts to 5 or less After 5 failed login attempts, the user will be locked out. CRM
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts")
Ensure IP restriction is configured At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. CRM
Organization should have NetworkAccessIpRanges len() gt 0
Enforce password complexity requirements Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. CRM
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8
Set passwords to expire after 90 days Ensure that user passwords expire after 90 days and must be changed. CRM
PasswordPolicies should have expiration eq "NinetyDays"
Ensure that users cannot reuse any of their previous 5 passwords Save users' previous 5 passwords so that they must always reset a new, unique password. CRM
PasswordPolicies should have historyRestriction gte 5
Require a minimum 1 day password lifetime Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. CRM
PasswordPolicies should have minimumPasswordLifetime eq true
Protect referrer URL Configure the referer header to display only salesforce.com, rather than displaying the entire URL. CRM
SessionSettings should have referrerPolicy eq true
Logging is enabled for real time events Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. CRM
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max)
Remote site settings are configured Ensure that the organization has at least one active remote site setting. CRM
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ]
Require secure connections (HTTPS) Determines whether HTTPS is required to log in to or access Salesforce. CRM
SessionSettings should have requireHttps eq true
Require secure connections (HTTPS) for Forcecom sites Visualforce, Salesforce sites, or Experience Cloud sites must use HTTPS. CRM
SessionSettings should have hstsOnForcecomSites eq true
Require secure connections (HTTPS) for third-party domains Indicates if HTTPS is required for connecting to third-party domains. CRM
SessionSettings should have enableUpgradeInsecureRequests eq true
Require identify verification during two-factor authentication (2FA) registration Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true
Require identify verification for email address changes Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnEmailChange eq true
Enable single sign-on Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. CRM
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true
Name Description Service Rule
Enable admin login as any user If true, the Administrators Can Log in as Any User field is enabled. CRM
SecuritySettings should have enableAdminLoginAsAnyUser eq true
Ensure certificate keys expire within 1 year Ensure that all certificate keys expire within 1 year. CRM
Certificate should have expirationDate isLaterThan(0, "days") and expirationDate isEarlierThan(365, "days")
Require a 4096-bit certificate key size The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. CRM
Certificate should have keySize gte 4096
Configure CORS allowlist origins Ensure that there are origins configured in the CORS allowlist CRM
Organization should have CorsAllowlistOrigins len() gt 0
Ensure Cross-Site Request Forgery (CSRF) protection is enabled Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. CRM
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true
Disable caching and autocomplete on login page Do not allow the user’s browser to store usernames and auto-fill the User Name field on the login page. CRM
SessionSettings should have enableCacheAndAutocomplete eq false
Enable clickjack protection for customer Visualforce pages with headers turned off Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. CRM
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true
Enable clickjack protection for customer Visualforce pages with standard headers Clickjack protection for customer Visualforce pages with standard headers is enabled. CRM
SessionSettings should have enableClickjackNonsetupUser eq true
Enable clickjack protection for non-setup Salesforce pages Clickjack protection for non-setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackNonsetupSFDC eq true
Enable clickjack protection for setup Salesforce pages Clickjack protection for setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackSetup eq true
Enable Content Sniffing protection Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. CRM
SessionSettings should have enableContentSniffingProtection eq true
Allow Lightning Login Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. CRM
SessionSettings should have enableLightningLogin eq true
Set guest user organization-wide defaults to Private Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. CRM
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false
Enable SMS Identity Users can receive a one-time password in a text message (SMS) to verify their identity. CRM
SessionSettings should have enableSMSIdentity eq true
Ensure XSS protection is enabled Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. CRM
SessionSettings should have enableXssProtection eq true
Ensure that no certificates are expired Ensure that no certificates have expired. CRM
Certificate should have expirationDate isLaterThan(0, "days")
Ensure file upload and download security rules are configured There is at least one file upload and download security rule configured for the organization CRM
