Secure Your Salesforce Org
Salesforce builds security into every layer to protect your data and applications, but security is a shared responsibility. Configure authentication and access controls so your users work securely. Then set up essential protections and monitor your org's health.
- Get Started with Salesforce Security
Whether you’re new to Salesforce, setting up a new org, or reviewing your security configuration, start here to understand the key security features and settings available in the Salesforce Platform.
- Salesforce Security Basics
The Salesforce security features help you empower your users to do their jobs safely and efficiently. Salesforce limits exposure of data to the users that act on it. Implement security controls that you think are appropriate for the sensitivity of your data. We'll work together to protect your data from unauthorized access from outside your company and from inappropriate usage by your users.
- User Authentication and Identity Verification
User authentication and identity verification work together to protect access to Salesforce. User authentication asks users to establish their identity with credentials, such as a username and password. Identity verification is when a user demonstrates ownership of their account by providing evidence, such as a verification code that only the user knows. Protect access to Salesforce with secure authentication and identity verification features such as multi-factor authentication (MFA), single sign-on (SSO), and passwordless login with passkeys.
- User and API Access
Learn about giving users and APIs access to your Salesforce org and data.
- IP and Domain Access
Add the required domains to your network allowlist, and configure IP allowlists in Salesforce.
- Email Security
To enable Salesforce to send email, verify your email domains. And protect outbound communications with email security standards including Transport Layer Security (TLS), Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication (DMARC). And help your users complete the required verification of their email address and return email address in Salesforce.
- Certificates and Keys
Salesforce certificates and key pairs are used for signatures that verify a request is coming from your org. They’re used for authenticated SSL communications with an external website, or when using your Salesforce org as an Identity Provider. You only need to generate a Salesforce certificate and key pair if you're working with an external website that wants verification that a request is coming from a Salesforce organization.
- Session and Browser Security
After users log in, their sessions and browser interactions become potential targets for attack. Configure session security settings, protect against clickjacking, and manage allowlists for external URLs and origins. Then review the cookies that Salesforce Platform uses to improve functionality and accelerate processing times.
- Review Your Security Health
Review your security configuration and get recommendations to identify and address potential vulnerabilities.
- Monitor and Audit Security in Salesforce
Salesforce security is an ongoing practice. Audit changes to your org’s security, including field and setup changes. Track user logins, mobile device access, and user identity verification events.

