salesforce_security_impl_guide

More documents

Recommendations

Info

Configuring Salesforce Security Features Setting Session Security Field Lock sessions to the IP address from which they originated Description Determines whether user sessions are locked to the IP address from which the user logged in; helping to prevent unauthorized persons from hijacking a valid session. Note: This may inhibit various applications and mobile devices. Require secure connections (HTTPS) Determines whether HTTPS is required to log in to or access Salesforce, apart from Force.com sites, which can still be accessed using HTTP. This option is enabled by default for security reasons. Note: The Resetting Passwords for Your Users page can only be accessed using HTTPS. Force relogin after Login-As-User Require HttpOnly attribute Determines whether an administrator who is logged in as another user is returned to their previous session after logging out as the secondary user. If the option is enabled, an administrator must log in again to continue using Salesforce after logging out as the user; otherwise, the administrator is returned to the original session after logging out as the user. This option is enabled by default for new organizations beginning with the Summer ‘14 release. Restricts session ID cookie access. A cookie with the HttpOnly attribute is not accessible via non-HTTP methods, such as calls from JavaScript. Note: If you have a custom or packaged application that uses JavaScript to access session ID cookies, selecting Require HttpOnly attribute breaks your application because it denies the application access to the cookie. The Developer Console and AJAX Toolkit debugging window are also not available if the Require HttpOnly attribute is selected. Use POST requests for cross-domain sessions Sets the organization to send session information using a POST request, instead of a GET request, for cross-domain exchanges, such as when a user is using a Visualforce page. In this context, POST requests are more secure than GET requests, because POST requests keep the session information in the body of the request. However, if you enable this setting, embedded content from another domain, such as: might not display. Enable caching and password autocomplete on login page Enable SMS-based identity confirmation Allows the user’s browser to store usernames. If enabled, after an initial log in, usernames are auto-filled into the User Name field on the login page. This preference is selected by default and caching and autocomplete are enabled. Enables users to receive a one-time PIN delivered via SMS. Once enabled, administrators or users must verify their mobile phone number before taking advantage of this feature. This setting is selected by default for all organizations. 84
Configuring Salesforce Security Features Setting Session Security Field Require security tokens for API logins from callouts (API version 31.0 and earlier) Login IP Ranges Enable clickjack protection for setup pages Enable clickjack protection for non-setup Salesforce pages Enable clickjack protection for non-setup customer Visualforce pages Enable CSRF protection on GET requests on non-setup pages Enable CSRF protection on POST requests on non-setup pages Description Requires the use of security tokens for API logins from callouts, such as Apex callouts or callouts using the AJAX proxy, in API version 31.0 and earlier. In API version 32.0 and later, security tokens are required by default. Specifies a range of IP addresses users must log in from (inclusive), or the login will fail. Users need to activate their computers to successfully log in from IP addresses outside this range. To specify a range, click New and enter a lower and upper IP address to define the range. This field is not available in Enterprise, Unlimited, Performance, and Developer Editions. In those editions, you can specify valid IP addresses per profile. Protects against clickjack attacks on setup Salesforce pages. Clickjacking is also known as a user interface redress attack. (Setup pages are available from the Setup menu.) Protects against clickjack attacks on non-setup Salesforce pages. Clickjacking is also known as a user interface redress attack. Setup pages already include protection against clickjack attacks. (Setup pages are available from the Setup menu.) This setting is selected by default for all organizations. Protects against clickjack attacks on your Visualforce pages. Clickjacking is also known as a user interface redress attack. Warning: If you use custom Visualforce pages within a frame or iframe, you may see a blank page or the page may display without the frame. For example, Visualforce pages in a page layout do not function when clickjack protection is on. Protects against Cross Site Request Forgery (CSRF) attacks by modifying non-setup pages to include a random string of characters in the URL parameters or as a hidden form field. With every GET and POST request, the application checks the validity of this string of characters and doesn’t execute the command unless the value found matches the value expected. This setting is selected by default for all organizations. 3. Click Save. Session-level Security You can restrict access to certain types of resources based on the level of security associated with the authentication (login) method for the user’s current session. By default, each login method has one of two security levels: Standard or High Assurance. You can change the session security level and define policies so specified resources are only available to users with a High Assurance level. The different authentication methods are assigned these security levels, by default. • Username and Password — Standard • Delegated Authentication — Standard 85
Page 1 and 2:
Security Implementation Guide Versi
Page 3 and 4:
CONTENTS Chapter 1: Security Overvi
Page 5 and 6:
Contents Editing Lead Sharing Rules
Page 7 and 8:
CHAPTER 1 Security Overview Salesfo
Page 9 and 10:
Security Overview User Security Ove
Page 11 and 12:
Security Overview Custom Permission
Page 13 and 14:
Security Overview CAPTCHA Security
Page 15 and 16:
Security Overview Auditing • Role
Page 17 and 18:
Securing and Sharing Data Revoking
Page 19 and 20:
Securing and Sharing Data Viewing P
Page 21 and 22:
Securing and Sharing Data Cloning P
Page 23 and 24:
Securing and Sharing Data App and S
Page 25 and 26:
Securing and Sharing Data Working w
Page 27 and 28:
Securing and Sharing Data Enable Cu
Page 29 and 30:
Securing and Sharing Data Assigning
Page 31 and 32:
Securing and Sharing Data Creating
Page 33 and 34:
Securing and Sharing Data Editing P
Page 35 and 36:
Securing and Sharing Data Searching
Page 37 and 38:
Securing and Sharing Data Enable Cu
Page 39 and 40: Securing and Sharing Data Object Pe
Page 41 and 42: Securing and Sharing Data Comparing
Page 43 and 44: Securing and Sharing Data Setting F
Page 45 and 46: Securing and Sharing Data Working w
Page 47 and 48: Securing and Sharing Data Setting L
Page 49 and 50: Securing and Sharing Data Restricti
Page 51 and 52: Securing and Sharing Data Managing
Page 53 and 54: Securing and Sharing Data External
Page 55 and 56: Securing and Sharing Data Disabling
Page 57 and 58: Securing and Sharing Data Creating
Page 67 and 68: Securing and Sharing Data Editing L
Page 69 and 70: Securing and Sharing Data Editing C
Page 71 and 72: Securing and Sharing Data Editing C
Page 73 and 74: Securing and Sharing Data Sharing R
Page 75 and 76: Securing and Sharing Data User Shar
Page 77 and 78: Securing and Sharing Data Sharing U
Page 81 and 82: Securing and Sharing Data Viewing A
Page 83 and 84: Securing and Sharing Data Granting
Page 85 and 86: Configuring Salesforce Security Fea
Page 89: Configuring Salesforce Security Fea
Page 95 and 96: CHAPTER 4 Enabling Single Sign-On S
Page 97 and 98: Enabling Single Sign-On • Before
Page 99 and 100: Monitoring Your Organization's Secu
Page 107 and 108: Security Tips for Apex and Visualfo
Page 113 and 114: INDEX A Access about 10 revoking 11
Page 115 and 116: Index Profiles (continued) object p
show all

salesforce_security_impl_guide

Create successful ePaper yourself

Delete template?

Save as template?