Configuring Salesforce Security Features
Setting Session Security

Field: Require security tokens for API logins from callouts (API version 31.0 and earlier)
Description: Requires the use of security tokens for API logins from callouts, such as Apex callouts or callouts using the AJAX proxy, in API version 31.0 and earlier. In API version 32.0 and later, security tokens are required by default.

Field: Login IP Ranges
Description: Specifies a range of IP addresses users must log in from (inclusive), or the login will fail. Users need to activate their computers to successfully log in from IP addresses outside this range.
To specify a range, click New and enter a lower and upper IP address to define the range.
This field is not available in Enterprise, Unlimited, Performance, and Developer Editions. In those editions, you can specify valid IP addresses per profile.

Field: Enable clickjack protection for setup pages
Description: Protects against clickjack attacks on setup Salesforce pages. Clickjacking is also known as a user interface redress attack. (Setup pages are available from the Setup menu.)

Field: Enable clickjack protection for non-setup Salesforce pages
Description: Protects against clickjack attacks on non-setup Salesforce pages. Clickjacking is also known as a user interface redress attack. Setup pages already include protection against clickjack attacks. (Setup pages are available from the Setup menu.) This setting is selected by default for all organizations.

Field: Enable clickjack protection for non-setup customer Visualforce pages
Description: Protects against clickjack attacks on your Visualforce pages. Clickjacking is also known as a user interface redress attack.
Warning: If you use custom Visualforce pages within a frame or iframe, you may see a blank page or the page may display without the frame. For example, Visualforce pages in a page layout do not function when clickjack protection is on.

Field: Enable CSRF protection on GET requests on non-setup pages
Field: Enable CSRF protection on POST requests on non-setup pages
Description: Protects against Cross-Site Request Forgery (CSRF) attacks by modifying non-setup pages to include a random string of characters in the URL parameters or as a hidden form field. With every GET and POST request, the application checks the validity of this string of characters and doesn't execute the command unless the value found matches the value expected. This setting is selected by default for all organizations.
3. Click Save.
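The CSRF setting above describes a synchronizer-token check: a random per-session value is placed in the URL (GET) or a hidden form field (POST) and every request is rejected unless the value received matches the value expected. The following is an added illustration of that mechanism, not Salesforce's own code; the session store, the `_csrf` parameter name and the request shape are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store: session id -> expected anti-CSRF token.
# (Assumption: a real application keeps this in its server-side session state.)
_sessions: dict[str, str] = {}


def issue_token(session_id: str) -> str:
    """Generate a random token for this session and remember the expected value."""
    token = secrets.token_urlsafe(32)
    _sessions[session_id] = token
    return token


def hidden_field(session_id: str) -> str:
    """Render the session's token as the hidden form field carried by POST requests."""
    return f'<input type="hidden" name="_csrf" value="{_sessions[session_id]}">'


def verify_request(session_id: str, method: str, query: str = "", body: str = "") -> bool:
    """Check the token on a GET (URL parameter) or POST (form body) request.

    Returns True only when a token is present and equals the value expected
    for this session. A missing session, a missing token or a mismatch all
    fail closed; the comparison is constant-time so a mismatch leaks nothing
    about how many characters matched.
    """
    expected = _sessions.get(session_id)
    if expected is None:
        return False
    source = query if method.upper() == "GET" else body
    supplied = parse_qs(source).get("_csrf", [None])[0]
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())


if __name__ == "__main__":
    sid = "demo-session"                      # constructed session id
    tok = issue_token(sid)
    print(hidden_field(sid))
    print("valid POST   :", verify_request(sid, "POST", body=f"id=7&_csrf={tok}"))
    print("missing token:", verify_request(sid, "POST", body="id=7"))
```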
Session-level Security
You can restrict access to certain types of resources based on the level of security associated with the authentication (login) method for the user's current session. By default, each login method has one of two security levels: Standard or High Assurance. You can change the session security level and define policies so specified resources are only available to users with a High Assurance level.
The different authentication methods are assigned these security levels, by default.
• Username and Password — Standard
• Delegated Authentication — Standard