
Partner Third-Party Connections Recommended Security Settings

Published: Nov 25, 2025
Description

At Salesforce, Trust is our #1 value, and protecting customer data is our top priority. 

If we detect, or are notified of, potential security issues involving an application that you have developed or distributed, Salesforce may take precautionary steps - including suspending access to all affected applications and associated features and services - while we investigate the issue. 
Please note: "applications" in this context refers to all applications and integrations that connect to Salesforce.

Salesforce requires that partners follow all of the below recommendations for securing their third-party installed apps: 

Review All Applications Regularly: Regularly conduct a thorough review of all applications for signs of malicious activity or vulnerabilities.

Implement Recommended Security Controls: Ensure your Connected Apps, API usage, and Partner Business Orgs, Packaging Orgs, Namespace Definition Orgs, and External Client Apps Definition Orgs follow the latest recommended security settings at a minimum.

For Connected Apps/External Client Apps settings:

  1. Disable device flow

  2. Rotate refresh tokens

  3. Rotate any client certificates in JSON Web Token flow

  4. IP allowlisting for all apps except native apps

  5. Remove client credential flow

  6. Remove username/password flow

  7. Remove implicit grant flow

  8. Remove web flow


For other API usage not included in Connected Apps/External Client Apps:

  1. Disclose the use of and then rotate any API keys stored in protected custom settings/metadata

  2. Do not send user session IDs back to the partner's own servers

For Partner Business Orgs, Packaging Orgs, Namespace Definition Orgs, and Connected Apps/External Client Apps Definition Orgs:

  1. Do not grant any user the "Use Any API Client" permission

  2. Require MFA for all users

  3. Require IP allowlisting to access the org

  4. Do not install any Connected Apps/External Client Apps in these orgs that don't meet criteria 1 and 2 above.

  5. Do not host any sites that allow guest user access in these orgs

  6. Do not install any third-party managed packages in these orgs

  7. Rotate all user passwords

Publish Valid IP Ranges for Salesforce Customers: Immediately publish the external IP ranges for your applications so that your Salesforce customers can add them to the Valid IP Ranges on the profile used for the integration.

Maintain Security by Periodically Rotating Secrets: Immediately ensure that your consumer secrets, OAuth app client IDs and client secrets are being periodically changed and/or rotated. If an app becomes compromised, these must be changed immediately.

Monitor API Usage: Set up real-time alerts for highly unusual API request volumes, times of day, or geo-locations originating from your Connected Application.
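The three alert conditions above (volume, time of day, geo-location) as a small baseline-and-alert routine. This is an added example, not Salesforce code; the event records, the app name "PartnerSyncApp", the business-hours window and the allowed-country set are all constructed assumptions, and the record layout is not a real Salesforce event log schema.

```python
# Added example: alerting on unusual connected-app API activity.
# The events below are constructed for this demo and do not follow any real
# Salesforce event log schema: (app name, ISO-8601 UTC timestamp, country code).
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

BUSINESS_HOURS = range(6, 20)  # assumed expected activity window (UTC) for the app
ALLOWED_COUNTRIES = {"US"}     # assumed countries covered by the partner's published IP ranges

def make_sample_events():
    """Constructed sample: steady baseline, one burst, one off-hours foreign call."""
    events = []
    for hour in range(8, 16):  # baseline: 5 calls per hour
        for i in range(5):
            events.append(("PartnerSyncApp", f"2025-11-25T{hour:02d}:{i * 10:02d}:00+00:00", "US"))
    for minute in range(60):   # burst: 60 calls in one hour
        events.append(("PartnerSyncApp", f"2025-11-25T16:{minute:02d}:00+00:00", "US"))
    events.append(("PartnerSyncApp", "2025-11-26T03:12:00+00:00", "BR"))  # off-hours, unexpected geo
    return events

def hourly_counts(events):
    """Return {app: Counter{hour_bucket: calls}}, buckets truncated to the hour."""
    counts = defaultdict(Counter)
    for app, ts, _country in events:
        bucket = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        counts[app][bucket] += 1
    return counts

def volume_alerts(events, factor=5):
    """Flag hour buckets whose call count exceeds factor x the app's median hourly count."""
    alerts = []
    for app, buckets in hourly_counts(events).items():
        threshold = factor * median(buckets.values())
        for bucket, n in sorted(buckets.items()):
            if n > threshold:
                alerts.append((app, bucket.isoformat(), n))
    return alerts

def time_and_geo_alerts(events):
    """Flag calls outside the expected hours or from a country outside the published ranges."""
    alerts = []
    for app, ts, country in events:
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            alerts.append((app, ts, "off-hours"))
        if country not in ALLOWED_COUNTRIES:
            alerts.append((app, ts, f"unexpected country {country}"))
    return alerts
```

The median-based threshold is deliberately robust to a single burst inflating the baseline; in production the baseline would come from the app's own history rather than the same window being scored.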

Respond to Incidents Appropriately: If an app becomes compromised, immediately address the security incident by securing the Packaging Orgs, App Definition Orgs, Partner Business Org space, and namespace, disabling insecure flows and protocols in the connected app, rotating all user passwords, rotating all secrets, and enforcing IP access controls.

Reporting: Any suspicious activity or security incidents that impact your applications and/or the consumer secrets for your applications must be reported immediately to our security team by emailing security@salesforce.com for further investigation.

Packaged App Security: Review the ISV Force Guide and make sure your applications are compliant.

Review the security requirements for ISV packages (Securing Connected Apps and ECAs) for best practices that ensure the security and trust of Connected Apps (CAs) and External Client Apps (ECAs).


Knowledge Article Number

005225370
