April 15, 2026 | Guides

6 Salesforce security configuration settings worth getting right

Salesforce misconfigurations are a leading cause of SaaS breaches. Here are 6 security settings every admin should review—and how posture monitoring keeps you covered.

More than 150,000 organizations run their sales, customer service, and business operations on Salesforce. That scale also makes it one of the most attractive targets in the SaaS landscape—a single compromised instance can expose customer records, sales data, support cases, and sensitive communications.

The stakes became clear in August 2025, when threat actors compromised Salesloft Drift and stole the OAuth tokens its Salesforce integration held, then replayed those tokens to pull data out of customers' Salesforce orgs, ultimately impacting more than 750 companies.

Salesforce gives you strong native security controls. The challenge is knowing which ones matter most, configuring them correctly, and catching drift before it becomes a problem.

Below, we walk through six Salesforce security settings worth prioritizing—and show how ongoing posture monitoring helps you catch misconfigurations before they become incidents.

1. MFA and SSO enforcement

Salesforce has required MFA for every user since 2022, but enforcement gaps remain common. The usual one: SSO is configured but not enforced, so users can still authenticate on the Salesforce login page with a username and password, bypassing your IdP (and whatever MFA and device policy it applies) entirely.

Enforcing SSO at the Salesforce level closes that gap:

  • Blocks direct username/password logins, so every interactive session passes through the IdP's controls
  • Applies MFA uniformly, because it is enforced once at the IdP rather than user by user in Salesforce
  • Turns any remaining direct logins into visible exceptions in Login History that you can chase down

To configure: In Setup, go to Identity → Single Sign-On Settings and, once SAML login is working, enable "Disable login with Salesforce credentials". For logins that still reach Salesforce directly, go to Setup → Identity → Identity Verification and enable "Require multi-factor authentication (MFA) for all direct UI logins to your org". That setting covers direct logins only; for SSO users, MFA has to be enforced in the IdP. Before disabling credential logins, make sure at least one system administrator keeps a tested break-glass path (a password plus MFA) so an IdP outage cannot lock you out of the org, and alert on that account's logins. See Salesforce's MFA guidance for details.
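Enforcing SSO is only half the job; you also want to know who has been logging in around it. The script below is an added example (not code from the original post or from Salesforce) that takes a LoginHistory export and lists users with successful username/password logins. The records are constructed here in the shape of the "records" array that `sf data query --json` returns; which LoginType values count as direct credential logins is an assumption you should check against the values that actually appear in your org.

```python
"""Spot Salesforce users who logged in without going through the IdP.

Added example: not code from the original post or from Salesforce. Records are
constructed in the shape of the "records" array returned by
  sf data query --json --query "SELECT UserId, LoginType, Status, LoginTime, SourceIp
                                FROM LoginHistory WHERE LoginTime = LAST_N_DAYS:30"
The classification of LoginType values below is an assumption; confirm it against
the values that appear in your own org before acting on the output.
"""
from collections import Counter, defaultdict

# Assumed classification of LoginHistory.LoginType values (adjust for your org).
SSO_LOGIN_TYPES = {"SAML Sfdc Initiated SSO", "SAML Idp Initiated SSO"}
DIRECT_LOGIN_TYPES = {"Application", "Other Apex API"}   # login page / SOAP API with a password

# Constructed sample export: one SSO user, one user with two direct logins,
# one failed direct attempt, and one OAuth token exchange.
SAMPLE_LOGIN_HISTORY = [
    {"UserId": "005000000000001AAA", "LoginType": "SAML Sfdc Initiated SSO", "Status": "Success",
     "LoginTime": "2026-04-01T08:00:00.000+0000", "SourceIp": "203.0.113.10"},
    {"UserId": "005000000000002AAA", "LoginType": "Application", "Status": "Success",
     "LoginTime": "2026-04-02T09:15:00.000+0000", "SourceIp": "198.51.100.7"},
    {"UserId": "005000000000002AAA", "LoginType": "Application", "Status": "Success",
     "LoginTime": "2026-04-03T09:20:00.000+0000", "SourceIp": "198.51.100.7"},
    {"UserId": "005000000000003AAA", "LoginType": "Application", "Status": "Invalid Password",
     "LoginTime": "2026-04-03T10:00:00.000+0000", "SourceIp": "192.0.2.9"},
    {"UserId": "005000000000004AAA", "LoginType": "Remote Access 2.0", "Status": "Success",
     "LoginTime": "2026-04-04T11:00:00.000+0000", "SourceIp": "192.0.2.20"},
]


def find_sso_bypass(records):
    """Map UserId -> list of (LoginTime, SourceIp) for successful direct-credential logins.

    Failed attempts are ignored: they show the login page is reachable, not that the
    user has a working password path around the IdP.
    """
    bypass = defaultdict(list)
    for rec in records:
        if rec["Status"] == "Success" and rec["LoginType"] in DIRECT_LOGIN_TYPES:
            bypass[rec["UserId"]].append((rec["LoginTime"], rec["SourceIp"]))
    return dict(bypass)


def login_type_breakdown(records):
    """Count successful logins per LoginType so that unexpected types stand out."""
    return Counter(r["LoginType"] for r in records if r["Status"] == "Success")


def unclassified_types(records):
    """LoginType values seen in successful logins that are neither SSO nor direct."""
    return sorted(set(login_type_breakdown(records)) - SSO_LOGIN_TYPES - DIRECT_LOGIN_TYPES)


if __name__ == "__main__":
    for user, logins in find_sso_bypass(SAMPLE_LOGIN_HISTORY).items():
        print(f"{user}: {len(logins)} direct login(s), last from {logins[-1][1]}")
    print("unclassified LoginType values:", unclassified_types(SAMPLE_LOGIN_HISTORY))
```

Run it against a real export by replacing SAMPLE_LOGIN_HISTORY with the parsed "records" array. Any LoginType the script reports as unclassified is worth looking up before you decide it is harmless; "Remote Access 2.0" in the sample is an OAuth flow, which belongs to the connected app governance discussion rather than to SSO enforcement.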

2. Password policies

Even with SSO enforced, password policies still apply to accounts that authenticate with Salesforce credentials: break-glass administrators, integration users, and anyone exempted from SSO. Salesforce gives admins granular control over complexity, history, rotation, and lockout.

  • Set a minimum password length and complexity requirements (mixed case, numbers, special characters)
  • Enforce password history so recent passwords cannot be reused
  • Set a maximum password age for accounts that cannot use SSO (current NIST SP 800-63B guidance favors rotating on evidence of compromise rather than on a calendar, so weigh the help-desk cost against the benefit)
  • Limit invalid login attempts and set a lockout period to slow down credential stuffing

To configure: Navigate to Setup → Security → Password Policies. Profiles carry their own Password Policies section, which overrides the org-wide values, so audit those too: a lax profile-level policy on an administrator profile silently defeats the org-wide one.

3. Session timeout settings

Session timeouts end inactive user sessions after a set period, limiting how long a stolen session ID or hijacked browser session stays useful. Two cautions on scope. First, the org-wide Timeout Value applies to user sessions (UI and API); it does not expire the OAuth refresh tokens a connected app holds, which are governed by that app's refresh token policy. Second, the Salesloft/Drift attackers held exactly those long-lived OAuth tokens, so a tight session timeout alone would not have cut them off. It is still worth getting right for the credential-theft and session-hijack cases it does cover.

Configuring session timeouts correctly:

  • Shortens the window in which a stolen session ID can be replayed
  • Reduces the value of session cookies lifted from a browser by infostealer malware
  • Can be tightened per profile (e.g., administrators, API integration users) through the profile's own Session Settings

To configure: Go to Setup → Security → Session Settings. The Timeout Value defaults to 2 hours; keep standard users at or below that and set shorter values on privileged profiles. Enable "Force logout on session timeout" so an expired session cannot be silently resumed, and consider "Lock sessions to the IP address from which they originated" where users come from stable corporate egress addresses (it breaks roaming users whose IP changes mid-session). Review Salesforce session security documentation for additional options.
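Both the password policy (section 2) and the session settings (section 3) live in one piece of metadata, so they can be checked together and kept under version control. The script below is an added example (not code from the original post or from Salesforce) that parses a retrieved SecuritySettings file and reports every value weaker than a baseline. The XML is a constructed excerpt in the layout of settings/Security.settings-meta.xml; the element names and picklist values are those of the SecuritySettings metadata type, while the BASELINE thresholds are assumptions to tune for your own org.

```python
"""Evaluate a retrieved SecuritySettings file against a password/session baseline.

Added example: not code from the original post or from Salesforce. The XML is a
constructed excerpt in the layout of settings/Security.settings-meta.xml as produced by
  sf project retrieve start --metadata SecuritySettings
Element names and picklist values are those of the SecuritySettings metadata type;
the BASELINE thresholds are assumptions to tune for your own org.
"""
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

SAMPLE_SECURITY_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <passwordPolicies>
        <complexity>AlphaNumeric</complexity>
        <expiration>Never</expiration>
        <historyRestriction>1</historyRestriction>
        <lockoutInterval>FifteenMinutes</lockoutInterval>
        <maxLoginAttempts>TenAttempts</maxLoginAttempts>
        <minimumPasswordLength>8</minimumPasswordLength>
    </passwordPolicies>
    <sessionSettings>
        <forceLogoutOnSessionTimeout>false</forceLogoutOnSessionTimeout>
        <lockSessionsToIp>false</lockSessionsToIp>
        <sessionTimeout>TwelveHours</sessionTimeout>
    </sessionSettings>
</SecuritySettings>
"""

# Picklist values ordered weakest -> strongest, so policies compare by rank.
COMPLEXITY_RANK = ["NoRestriction", "AlphaNumeric", "SpecialCharacters",
                   "UpperLowerCaseNumeric", "UpperLowerCaseNumericSpecialCharacters"]
TIMEOUT_MINUTES = {"FifteenMinutes": 15, "ThirtyMinutes": 30, "SixtyMinutes": 60,
                   "TwoHours": 120, "FourHours": 240, "EightHours": 480,
                   "TwelveHours": 720, "TwentyFourHours": 1440}
EXPIRATION_DAYS = {"ThirtyDays": 30, "SixtyDays": 60, "NinetyDays": 90,
                   "SixMonths": 180, "OneYear": 365}   # "Never" deliberately absent

BASELINE = {                       # assumed thresholds, not a Salesforce recommendation
    "minimumPasswordLength": 12,
    "complexity": "UpperLowerCaseNumeric",
    "historyRestriction": 3,
    "expiration_max_days": 90,
    "sessionTimeout_max_minutes": 120,
    "forceLogoutOnSessionTimeout": "true",
}


def _text(parent, tag):
    """Read a child element's text, or None if the element is absent."""
    return parent.findtext(f"md:{tag}", default=None, namespaces=NS)


def evaluate(xml_text, baseline=BASELINE):
    """Return {setting: (actual, required)} for every setting weaker than the baseline."""
    root = ET.fromstring(xml_text)
    pw = root.find("md:passwordPolicies", NS)
    ss = root.find("md:sessionSettings", NS)
    findings = {}

    length = int(_text(pw, "minimumPasswordLength") or 0)
    if length < baseline["minimumPasswordLength"]:
        findings["minimumPasswordLength"] = (length, baseline["minimumPasswordLength"])

    complexity = _text(pw, "complexity") or "NoRestriction"
    rank = COMPLEXITY_RANK.index(complexity) if complexity in COMPLEXITY_RANK else -1
    if rank < COMPLEXITY_RANK.index(baseline["complexity"]):
        findings["complexity"] = (complexity, baseline["complexity"])

    history = int(_text(pw, "historyRestriction") or 0)
    if history < baseline["historyRestriction"]:
        findings["historyRestriction"] = (history, baseline["historyRestriction"])

    expiration = _text(pw, "expiration") or "Never"
    days = EXPIRATION_DAYS.get(expiration)          # None means passwords never expire
    if days is None or days > baseline["expiration_max_days"]:
        findings["expiration"] = (expiration, f"<= {baseline['expiration_max_days']} days")

    timeout = _text(ss, "sessionTimeout") or "TwentyFourHours"
    minutes = TIMEOUT_MINUTES.get(timeout, 1440)    # unknown value: treat as the longest
    if minutes > baseline["sessionTimeout_max_minutes"]:
        findings["sessionTimeout"] = (timeout, f"<= {baseline['sessionTimeout_max_minutes']} minutes")

    force_logout = (_text(ss, "forceLogoutOnSessionTimeout") or "false").lower()
    if force_logout != baseline["forceLogoutOnSessionTimeout"]:
        findings["forceLogoutOnSessionTimeout"] = (force_logout, baseline["forceLogoutOnSessionTimeout"])

    return findings


if __name__ == "__main__":
    for setting, (actual, required) in evaluate(SAMPLE_SECURITY_SETTINGS).items():
        print(f"{setting}: {actual} (baseline: {required})")
```

Point evaluate() at the file your CI job retrieves from the org and fail the job on a non-empty result; that turns the two Setup pages above into a drift check that runs every day instead of an annual review. Note that profile-level password and session overrides are separate metadata (Profile) and are not covered by this file.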

4. Connected app and OAuth governance

OAuth does not bypass authentication: a user signs in once (through SSO and MFA, if enforced) to authorize a connected app. The risk is what that authorization leaves behind. The app holds a refresh token that mints new access tokens without the user ever re-authenticating, so whoever steals the token inherits the user's access with no password and no MFA prompt. That is what happened with Salesloft Drift: tokens lifted from the vendor were replayed against its customers' orgs. Salesforce provides controls to govern which connected apps can be authorized, by whom, from where, and for how long. Use them to:

  • Set Permitted Users to "Admin approved users are pre-authorized" so users cannot self-authorize new integrations, then grant access through profiles or permission sets
  • Enforce the org's login IP ranges on the connected app (IP Relaxation set to "Enforce IP restrictions") so a stolen token is useless from an unexpected network, which is how Okta reported blocking the Drift attackers against its own org
  • Set a refresh token policy that expires tokens after a fixed period or a period of inactivity, rather than leaving them valid until revoked
  • Audit existing OAuth grants, revoke tokens for unused or unrecognized apps, and compare the scopes each app requested with what it actually does

To configure: Navigate to Setup → Apps → Connected Apps → Connected Apps OAuth Usage to review active OAuth grants and revoke them. To change the permitted-users, IP relaxation and refresh token policies for an app, edit its policies under Setup → Apps → Connected Apps → Manage Connected Apps. See Salesforce connected app security documentation.
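The audit step above is easy to put on a schedule. The script below is an added example (not code from the original post or from Salesforce) that reviews connected apps and their OAuth tokens for the three things the Drift incident makes you care about: apps any user can self-authorize, tokens nobody has used in weeks, and grants to apps nobody has reviewed. The records are constructed in the shape of the "records" arrays returned by `sf data query --json`; the OptionsAllowAdminApprovedUsersOnly field name, the APPROVED_APPS allow-list and the 30-day idle threshold are assumptions.

```python
"""Review connected-app OAuth grants: self-authorizable apps, stale tokens, unknown apps.

Added example: not code from the original post or from Salesforce. Records are
constructed in the shape of the "records" arrays returned by
  sf data query --json --query "SELECT Name, OptionsAllowAdminApprovedUsersOnly FROM ConnectedApplication"
  sf data query --json --query "SELECT AppName, UserId, LastUsedDate, UseCount FROM OauthToken"
The OptionsAllowAdminApprovedUsersOnly field name, the APPROVED_APPS allow-list and the
30-day idle threshold are assumptions; confirm field names in your org with
  sf sobject describe --sobject ConnectedApplication
"""
from datetime import datetime, timedelta, timezone

SF_TS = "%Y-%m-%dT%H:%M:%S.%f%z"
SAMPLE_NOW = datetime(2026, 4, 15, tzinfo=timezone.utc)   # constructed review date

# Constructed sample: the apps registered in the org ...
SAMPLE_CONNECTED_APPS = [
    {"Name": "Drift", "OptionsAllowAdminApprovedUsersOnly": False},
    {"Name": "Okta SCIM Provisioning", "OptionsAllowAdminApprovedUsersOnly": True},
    {"Name": "Salesforce for Outlook", "OptionsAllowAdminApprovedUsersOnly": True},
]
# ... and the OAuth tokens currently issued to them.
SAMPLE_OAUTH_TOKENS = [
    {"AppName": "Drift", "UserId": "005000000000010AAA",
     "LastUsedDate": "2025-12-01T07:30:00.000+0000", "UseCount": 4120},
    {"AppName": "Okta SCIM Provisioning", "UserId": "005000000000011AAA",
     "LastUsedDate": "2026-04-10T07:30:00.000+0000", "UseCount": 88},
    {"AppName": "Data Sync Helper", "UserId": "005000000000012AAA",
     "LastUsedDate": "2026-04-09T22:10:00.000+0000", "UseCount": 2},
]
# Integrations the security team has actually reviewed (assumed allow-list).
APPROVED_APPS = {"Drift", "Okta SCIM Provisioning", "Salesforce for Outlook"}


def parse_sf_datetime(value):
    """Parse the ISO-8601 timestamp format Salesforce returns (e.g. 2026-04-10T07:30:00.000+0000)."""
    return datetime.strptime(value, SF_TS)


def apps_without_admin_approval(apps):
    """Connected apps any user can self-authorize (Permitted Users is not admin-approved)."""
    return sorted(a["Name"] for a in apps if not a["OptionsAllowAdminApprovedUsersOnly"])


def stale_tokens(tokens, now, max_idle_days=30):
    """Tokens unused for more than max_idle_days: pure attack surface, revoke them."""
    cutoff = now - timedelta(days=max_idle_days)
    return [t for t in tokens if parse_sf_datetime(t["LastUsedDate"]) < cutoff]


def unrecognized_grants(tokens, approved=APPROVED_APPS):
    """Apps holding tokens that nobody has reviewed, which is how shadow integrations surface."""
    return sorted({t["AppName"] for t in tokens} - approved)


if __name__ == "__main__":
    print("self-authorizable apps:", apps_without_admin_approval(SAMPLE_CONNECTED_APPS))
    for t in stale_tokens(SAMPLE_OAUTH_TOKENS, SAMPLE_NOW):
        print(f"stale token: {t['AppName']} for {t['UserId']} (last used {t['LastUsedDate']})")
    print("unreviewed apps with tokens:", unrecognized_grants(SAMPLE_OAUTH_TOKENS))
```

A token with a high UseCount but a LastUsedDate months in the past, like the Drift entry in the sample, is the profile of an integration that was once busy and has since been replaced without being revoked; that is exactly the kind of token worth pulling before someone else finds a use for it.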

5. Least privilege and permission set management

In mature Salesforce orgs, permissions accumulate as users change roles or leave. Regular audits of profiles and permission sets keep access aligned with what people actually do now.

  • Audit profiles and permission sets so access matches current job responsibilities
  • Remove or downgrade permissions for users who have changed roles, and deactivate users who have left rather than leaving them active with a full set of assignments
  • Treat "View All Data", "Modify All Data", "Author Apex" and "Manage Users" as administrator-only: each one either overrides sharing rules or lets the holder expand their own access
  • Restrict access to sensitive objects (e.g., Cases, Contacts, Reports) to those who need it, and check the org-wide defaults in Sharing Settings so record access is not open by default

To configure: Review Setup → Users → Permission Sets and Setup → Users → Profiles, and use Setup → Users → Permission Set Groups to manage bundled access. Org-wide defaults live under Setup → Security → Sharing Settings. Salesforce's permission sets overview is a useful starting reference.
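Clicking through every profile and permission set does not scale, but the same data is queryable. The script below is an added example (not code from the original post or from Salesforce) that lists every active user holding an org-wide data permission, says where each permission comes from, and then picks out the holders who have not logged in for months. The records are constructed in the shape of the "records" arrays returned by `sf data query --json`; the choice of high-risk permissions and the 90-day dormancy threshold are assumptions.

```python
"""Find who holds org-wide data permissions, and whether those people still use the org.

Added example: not code from the original post or from Salesforce. Records are
constructed in the shape of the "records" arrays returned by
  sf data query --json --query "SELECT Id, Username, IsActive, LastLoginDate FROM User"
  sf data query --json --query "SELECT Id, Label, IsOwnedByProfile, PermissionsModifyAllData,
        PermissionsViewAllData, PermissionsAuthorApex FROM PermissionSet"
  sf data query --json --query "SELECT AssigneeId, PermissionSetId FROM PermissionSetAssignment"
Profile permissions appear here too: each profile is backed by a permission set with
IsOwnedByProfile = true that is assigned to every user on that profile. The choice of
high-risk permissions and the 90-day dormancy threshold are assumptions.
"""
from datetime import datetime, timedelta, timezone

HIGH_RISK_PERMS = ("PermissionsModifyAllData", "PermissionsViewAllData", "PermissionsAuthorApex")
SF_TS = "%Y-%m-%dT%H:%M:%S.%f%z"
SAMPLE_NOW = datetime(2026, 4, 15, tzinfo=timezone.utc)   # constructed review date

# Constructed sample data (Ids shortened for readability).
SAMPLE_USERS = [
    {"Id": "005A", "Username": "admin@example.com", "IsActive": True,
     "LastLoginDate": "2026-04-14T09:00:00.000+0000"},
    {"Id": "005B", "Username": "former.analyst@example.com", "IsActive": True,
     "LastLoginDate": "2025-11-02T09:00:00.000+0000"},
    {"Id": "005C", "Username": "rep@example.com", "IsActive": True,
     "LastLoginDate": "2026-04-13T09:00:00.000+0000"},
    {"Id": "005D", "Username": "integration@example.com", "IsActive": True,
     "LastLoginDate": None},
    {"Id": "005E", "Username": "left.company@example.com", "IsActive": False,
     "LastLoginDate": "2025-06-01T09:00:00.000+0000"},
]
SAMPLE_PERMISSION_SETS = [
    {"Id": "0PSA", "Label": "System Administrator", "IsOwnedByProfile": True,
     "PermissionsModifyAllData": True, "PermissionsViewAllData": True, "PermissionsAuthorApex": True},
    {"Id": "0PSB", "Label": "Standard User", "IsOwnedByProfile": True,
     "PermissionsModifyAllData": False, "PermissionsViewAllData": False, "PermissionsAuthorApex": False},
    {"Id": "0PSC", "Label": "Reporting Power User", "IsOwnedByProfile": False,
     "PermissionsModifyAllData": False, "PermissionsViewAllData": True, "PermissionsAuthorApex": False},
]
SAMPLE_ASSIGNMENTS = [
    {"AssigneeId": "005A", "PermissionSetId": "0PSA"},
    {"AssigneeId": "005B", "PermissionSetId": "0PSB"},
    {"AssigneeId": "005B", "PermissionSetId": "0PSC"},
    {"AssigneeId": "005C", "PermissionSetId": "0PSB"},
    {"AssigneeId": "005D", "PermissionSetId": "0PSA"},
    {"AssigneeId": "005E", "PermissionSetId": "0PSA"},
]


def high_privilege_holders(users, permission_sets, assignments):
    """Map Username -> sorted "Permission via source" strings for active users with high-risk perms.

    Inactive users are skipped: they cannot log in, so their assignments are cleanup, not risk.
    """
    perm_sets = {p["Id"]: p for p in permission_sets}
    active = {u["Id"]: u["Username"] for u in users if u["IsActive"]}
    holders = {}
    for a in assignments:
        ps = perm_sets.get(a["PermissionSetId"])
        username = active.get(a["AssigneeId"])
        if ps is None or username is None:
            continue
        source = ("profile " if ps["IsOwnedByProfile"] else "permission set ") + ps["Label"]
        for perm in HIGH_RISK_PERMS:
            if ps.get(perm):
                holders.setdefault(username, set()).add(f"{perm[len('Permissions'):]} via {source}")
    return {u: sorted(v) for u, v in holders.items()}


def dormant_privileged(users, holders, now, max_idle_days=90):
    """Usernames from holders that have never logged in, or not within max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    last_login = {u["Username"]: u["LastLoginDate"] for u in users}
    dormant = []
    for username in holders:
        ts = last_login.get(username)
        if ts is None or datetime.strptime(ts, SF_TS) < cutoff:
            dormant.append(username)
    return sorted(dormant)


if __name__ == "__main__":
    holders = high_privilege_holders(SAMPLE_USERS, SAMPLE_PERMISSION_SETS, SAMPLE_ASSIGNMENTS)
    for user, perms in holders.items():
        print(user, "->", ", ".join(perms))
    print("dormant privileged users:", dormant_privileged(SAMPLE_USERS, holders, SAMPLE_NOW))
```

The "via" annotation matters in practice: a permission inherited from a profile is removed by changing the profile, while one granted by a permission set is removed by unassigning it, and a user such as the sample's former analyst can hold View All Data through a permission set that nobody remembers assigning. An integration user that has never logged in yet holds System Administrator is the other classic finding, and usually a sign the account was created with more than it needed.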

6. File upload and guest user controls

Permissive file handling and overly broad guest (unauthenticated site) user access are two commonly overlooked risk areas in Salesforce. The Salesloft Drift incident underscored why support data matters: the attackers searched the exfiltrated case data for credentials and access keys that customers had pasted into support cases. Anything a guest user can read or create on a public site is reachable by anyone on the internet.

  • Use the file upload and download security settings to force risky file types (HTML and other types that can carry script) to download rather than execute in the browser, and block HTML uploads as attachments or documents, so an uploaded file cannot run in a Salesforce origin against a logged-in user
  • Turn off file uploads for site guest users unless a specific process needs them, to prevent unauthenticated data staging or phishing content hosted on your domain
  • Review each site's guest user profile and keep its object permissions and guest sharing rules to the minimum the public pages need; guest users should never have Edit or Delete on standard objects

To configure: Navigate to Setup → Security → File Upload and Download Security to set the per-type behavior and the HTML upload restriction. Guest file uploads are governed by "Allow site guest users to upload files" under Setup → Salesforce Files → General Settings. For guest user access, open each site under Setup → Sites (or Digital Experiences → All Sites), then audit the associated guest user profile and guest sharing rules. See Salesforce guidance on securing guest user access.
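Guest profile object permissions are the part of this section that tends to drift silently, because a developer enabling Read on Contact "just for the form" rarely revisits it. The script below is an added example (not code from the original post or from Salesforce) that reads ObjectPermissions rows, keeps only those belonging to guest-license profiles, and flags write access, view/modify-all-records, and Read on objects that should never be public. The rows are constructed in the nested shape `sf data query --json` uses for relationship fields; the license name used to recognise guest profiles and the SENSITIVE_OBJECTS list are assumptions.

```python
"""Flag guest (unauthenticated site) profiles with more object access than a public site needs.

Added example: not code from the original post or from Salesforce. Rows are constructed in
the nested shape sf emits for relationship fields with
  sf data query --json --query "SELECT Parent.Profile.Name, Parent.Profile.UserLicense.Name,
        SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete,
        PermissionsViewAllRecords, PermissionsModifyAllRecords FROM ObjectPermissions"
GUEST_LICENSE and SENSITIVE_OBJECTS are assumptions to adjust for your org.
"""

GUEST_LICENSE = "Guest User License"          # assumption: license name on site guest profiles
SENSITIVE_OBJECTS = {"Case", "Contact", "Account", "Lead", "Opportunity", "User"}
WRITE_PERMS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")
BROAD_PERMS = ("PermissionsViewAllRecords", "PermissionsModifyAllRecords")


def _row(profile, license_name, sobject, **perms):
    """Build one ObjectPermissions record in the nested layout sf emits; False is the default."""
    rec = {"Parent": {"Profile": {"Name": profile, "UserLicense": {"Name": license_name}}},
           "SobjectType": sobject}
    for perm in ("PermissionsRead",) + WRITE_PERMS + BROAD_PERMS:
        rec[perm] = perms.get(perm, False)
    return rec


# Constructed sample: a public support site's guest profile, plus an authenticated
# community profile that a guest-only check must leave alone.
SAMPLE_OBJECT_PERMISSIONS = [
    _row("Support Site Guest", GUEST_LICENSE, "Knowledge__kav", PermissionsRead=True),
    _row("Support Site Guest", GUEST_LICENSE, "Contact", PermissionsRead=True),
    _row("Support Site Guest", GUEST_LICENSE, "Case", PermissionsRead=True, PermissionsCreate=True),
    _row("Customer Community User", "Customer Community", "Case",
         PermissionsRead=True, PermissionsEdit=True),
]


def is_guest_profile(row):
    """True when the permission row belongs to a profile on the guest user license."""
    return row["Parent"]["Profile"]["UserLicense"]["Name"] == GUEST_LICENSE


def guest_profile_exposure(rows, sensitive=SENSITIVE_OBJECTS):
    """Return sorted (profile, object, issue) tuples for guest profiles with risky object access.

    Guests should normally read only content meant to be public, such as knowledge articles.
    Create on Case may be a deliberate web-to-case choice; it is still reported so that the
    decision is explicit rather than accidental.
    """
    findings = set()
    for row in rows:
        if not is_guest_profile(row):
            continue
        profile = row["Parent"]["Profile"]["Name"]
        obj = row["SobjectType"]
        if any(row[p] for p in BROAD_PERMS):
            findings.add((profile, obj, "view/modify all records"))
        granted = [p[len("Permissions"):].lower() for p in WRITE_PERMS if row[p]]
        if granted:
            findings.add((profile, obj, "write access: " + ",".join(granted)))
        if row["PermissionsRead"] and obj in sensitive:
            findings.add((profile, obj, "read on sensitive object"))
    return sorted(findings)


if __name__ == "__main__":
    for profile, obj, issue in guest_profile_exposure(SAMPLE_OBJECT_PERMISSIONS):
        print(f"{profile}: {obj}: {issue}")
```

Object permissions are only the first gate; a guest profile with Read on Case still needs a guest sharing rule before records become visible, so pair this check with a review of the site's guest sharing rules before deciding a finding is a false positive. Read on Contact with any sharing rule is the combination that turns a support site into a public directory.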

How SSPM can help

Salesforce does offer a free native tool, Health Check (Setup → Security → Health Check), that scores your org's settings against Salesforce's baseline recommendations. It's a useful starting point, but it only covers your Salesforce configuration in isolation, and only at the moment you look at it. As your SaaS stack grows, maintaining consistent security across Salesforce and every app connected to it requires a broader, continuous approach.

Nudge Security offers Salesforce security posture management as part of a broader SaaS security and governance solution—and automatically detects common misconfigurations, including:

  • MFA not enforced or users actively bypassing SSO
  • Overly permissive guest user profiles with access to sensitive objects or APIs
  • Session timeout values set too high or left at insecure defaults
  • Unrestricted file uploads or dangerous file types permitted
  • Connected apps with excessive OAuth scopes or no admin approval requirement


Nudge Security gives you ongoing visibility into Salesforce—and every other SaaS app in your stack—so misconfigurations don't have to become breaches. Learn more about Salesforce security with Nudge.