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0
Display a warning and force re-login after a period of inactivity Force re-login upon session timeout and enable the session timeout warning popup. CRM
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true
Limit the number of failed login attempts to 5 or less After 5 failed login attempts, the user will be locked out. CRM
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts")
Ensure IP restriction is configured At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. CRM
Organization should have NetworkAccessIpRanges len() gt 0
Enforce password complexity requirements Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. CRM
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8
Set passwords to expire after 90 days Ensure that user passwords expire after 90 days and must be changed. CRM
PasswordPolicies should have expiration eq "NinetyDays"
Ensure that users cannot reuse any of their previous 5 passwords Save users' previous 5 passwords so that they must always reset a new, unique password. CRM
PasswordPolicies should have historyRestriction gte 5
Set password lockout interval to 30 minutes Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. CRM
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes"
Require a minimum 1 day password lifetime Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. CRM
PasswordPolicies should have minimumPasswordLifetime eq true
Obscure secret answers for password resets Hide answers to password reset security questions as the user types. CRM
PasswordPolicies should have obscureSecretAnswer eq true
Logging is enabled for real time events Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. CRM
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max)
Remote site settings are configured Ensure that the organization has at least one active remote site setting. CRM
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ]
Require secure connections (HTTPS) Determines whether HTTPS is required to log in to or access Salesforce. CRM
SessionSettings should have requireHttps eq true
Require secure connections (HTTPS) for Forcecom sites Visualforce, Salesforce sites, or Experience Cloud sites must use HTTPS. CRM
SessionSettings should have hstsOnForcecomSites eq true
Require secure connections (HTTPS) for third-party domains Indicates if HTTPS is required for connecting to third-party domains. CRM
SessionSettings should have enableUpgradeInsecureRequests eq true
Require identify verification during two-factor authentication (2FA) registration Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true
Require identify verification for email address changes Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnEmailChange eq true
Time out user sessions after 15 minutes Prompt users to log out or continue working after 15 minutes. CRM
SessionSettings should have sessionTimeout eq "FifteenMinutes"
Enable single sign-on Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. CRM
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true
Name Description Service Rule
Ensure certificate keys expire within 1 year Ensure that all certificate keys expire within 1 year. CRM
Certificate should have expirationDate isLaterThan(0, "days") and expirationDate isEarlierThan(365, "days")
Require a 4096-bit certificate key size The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. CRM
Certificate should have keySize gte 4096
Configure CORS allowlist origins Ensure that there are origins configured in the CORS allowlist CRM
Organization should have CorsAllowlistOrigins len() gt 0
Ensure Cross-Site Request Forgery (CSRF) protection is enabled Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. CRM
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true
Enable clickjack protection for customer Visualforce pages with headers turned off Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. CRM
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true
Enable clickjack protection for customer Visualforce pages with standard headers Clickjack protection for customer Visualforce pages with standard headers is enabled. CRM
SessionSettings should have enableClickjackNonsetupUser eq true
Enable clickjack protection for non-setup Salesforce pages Clickjack protection for non-setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackNonsetupSFDC eq true
Enable clickjack protection for setup Salesforce pages Clickjack protection for setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackSetup eq true
Enable Content Sniffing protection Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. CRM
SessionSettings should have enableContentSniffingProtection eq true
Allow Lightning Login Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. CRM
SessionSettings should have enableLightningLogin eq true
Set guest user organization-wide defaults to Private Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. CRM
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false
Enable SMS Identity Users can receive a one-time password in a text message (SMS) to verify their identity. CRM
SessionSettings should have enableSMSIdentity eq true
Ensure XSS protection is enabled Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. CRM
