How Is the Health Check Score Calculated?
The Health Check score is calculated by a proprietary formula that measures how well your security settings meet the Salesforce Baseline Standard or your selected custom baseline. Settings that meet or exceed compliance raise your score, and settings at risk lower your score.
| Required Editions |
|---|
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions |
There are four risk categories: High-Risk, Medium-Risk, Low-Risk, and Informational. The risk categories affect your Health Check score, with High-Risk settings counting the most, Low-Risk settings counting the least, and Medium-Risk settings in the middle. Settings in the Informational category don’t factor into your Health Check score.
If all settings meet or exceed the standard, your total score is 100%. As you update your settings, the green bar moves to the right.
Your grade is based on your score.
- 90% and above = Excellent
- 80%–89% = Very Good
- 70%–79% = Good
- 55%–69% = Poor
- 54% and below = Very Poor
- You can see your score on the Health Check page, but not through the API.
- Your score can change if Salesforce adds or removes options that are used in the score calculation.
Recommended Actions Based on Your Score
| If your total score is... | We recommend that you... |
|---|---|
| 0%–33% | Remediate high risks immediately. |
| 34%–66% | Remediate high risks in the short term and medium risks in the long term. |
| 67%–100% | Review Health Check periodically to remediate risks. |
These tables list the Salesforce baseline standard settings, risk levels, and values from the default Salesforce Baseline Standard. If you’re using a custom baseline, your information differs.
High-Risk Security Settings
| Setting | Compliant Value | Warning Value | Critical Value |
|---|---|---|---|
| Lock sessions to the domain in which they were first used | Checkbox selected | N/A | Checkbox deselected |
| Enable the SMS method of device activation | Checkbox selected | N/A | Checkbox deselected |
| Enable clickjack protection for Setup pages | Checkbox selected | N/A | Checkbox deselected |
| Enable clickjack protection for non-Setup Salesforce pages | Checkbox selected | N/A | Checkbox deselected |
| Enable clickjack protection for customer Visualforce pages with standard headers | Checkbox selected | N/A | Checkbox deselected |
| Enable clickjack protection for customer Visualforce pages with headers disabled | Checkbox selected | N/A | Checkbox deselected |
| Enable CSRF protection on GET requests on non-setup pages | Checkbox selected | N/A | Checkbox deselected |
| Enable CSRF protection on POST requests on non-setup pages | Checkbox selected | N/A | Checkbox deselected |
| Require HttpOnly attribute | Checkbox selected | Checkbox deselected | N/A |
| Number of security risk file types with hybrid behavior | No security risk file types have hybrid behavior enabled | One or more security risk file types have hybrid behavior enabled | N/A |
| Maximum invalid login attempts | 3 | 5, 10 | No Limit |
| Number of expired certificates | No certificates have expired | One or more certificates have expired | N/A |
| Number of Objects with Default External Access Set to Public | No objects with default external access set to public exist | At least one object with default external access set to public exists | N/A |
Medium-Risk Security Settings
| Setting | Compliant Value | Warning Value | Critical Value |
|---|---|---|---|
| Require a minimum 1-day password lifetime | Checkbox selected | Checkbox deselected | N/A |
| Force relogin after Login-As-User | Checkbox selected | N/A | Checkbox deselected |
| Enforce login IP ranges on every request | Checkbox selected | Checkbox deselected | N/A |
| Enable Content Security Policy protection for email templates | Checkbox selected | N/A | Checkbox deselected |
| Enable Content Sniffing protection | Checkbox selected | N/A | Checkbox deselected |
| Administrators Can Log In As Any User | Checkbox deselected | Checkbox selected | N/A |
| Enforce password history | 3 or more passwords remembered | 1 or 2 passwords remembered | No passwords remembered |
| Minimum password length | 8 | 6 or 7 | 5 or less |
| User passwords expire in | 90 days or less | 180 days | One year or Never expires |
| Password complexity requirement | Must mix alpha, numeric, and special characters, or more complex | Must mix alpha and numeric characters | No restriction |
Low-Risk Security Settings
| Setting | Compliant Value | Warning Value | Critical Value |
|---|---|---|---|
| Obscure secret answer for password resets | Checkbox selected | Checkbox deselected | N/A |
| Force log out on session timeout | Checkbox selected | Checkbox deselected | N/A |
| Require identity verification during multi-factor authentication (MFA) registration | Checkbox selected | N/A | Checkbox deselected |
| Require identity verification for change of email address | Checkbox selected | N/A | Checkbox deselected |
| Remote Site | No remote sites with the Disable Protocol Security option selected | At least one remote site created with the Disable Protocol Security option selected | N/A |
| Password question requirement | Can’t contain password | None | N/A |
| Timeout Value | 2 hours or less | 4, 8, or 12 hours | Checkbox deselected |
| Lockout effective period | 30 minutes or greater | Less than 30 minutes | N/A |
Informational Security Settings
Informational Security settings don’t affect your Health Check score, but are valuable to review.
| Setting | Compliant Value | Warning Value | Critical Value |
|---|---|---|---|
| Allow redirections to untrusted external URLs without warning | Setting is disabled | N/A | Setting is enabled |
| Days until certificate expiration | No certificates created, or all certificates have less than 180 days until expiration | Less than 180 days but more than 15 days until expiration of at least one certificate | Less than 15 days until expiration of at least one certificate |
| Key Size | All certificates have a key size of 4096 | At least one certificate has a key size of 3072 or 2048 | N/A |
| Number of Objects to which Guest User Profiles have Edit Access | 0–4 | 5–9 | 10 or more |
| Number of Objects to which Guest User Profiles have Read Access | 0–4 | 5–9 | 10 or more |
| Require permission to view record names in lookup fields | Setting is enabled | N/A | Setting is disabled |
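The following is an added example, not Salesforce code and not the proprietary formula. It models the behaviour this page describes: each setting is evaluated against its row in the baseline tables (a handful of rows from each risk category are encoded, using the exact compliant, warning and critical values above), High-Risk rows weigh more than Medium-Risk and Low-Risk rows, Informational rows carry no weight, an all-compliant org scores 100%, and the resulting percentage is mapped to the grade and recommended-action bands listed earlier. The weights (3, 2, 1, 0), the half credit for a warning value, and the treatment of band boundaries as inclusive lower bounds are assumptions made for illustration; the page states only the ordering of the categories, so a real org's score will not reproduce these numbers. The org settings in `SAMPLE_ORG` are constructed.

```python
from collections import namedtuple
from enum import Enum
from typing import Any, Callable, Optional

# Added example, not Salesforce code. The real formula is proprietary, so the
# weights and partial credit below are ASSUMED; the thresholds, risk categories,
# grade bands and recommended actions come from the tables on this page.

class Risk(Enum):
    HIGH = 3            # assumed weights: the page only fixes the ordering
    MEDIUM = 2
    LOW = 1
    INFORMATIONAL = 0   # listed in the report, never scored

class Status(Enum):
    COMPLIANT = "compliant"
    WARNING = "warning"
    CRITICAL = "critical"

Rule = namedtuple("Rule", "name risk evaluate")

def checkbox(deselected_is: Status) -> Callable[[bool], Status]:
    """Selected is compliant; deselected is warning or critical per the table row."""
    return lambda selected: Status.COMPLIANT if selected else deselected_is

def invalid_login_attempts(value: Optional[int]) -> Status:
    """3 -> compliant; 5 or 10 -> warning; None (No Limit) -> critical."""
    if value is None:
        return Status.CRITICAL
    if value == 3:
        return Status.COMPLIANT
    if value in (5, 10):
        return Status.WARNING
    raise ValueError(f"not a Salesforce option: {value!r}")

def password_expiry(days: Optional[int]) -> Status:
    """90 or less -> compliant; 180 -> warning; one year or Never -> critical."""
    if days is None or days >= 365:
        return Status.CRITICAL
    return Status.COMPLIANT if days <= 90 else Status.WARNING

# A subset of the baseline tables above, with at least one row per category.
BASELINE = [
    Rule("Lock sessions to the domain in which they were first used",
         Risk.HIGH, checkbox(Status.CRITICAL)),
    Rule("Require HttpOnly attribute", Risk.HIGH, checkbox(Status.WARNING)),
    Rule("Maximum invalid login attempts", Risk.HIGH, invalid_login_attempts),
    Rule("User passwords expire in", Risk.MEDIUM, password_expiry),
    Rule("Force log out on session timeout", Risk.LOW, checkbox(Status.WARNING)),
    Rule("Require permission to view record names in lookup fields",
         Risk.INFORMATIONAL, checkbox(Status.CRITICAL)),
]

# Assumed fraction of a setting's weight earned at each status.
CREDIT = {Status.COMPLIANT: 1.0, Status.WARNING: 0.5, Status.CRITICAL: 0.0}

def score(settings: dict[str, Any]) -> tuple[float, dict[str, Status]]:
    """Weighted percentage plus per-setting status; weight-0 rows cannot move it."""
    earned = possible = 0.0
    findings = {}
    for rule in BASELINE:
        status = rule.evaluate(settings[rule.name])
        findings[rule.name] = status
        earned += rule.risk.value * CREDIT[status]
        possible += rule.risk.value
    return 100.0 * earned / possible, findings

def grade(pct: float) -> str:
    """Grade bands from the page; the lower bound of each band is inclusive."""
    for floor, label in ((90, "Excellent"), (80, "Very Good"), (70, "Good"), (55, "Poor")):
        if pct >= floor:
            return label
    return "Very Poor"

def recommended_action(pct: float) -> str:
    """Action bands from the page (0-33, 34-66, 67-100), lower bounds inclusive."""
    if pct < 34:
        return "Remediate high risks immediately."
    if pct < 67:
        return "Remediate high risks in the short term and medium risks in the long term."
    return "Review Health Check periodically to remediate risks."

# Constructed org settings, not a real org: three scored rows sit at warning and
# the informational row is critical, which the score ignores.
SAMPLE_ORG: dict[str, Any] = {
    "Lock sessions to the domain in which they were first used": True,
    "Require HttpOnly attribute": False,
    "Maximum invalid login attempts": 10,
    "User passwords expire in": 180,
    "Force log out on session timeout": True,
    "Require permission to view record names in lookup fields": False,
}

if __name__ == "__main__":
    pct, findings = score(SAMPLE_ORG)
    for name, status in findings.items():
        if status is not Status.COMPLIANT:
            print(f"{status.value:9} {name}")
    print(f"{pct:.1f}% -> {grade(pct)}: {recommended_action(pct)}")
```

Running the module lists the at-risk rows and then the score, grade and recommended action for the constructed org. Two points to notice when reading the output: the informational row shows up as critical in the findings but flipping it to compliant leaves the percentage unchanged, and three warning values on High-Risk and Medium-Risk rows are enough to pull an otherwise compliant org under the 67% line that separates periodic review from active remediation. Since the real weights are not published, treat the percentage as a shape of the behaviour rather than a prediction of what the Health Check page will show.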