| Timeout value |
Length of time after which the system logs out inactive users. For Portal
users, the timeout is between 10 minutes and 24 hours even though you can only set
it as low as 15 minutes. Select a value between 15 minutes and 24 hours. Choose a
shorter timeout period if your org has sensitive information and you want to
enforce stricter security.

The last active session time value isn’t updated until halfway through the
timeout period. So if you have a 30-minute timeout, the system doesn’t check for
activity until 15 minutes have passed. For example, if you update a record after
10 minutes, the last active session time value isn’t updated because there was no
activity after the 15-minute mark. You’re logged out 20 minutes later (30 minutes
total), because the last active session time wasn’t updated. Suppose instead that
you update a record after 20 minutes. That’s 5 minutes after the last active
session time is checked. Your timeout resets, and you have another 30 minutes
before being logged out, for a total of 50 minutes.
|
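The halfway-check behaviour above is easy to misjudge when planning a timeout policy. The following added example (not Salesforce code) models it the way the description reads: activity only refreshes the last-active time once half the timeout has elapsed since it was last refreshed, and the session expires a full timeout after that time. Minutes since login are constructed values.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Model of the Timeout value behaviour (added example, not Salesforce code).

    Assumed reading of the description: the last-active timestamp is refreshed by
    activity only once at least half the timeout has elapsed since it was last
    refreshed, and the session expires a full timeout after that timestamp."""
    timeout: int          # configured timeout in minutes (15 min to 24 h)
    last_active: int = 0  # minute at which activity was last recorded

    def is_expired(self, now: int) -> bool:
        return now - self.last_active >= self.timeout

    def activity(self, now: int) -> bool:
        """Record user activity at minute `now`; return True if it refreshed last_active."""
        if self.is_expired(now):
            return False  # already logged out; activity cannot revive the session
        if now - self.last_active < self.timeout / 2:
            return False  # before the halfway check: the activity is not noticed
        self.last_active = now
        return True

    def logout_minute(self) -> int:
        """Minute at which the user is logged out if no further activity is recorded."""
        return self.last_active + self.timeout


def logout_after(timeout: int, activity_minutes: list[int]) -> int:
    """Replay activity at the given minutes and return the resulting logout minute."""
    session = Session(timeout)
    for minute in sorted(activity_minutes):
        session.activity(minute)
    return session.logout_minute()


if __name__ == "__main__":
    # The two scenarios from the description, with a 30-minute timeout.
    print(logout_after(30, [10]))  # 30: activity at 10 min is before the 15-min check
    print(logout_after(30, [20]))  # 50: activity at 20 min resets the timeout
```

Because activity in the first half of the period is never noticed, the effective session length for a user who clicks steadily varies between the configured timeout and 1.5 times that value.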
| Disable session timeout warning popup |
Determines whether the system prompts inactive users with a timeout warning
message. Users are prompted 30 seconds before timeout as specified by the
Timeout value. |
| Force logout on session timeout |
Requires that when sessions time out for inactive users, current sessions become
invalid. The browser refreshes and returns to the login page. To access the org,
the user must log in again. Do not select Disable session timeout warning popup
when using this setting.
|
| Lock sessions to the IP address from which they originated |
Determines whether user sessions are locked to the IP address from which the
user logged in, helping to prevent unauthorized persons from hijacking a valid
session. This setting can interfere with various applications and mobile
devices.
|
| Lock sessions to the domain in which they were first used |
Associates a current UI session for a user, such as a community user, with a
specific domain. The setting helps prevent unauthorized use of the session ID in
another domain. This setting is enabled by default for orgs created with the
Spring ’15 release or later. |
| Require secure connections (HTTPS) |
Determines whether HTTPS is required to log in to or access Salesforce, apart
from Force.com sites, which can be accessed using HTTP. This setting is enabled
by default for security reasons. This setting does not apply to API requests;
all API requests require HTTPS. The Reset Passwords for Your Users page can only
be accessed using HTTPS.
|
| Require secure connections (HTTPS) for all third-party domains |
Determines whether HTTPS is required for connecting to third-party domains. This
setting is enabled by default on accounts created after the Summer ’17 release.
|
| Force relogin after Login-As-User |
Determines whether an administrator who is logged in as another user is returned
to their previous session after logging out as the secondary user. If the setting
is enabled, an administrator must log in again to continue using Salesforce after
logging out as the user. Otherwise, the administrator is returned to the original
session after logging out as the user. This setting is enabled by default for new
orgs beginning with the Summer ’14 release.
|
| Require HttpOnly attribute |
Restricts session ID cookie access. A cookie with the HttpOnly attribute is not
accessible via non-HTTP methods, such as calls from JavaScript. If you have a
custom or packaged application that uses JavaScript to access session ID cookies,
selecting Require HttpOnly attribute breaks your application, because it denies
the application access to the cookie. If Require HttpOnly attribute is selected,
the AJAX Toolkit debugging window isn’t available.
|
| Use POST requests for cross-domain sessions |
Sets the org to send session information using a POST request, instead of a GET
request, for cross-domain exchanges. An example of a cross-domain exchange is when
a user is using a Visualforce page. In this context, POST requests are more secure
than GET requests because POST requests keep the session information in the body
of the request. However, if you enable this setting, embedded content from another
domain, such as:
<img src="https://acme.force.com/pic.jpg"/>
sometimes doesn’t display. |
| Enforce login IP ranges on every request |
Restricts the IP addresses from which users can access Salesforce to only the
IP addresses defined in Login IP Ranges. If this setting is
enabled, login IP ranges are enforced on each page request, including requests
from client applications. If this setting isn’t enabled, login IP ranges are
enforced only when a user logs in. This setting affects all user profiles that
have login IP restrictions. |
| Enable caching and autocomplete on login page |
Allows the user’s browser to store usernames. If enabled, after
initial login, usernames are auto-filled into the Username
field on the login page. If the user selected Remember me
on the login page, the username persists after the session expires or the user
logs out. The username also appears on the Switcher. This setting is selected by
default for all orgs. If you disable this setting, the Remember
me option doesn’t appear on your org’s login page or from the
Switcher.
|
| Enable secure and persistent browser caching to improve performance |
Enables secure data caching in the browser to improve page reload performance
by avoiding extra round trips to the server. This setting is selected by default
for all orgs. We don’t recommend disabling this setting, but if your company’s
policy doesn’t allow browser caching even if the data is encrypted, you can
disable it.
|
| Enable user switching |
Determines whether the Switcher appears when your org’s users select their
profile picture. This setting is selected by default for all organizations. The
Enable caching and autocomplete on login page setting must
also be enabled. Deselect the Enable user switching setting
to prevent your org from appearing in Switchers on other orgs. It also prevents
your org users from seeing the Switcher when they select their profile
picture. |
| Remember until logout |
Normally, usernames are cached only while a session is active or if a user
selects Remember me. For SSO sessions, the Remember me option isn't available.
So, once the session expires, the username disappears from the login page and
the Switcher. By enabling Remember me until logout, the cached usernames are
deleted only if the user explicitly logs out. If the session times out, they
appear on the Switcher as inactive. This way, if the users are on their own
computer and allow a session to time out, they can select the username to
reauthenticate. If they're on a shared computer, the username is deleted
immediately when the user logs out. This setting applies to all your org’s
users. This option isn't enabled by default. However, we encourage you to enable
it as a convenience to your users. Keep this setting disabled if your org doesn't
expose all your SSO or authentication providers on your login page.
|
| Enable the SMS method of identity confirmation |
Allows users to receive a one-time PIN delivered via SMS. If this setting is
selected, administrators or users must verify their mobile phone number before
taking advantage of this feature. This setting is selected by default for all
orgs. |
| Require security tokens for API logins from callouts (API version 31.0 and earlier) |
In API version 31.0 and earlier, requires the use of security tokens for API
logins from callouts. Examples are Apex callouts or callouts using the AJAX proxy.
In API version 32.0 and later, security tokens are required by default. |
| Login IP Ranges (for Contact Manager, Group, and Professional Editions) |
Specifies a range of IP addresses users must log in from (inclusive), or the
login fails. To specify a range, click New and enter a Start IP Address and End IP
Address to define the range, which includes the start and end values. This field
is not available in Enterprise, Unlimited, Performance, and Developer Editions. In
those editions, you can specify a valid Login IP Range in the user profile
settings.
|
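The Login IP Ranges entry above and the earlier Enforce login IP ranges on every request setting together decide when an address is checked. This added example (not Salesforce code) models both: inclusive Start/End ranges, and a session whose later page requests are re-checked only when the per-request setting is on. The corporate range and client addresses are constructed documentation values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginIpRange:
    """One Start IP Address / End IP Address pair as entered under Login IP Ranges.
    Both ends are inclusive, matching the Setup page's description."""
    start: str
    end: str

    def contains(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end)
        # Comparing IPv4 with IPv6 raises TypeError; treat a version mismatch as "not in range".
        return a.version == lo.version == hi.version and lo <= a <= hi


def in_login_ranges(ranges: list, addr: str) -> bool:
    """True if addr falls inside any configured range; no ranges means no restriction."""
    return not ranges or any(r.contains(addr) for r in ranges)


def session_outcome(ranges: list, login_ip: str, later_ips: list, enforce_every_request: bool):
    """Walk one session: the login, then each later page request.

    Returns (login_allowed, [request_allowed, ...]). With the per-request setting
    off, the ranges are checked only at login, so a session that later moves to
    another network (a laptop leaving the office) keeps working; with it on, each
    request from outside the ranges is refused."""
    if not in_login_ranges(ranges, login_ip):
        return False, []
    if not enforce_every_request:
        return True, [True] * len(later_ips)
    return True, [in_login_ranges(ranges, ip) for ip in later_ips]


# Constructed example configuration: a corporate range 203.0.113.10 to 203.0.113.20.
CORP = [LoginIpRange("203.0.113.10", "203.0.113.20")]
```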
| Let users use a security key (U2F) |
Allows users to use a U2F security key for two-factor authentication and
identity verification. Instead of using Salesforce Authenticator, a one-time
password generated by an authenticator app, or one-time passwords sent by email or
SMS, users insert their registered U2F security key into a USB port to complete
verification. |
| Require identity verification during two-factor authentication registration |
Requires users to confirm their identities to add a two-factor authentication
method, such as Salesforce Authenticator, instead of requiring a relogin as
before. |
| Require identity verification for change of email address |
Requires users to confirm their identities to change email addresses instead of
requiring a relogin as before. To get the emails to confirm identity, make sure
that users have access to their previously registered email accounts.
|
| Allow location-based automated verifications with Salesforce Authenticator / Allow only from trusted IP addresses |
Allows users to verify identity by automatically approving notifications in
Salesforce Authenticator, whenever users are in trusted locations such as a home
or office. If you allow automated verifications, you can allow them from any
location or restrict them to only trusted IP addresses, such as your corporate
network. |
| Allow Lightning Login |
Allows users to use Lightning Login for password-free Salesforce logins,
relying on Salesforce Authenticator for identity verification. |
| Enable clickjack protection for Setup pages |
Protects against clickjack attacks on Salesforce Setup pages. Clickjacking is
also known as a user interface redress attack. (Setup pages are available from
the Setup menu.) |
| Enable clickjack protection for non-Setup Salesforce pages |
Protects against clickjack attacks on non-Setup Salesforce pages. Clickjacking is
also known as a user interface redress attack. Setup pages already include
protection against clickjack attacks. (Setup pages are available from the Setup
menu.) This setting is selected by default for all orgs. |
| Enable clickjack protection for customer Visualforce pages with standard headers |
Protects against clickjack attacks on your Visualforce pages with headers
enabled. Clickjacking is also known as a user interface redress attack. If you
use custom Visualforce pages within a frame or iframe, you sometimes see a blank
page or the page displays without the frame. For example, Visualforce pages in a
page layout don’t function when clickjack protection is on.
|
| Enable clickjack protection for customer Visualforce pages with headers disabled |
Protects against clickjack attacks on your Visualforce pages with headers
disabled by setting showHeader="false" on the page. Clickjacking is also known as
a user interface redress attack. If you use custom Visualforce pages within a
frame or iframe, you sometimes see a blank page or the page displays without the
frame. For example, Visualforce pages in a page layout don’t function when
clickjack protection is on.
|
| Enable CSRF protection on GET requests on non-setup pages |
Protects against Cross Site Request Forgery (CSRF) attacks by modifying non-Setup
pages. Non-Setup pages include a random string of characters in the URL
parameters or as a hidden form field. With every GET and POST request, the
application checks the validity of this string of characters. The application
doesn’t execute the command unless the value found matches the expected value.
This setting is selected by default for all orgs. |
| Enable CSRF protection on POST requests on non-setup pages |
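The mechanism the two CSRF settings describe, as an added example that is not Salesforce's implementation: a random per-session string is embedded in links (URL parameter, checked on GET) and in forms (hidden field, checked on POST), and the server executes the command only when the presented value matches the expected one. The parameter name `csrf_token` and the example.invalid URLs are assumptions, not Salesforce's.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed parameter name for the random string; a placeholder, not Salesforce's own.
TOKEN_PARAM = "csrf_token"


def new_session_token() -> str:
    """Random per-session string the server remembers and embeds in every page."""
    return secrets.token_urlsafe(32)


def link_with_token(url: str, token: str) -> str:
    """Embed the token as a URL parameter for links that trigger GET requests."""
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}{TOKEN_PARAM}={token}"


def hidden_field(token: str) -> str:
    """Embed the token as a hidden form field for POST requests."""
    return f'<input type="hidden" name="{TOKEN_PARAM}" value="{token}"/>'


def presented_token(method: str, url: str, form: dict) -> Optional[str]:
    """GET requests carry the token in the URL; POST requests carry it in the form body."""
    if method == "GET":
        return parse_qs(urlsplit(url).query).get(TOKEN_PARAM, [None])[0]
    if method == "POST":
        return form.get(TOKEN_PARAM)
    return None


def request_allowed(expected: str, method: str, url: str, form: Optional[dict] = None) -> bool:
    """The check the setting describes: execute the command only when the value
    found in the request matches the value expected for this session. A request
    forged from another site cannot include the token, so it fails here.
    compare_digest avoids leaking the token through timing differences."""
    found = presented_token(method, url, form or {})
    if found is None:
        return False
    return hmac.compare_digest(found.encode(), expected.encode())
```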
| Enable XSS protection |
Protects against cross-site scripting attacks. If a reflected cross-site
scripting attack is detected, the browser shows a blank page with no
content. |
| Enable Content Sniffing protection |
Prevents the browser from inferring the MIME type from the document content.
It also prevents the browser from executing malicious files (JavaScript,
Stylesheet) as dynamic content. |
| Logout URL |
Redirects users to a specific page after they log out of Salesforce, such as
an authentication provider’s page or a custom-branded page. This URL is used only
if no logout URL is specified in the identity provider, SAML single sign-on, or
external authentication provider settings. If no value is specified for
Logout URL, the default is https://login.salesforce.com, unless My Domain is
enabled. If My Domain is enabled, the default is
https://customdomain.my.salesforce.com. |