SessionSettings should have enableXssProtection eq true
Ensure that no certificates are expired Ensure that no certificates have expired. CRM
Certificate should have expirationDate isLaterThan(0, "days")
Ensure file upload and download security rules are configured There is at least one file upload and download security rule configured for the organization CRM
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0
Display a warning and force re-login after a period of inactivity Force re-login upon session timeout and enable the session timeout warning popup. CRM
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true
Limit the number of failed login attempts to 5 or less After 5 failed login attempts, the user will be locked out. CRM
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts")
Ensure IP restriction is configured At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. CRM
Organization should have NetworkAccessIpRanges len() gt 0
Enforce password complexity requirements Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. CRM
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8
Set passwords to expire after 90 days Ensure that user passwords expire after 90 days and must be changed. CRM
PasswordPolicies should have expiration eq "NinetyDays"
Ensure that users cannot reuse any of their previous 5 passwords Save users' previous 5 passwords so that they must always reset a new, unique password. CRM
PasswordPolicies should have historyRestriction gte 5
Set password lockout interval to 30 minutes Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. CRM
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes"
Protect referrer URL Configure the referer header to display only salesforce.com, rather than displaying the entire URL. CRM
SessionSettings should have referrerPolicy eq true
Logging is enabled for real time events Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. CRM
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max)
Remote site settings are configured Ensure that the organization has at least one active remote site setting. CRM
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ]
Require secure connections (HTTPS) Determines whether HTTPS is required to log in to or access Salesforce. CRM
SessionSettings should have requireHttps eq true
Require secure connections (HTTPS) for Forcecom sites Visualforce, Salesforce sites, or Experience Cloud sites must use HTTPS. CRM
SessionSettings should have hstsOnForcecomSites eq true
Require secure connections (HTTPS) for third-party domains Indicates if HTTPS is required for connecting to third-party domains. CRM
SessionSettings should have enableUpgradeInsecureRequests eq true
Require identify verification during two-factor authentication (2FA) registration Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true
Require identify verification for email address changes Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnEmailChange eq true
Time out user sessions after 15 minutes Prompt users to log out or continue working after 15 minutes. CRM
SessionSettings should have sessionTimeout eq "FifteenMinutes"
Enable single sign-on Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. CRM
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true
Name Description Service Rule
Ensure certificate keys expire within 1 year Ensure that all certificate keys expire within 1 year. CRM
Certificate should have expirationDate isLaterThan(0, "days") and expirationDate isEarlierThan(365, "days")
Require a 4096-bit certificate key size The certificate key size determines how long the key can be used for. A certificate with 4096-bit keys lasts 2 years, and a certificate with 2048-bit keys lasts 1 year. CRM
Certificate should have keySize gte 4096
Configure CORS allowlist origins Ensure that there are origins configured in the CORS allowlist CRM
Organization should have CorsAllowlistOrigins len() gt 0
Ensure Cross-Site Request Forgery (CSRF) protection is enabled Cross-Site Request Forgery (CSRF) protection on GET and POST requests on non-setup pages should be enabled. CRM
SessionSettings should have enableCSRFOnGet eq true and enableCSRFOnPost eq true
Enable clickjack protection for customer Visualforce pages with headers turned off Clickjack protection for customer Visualforce pages with standard headers turned off is enabled. CRM
SessionSettings should have enableClickjackNonsetupUserHeaderless eq true
Enable clickjack protection for customer Visualforce pages with standard headers Clickjack protection for customer Visualforce pages with standard headers is enabled. CRM
SessionSettings should have enableClickjackNonsetupUser eq true
Enable clickjack protection for non-setup Salesforce pages Clickjack protection for non-setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackNonsetupSFDC eq true
Enable clickjack protection for setup Salesforce pages Clickjack protection for setup Salesforce pages is enabled. CRM
SessionSettings should have enableClickjackSetup eq true
Enable Content Sniffing protection Prevent the browser from inferring the MIME type from the document content and from executing malicious files (JavaScript, Stylesheet) as dynamic content. CRM
SessionSettings should have enableContentSniffingProtection eq true
