Set Up and Maintain Your Salesforce Organization
          Review Session Security Settings

          Learn about session security settings.

          • Session Timeout Settings Control
            The Salesforce session timeout control is a security measure designed to protect against unauthorized access by automatically terminating user sessions after a specified period of inactivity.
          • Session Settings Control
            Lock Sessions to Originating IP Address to prevent session hijacking by making sure that a user's session ID remains valid only when accessed from the specific IP address where it was first established.
          • Secure Connections (HTTPS) Settings Control
            This multi-layered control framework strengthens session integrity by enforcing continuous IP validation for every request and shielding session tokens from unauthorized script access via the HTTPOnly attribute.
          • Caching Settings Control
            This configuration optimizes platform performance and user convenience by using a global Content Delivery Network (CDN) and secure browser caching to accelerate the delivery of static Lightning resources.
          • Content Security Policy Protection Control
            Prevent users from bypassing security checks when viewing templates in Salesforce Classic using Internet Explorer, and enforce a rigorous framework that blocks unauthorized scripts and resources from executing within the platform.
          • Content Security Policy (CSP) Directive Rendering Control
            Enabling CSP (Content Security Policy) Directive Rendering allows your Salesforce org to adopt the latest, most restrictive security standards for how resources are loaded on Lightning pages.
          • Cross-Site Request Forgery (CSRF) Protection Control
            Enable CSRF Protection in Salesforce session settings to secure your environment.
          • Clickjack Protection Control
            Salesforce provides Clickjack Protection settings to protect your organization from UI redress attacks.
          • Lightning Locker API Version Control
            Enabling the latest Lightning Locker API version is a security control that ensures all Lightning components in your organization are governed by the most recent security patches.
          • Lightning Web Security Control
            Enabling Lightning Web Security (LWS) is a security control that replaces the legacy Lightning Locker architecture with a modern, virtualization-based sandbox for Lightning components.
          • Referrer URL Protection Control
            The Referrer URL Protection control in Salesforce enables the Referrer-Policy HTTP header to regulate the amount of internal URL information shared with external websites.
          • Cross-Origin Security Headers Control
            Enable Cross-Origin Opener Policy (COOP) and Cross-Origin Embedder Policy (COEP) in Salesforce session settings.
          • Content Sniffing Protection Control
            To prevent browsers from incorrectly interpreting files as executable scripts, Salesforce admins should enable "Enable Content Sniffing Protection" within the Session Settings menu.
          • Secure Logout Page Control
            This control ensures that when a Salesforce session expires in a browser tab, the user is automatically redirected to a predefined, secure URL.
          • New User Welcome Email Settings Control
            The Salesforce "Link Expiration" setting for welcome emails is a security control that defines the timeframe for which a new user's activation link remains active.