Health Check Has New and Changed Security Settings

The Health Check page now has four risk categories and new names for risk statuses, so it’s easier to use. We also added, deleted, and changed some security settings.
Available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

The four security settings categories are High-Risk, Medium-Risk, Low-Risk, and Informational. The Informational settings aren’t factored into the Health Check score, but the others are. Regardless of category, each setting has a status of either compliant, warning, or critical, based on your current setting values.

The following high-risk security settings have been added:
  • Require Secure Connections
  • Require HttpOnly attribute

The following settings have been removed:
  • Disable Session Timeout Warning Popup
  • Lock Session to IP address from which they originated
  • Enable Caching and autocomplete on login pages
  • Trusted IP Ranges

The Lockout Effective Period setting has changed. The Salesforce standard baseline recommended compliant value is now 30 minutes or greater. A value less than 30 minutes shows as a warning.