Allow Lightning Login Users can use Lightning Login (Salesforce Authenticator) to log in instead of a password. CRM
SessionSettings should have enableLightningLogin eq true
Set guest user organization-wide defaults to Private Guest users have org-wide defaults set to Private. To share records with them, you must use guest user sharing rules. CRM
SharingSettings should have enableSecureGuestAccess eq true or enableSecureGuestAccess eq false
Enable SMS Identity Users can receive a one-time password in a text message (SMS) to verify their identity. CRM
SessionSettings should have enableSMSIdentity eq true
Ensure XSS protection is enabled Enable protection against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected and XSS protection is enabled, the browser shows a blank page with no content. CRM
SessionSettings should have enableXssProtection eq true
Ensure that no certificates are expired Ensure that no certificates have expired. CRM
Certificate should have expirationDate isLaterThan(0, "days")
Ensure file upload and download security rules are configured There is at least one file upload and download security rule configured for the organization CRM
FileUploadAndDownloadSecuritySettings should have dispositions len() gt 0
Display a warning and force re-login after a period of inactivity Force re-login upon session timeout and enable the session timeout warning popup. CRM
SessionSettings should have disableTimeoutWarning eq false and forceLogoutOnSessionTimeout eq true
Limit the number of failed login attempts to 5 or less After 5 failed login attempts, the user will be locked out. CRM
PasswordPolicies should have maxLoginAttempts in ("ThreeAttempts", "FiveAttempts")
Ensure IP restriction is configured At least one trusted IP address range is configured for the organization. Ensure IP restriction is turned on for user logins to minimize the risk of unauthorized access in case of compromised accounts. CRM
Organization should have NetworkAccessIpRanges len() gt 0
Enforce password complexity requirements Require secure passwords that combine uppercase letters, lowercase letters, numbers, and symbols, and require a minimum of 8 characters. Set a maximum incorrect login attempt to between 3 and 5 times. CRM
PasswordPolicies should have complexity eq "UpperLowerCaseNumericSpecialCharacters" and maxLoginAttempts in ("ThreeAttempts","FiveAttempts") and minimumPasswordLength eq 8
Set passwords to expire after 90 days Ensure that user passwords expire after 90 days and must be changed. CRM
PasswordPolicies should have expiration eq "NinetyDays"
Ensure that users cannot reuse any of their previous 5 passwords Save users' previous 5 passwords so that they must always reset a new, unique password. CRM
PasswordPolicies should have historyRestriction gte 5
Set password lockout interval to 30 minutes Lock the user account for a specified amount of time after exceeding the allowed number of failed login attempts. CRM
PasswordPolicies should have lockoutInterval eq "ThirtyMinutes"
Require a minimum 1 day password lifetime Requiring a minimum password lifetime ensures passwords can’t be changed more than one time during a 24-hour period. CRM
PasswordPolicies should have minimumPasswordLifetime eq true
Logging is enabled for real time events Streaming is enabled for real time events, and at least 1 client is subscribed to the event stream. CRM
RealTimeEventSettings should have every RealTimeEvents with [ isEnabled eq true ] and (StreamingApiConcurrentClients . Remaining lt StreamingApiConcurrentClients . Max)
Remote site settings are configured Ensure that the organization has at least one active remote site setting. CRM
Organization should have atleast one RemoteSiteSettings with [ isActive eq true and disableProtocolSecurity eq false ]
Require secure connections (HTTPS) Determines whether HTTPS is required to log in to or access Salesforce. CRM
SessionSettings should have requireHttps eq true
Require secure connections (HTTPS) for Forcecom sites Visualforce, Salesforce sites, or Experience Cloud sites must use HTTPS. CRM
SessionSettings should have hstsOnForcecomSites eq true
Require secure connections (HTTPS) for third-party domains Indicates if HTTPS is required for connecting to third-party domains. CRM
SessionSettings should have enableUpgradeInsecureRequests eq true
Require identify verification during two-factor authentication (2FA) registration Indicates if users are required to confirm their identities when adding a verification method such as Salesforce Authenticator for multi-factor authentication (MFA), instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnTwoFactorRegistrationEnabled eq true
Require identify verification for email address changes Indicates if a user’s identity is confirmed when changing their email address, instead of requiring a re-login. CRM
SessionSettings should have identityConfirmationOnEmailChange eq true
Time out user sessions after 15 minutes Prompt users to log out or continue working after 15 minutes. CRM
SessionSettings should have sessionTimeout eq "FifteenMinutes"
Enable single sign-on Ensure that single sign-on is enabled. Users are redirected to third-party identity providers for authentication. CRM
SingleSignOnSettings should have isLoginWithSalesforceCredentialsDisabled eq true