Run Health Check
After completing this unit, you’ll be able to:
- Explain how Health Check can keep your org secure.
- Use Health Check configurations to improve the security of apps running in your Salesforce org.
Salesforce Platform Security and Custom Apps
When you build custom apps to run on your Salesforce org, it's important to ensure that your Salesforce instance is secure in addition to securing the apps themselves. Since the majority of custom applications are business specific, it's likely that the apps you build will be specific to your Salesforce org.
Salesforce constantly strives to make our platform as secure as possible, and we view the security of the apps you develop as a shared responsibility. As part of this, we provide some of that security control to you so you have the flexibility to meet the business requirements of your organization.
Salesforce security features enable you to empower your users to do their jobs safely and efficiently. This module covers two important ways to ensure the security of your Salesforce org when developing and running custom apps. Let’s start with Health Check.
What Is Health Check?
Health Check is a dashboard that lets you see how closely the security settings in your org align with the settings recommended by Salesforce. A score of 0–100 is displayed, with 100 being the most secure setting configuration. From this single-page dashboard, you can adjust the robustness of the security mechanisms built into your org and fix vulnerable settings in just one click. All your security settings are available from a single page, making it easy to see your org’s overall security at a glance. A summary score shows how well your org is aligned with the Salesforce-recommended standard.
Why Use Health Check?
Health Check can expose inactive security mechanisms that exist in your org’s security settings. You can use that information to improve the security of your org as you deploy custom apps. This feature is important because any time you build and deploy a custom app, you impact the security of your org as a whole. Most applications built on the Salesforce Platform are deployed to the owner's org. This means that how your custom code runs will depend on how you've configured the security settings in your org.
Securing Salesforce Applications
Enabling the correct security permissions is key to ensuring your apps operate safely when deployed to Salesforce. You can build Lightning components using two programming models: Lightning Web Components (LWC) and the original model, Aura Components. In general, however, Salesforce is moving away from Aura components in favor of LWC.
Secure Your LWC Session Settings
In order to run a Salesforce-powered app, you usually have the following:
- A Salesforce org
- Browser-side code in LWC
- Server-side code in Apex
By enabling the correct security permissions, you can change how your apps operate when deployed to Salesforce. To access security settings, go to Setup | Security Settings, or open Setup and use the search box to find the exact setting you’re looking for. Most security settings are simple on/off toggles. We recommend enabling the following security settings.
Require HttpOnly Attribute
HttpOnly is an additional flag included in the Set-Cookie HTTP response header. Using the HttpOnly flag when generating a cookie helps mitigate the risk of a client-side script accessing the protected cookie.
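The following is an added example, not Salesforce code: a small audit that parses `Set-Cookie` response headers and reports cookies that lack the HttpOnly attribute described above, so you can verify the setting from the headers a site actually returns. The sample headers are constructed.

```python
# Added example (not Salesforce code): audit Set-Cookie headers for the HttpOnly
# attribute. Sample headers below are constructed, not captured from a real org.
from typing import Dict, List, Tuple, Union

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header_value: str) -> Tuple[str, str, Attrs]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure map to True, valued ones (Path, Max-Age, SameSite) to their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def cookies_missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies a client-side script could read (no HttpOnly attribute)."""
    missing = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed sample: the session cookie is protected, the second cookie is not.
SAMPLE_SET_COOKIE = [
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lastVisited=home; Path=/; Secure",
]

if __name__ == "__main__":
    print(cookies_missing_httponly(SAMPLE_SET_COOKIE))  # ['lastVisited']
```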
Enable User Certificates
Enable this setting to allow certificate-based authentication, which uses PEM-encoded X.509 digital certificates to authenticate individual users to your org.
Enable Clickjack Protection
You can set the clickjack protection for a site to one of these levels.
- Allow framing by any page (no protection).
- Allow framing by the same origin only (recommended).
- Don’t allow framing by any page (most protection).
Salesforce Communities have two separate clickjack protection settings. We recommend that you set both to the same level.
- Force.com Communities site (set from the Force.com site detail page)
- Site.com Communities site (set from the Site.com configuration page)
Enable HSTS for Sites and Communities
The HSTS setting must be enabled in two locations.
- Enable HSTS for Sites and Communities in Session Settings.
- Enable Require Secure Connections (HTTPS) in the community or Salesforce site security settings.
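As an added example (not Salesforce code), the check below evaluates a site's response headers against the clickjack levels listed above and the HSTS setting. It assumes the three clickjack levels correspond to the standard `X-Frame-Options` values a browser enforces (no header, `SAMEORIGIN`, `DENY`); the sample headers are constructed.

```python
# Added example (not Salesforce code): audit response headers for clickjack and HSTS.
# Assumption: the three Salesforce clickjack levels map to X-Frame-Options as below.
from typing import Dict, List, Optional
from urllib.parse import urlsplit

CLICKJACK_LEVELS: Dict[str, Optional[str]] = {
    "any": None,                 # no header: any page may frame the site
    "same_origin": "SAMEORIGIN",  # recommended
    "deny": "DENY",              # most protection
}


def framing_allowed(x_frame_options: Optional[str], page_url: str, framer_url: str) -> bool:
    """Decide whether a browser honoring X-Frame-Options lets framer_url embed page_url."""
    if x_frame_options is None:
        return True
    value = x_frame_options.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        # Same origin means same scheme and same host:port.
        return urlsplit(page_url)[:2] == urlsplit(framer_url)[:2]
    raise ValueError(f"unsupported X-Frame-Options value: {x_frame_options!r}")


def hsts_max_age(header: Optional[str]) -> Optional[int]:
    """max-age from a Strict-Transport-Security header, or None if absent or invalid."""
    if header is None:
        return None
    for directive in header.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None


def audit_site_headers(headers: Dict[str, str], min_hsts_age: int = 31536000) -> List[str]:
    """Findings for one response; an empty list means both settings look enforced."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("clickjack: no X-Frame-Options header, any page may frame this site")
    elif xfo.strip().upper() not in ("SAMEORIGIN", "DENY"):
        findings.append(f"clickjack: unrecognised X-Frame-Options value {xfo!r}")
    age = hsts_max_age(h.get("strict-transport-security"))
    if age is None:
        findings.append("hsts: Strict-Transport-Security header missing or has no max-age")
    elif age < min_hsts_age:
        findings.append(f"hsts: max-age {age} is below {min_hsts_age} seconds")
    return findings


# Constructed sample: framing by any page is allowed and the HSTS max-age is short.
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security": "max-age=3600; includeSubDomains"}
```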
Set Session Timeout
It’s a good idea to set a short session timeout if your org holds sensitive information and you want to enforce strong security.
You can set values, including:
- Timeout value
- Force logout on session timeout
- Disable timeout warning popup
Enable Cross-Site Scripting (XSS) Protection
Enable the XSS protection setting to protect against reflected cross-site scripting attacks. If a reflected cross-site scripting attack is detected, the browser shows a blank page with no content. If there is no content, scripts cannot be used to inject attacks.
Use the Latest Version of Locker
Lightning Locker provides component isolation and security that allows code from many sources to execute and interact using safe, standard APIs and event mechanisms. Lightning Locker is enabled for all custom Lightning web components and updates automatically. If you’re using Aura, check your component version for compatibility.
Now you’ve seen how to secure your org with LWC's built-in features. In the next unit, we dig into how Shield helps you protect your apps.