Best Practice Description | Severity | Impact Area |
---|---|---|
Ratio of Custom Objects to Standard Objects - High | High (if ratio is over 30%) | Manageability |
Ratio of Custom Objects to Standard Objects - Medium | Medium (if ratio is between 20% and 30%) | Manageability |
Ratio of Custom Objects to Standard Objects - Low | Low (if ratio is between 10% and 20%) | Manageability |
Too many Apex classes (over 50; does not include test classes or downloaded apps) | Medium | Manageability |
Too many Roles (over 20) | Medium | Manageability |
Too many branches on the Role Hierarchy | Medium | Manageability |
Too many custom Reports over used objects | Medium | Manageability |
Too many Dashboards over used objects | Medium | Manageability |
Too many Profiles and Permission Sets | Medium | Manageability |
More than one Apex Trigger per object (avoid this; use one trigger per object) | Medium | Manageability |
Too many Reports and Dashboards without a folder assigned | Medium | Manageability |
The percentage of asynchronous classes is too high | Low | Manageability |
The instance has more than 5,000 lines of Apex code | Warning | Manageability |
Coverage of unit tests is less than 75% | Warning | Manageability |
Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is disabled | Medium | Security |
Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is disabled | Medium | Security |
Clickjack protection for non-setup Salesforce pages is disabled | Medium | Security |
Clickjack protection for customer Visualforce pages with standard headers turned on is disabled | Medium | Security |
Clickjack protection for customer Visualforce pages with standard headers turned off is disabled | Medium | Security |
Clickjack protection for setup pages is disabled | Medium | Security |
The browser is not prevented from inferring the MIME type from the document content and executing malicious files | Medium | Security |
Cross-domain session information is exchanged using a GET request instead of a POST request | Medium | Security |
Protection against reflected cross-site scripting (XSS) attacks is disabled | Medium | Security |
The IP addresses in Login IP Ranges are enforced only when a user logs in, not on every request | Medium | Security |
There is no session timeout for inactive users | Medium | Security |
Visualforce, Salesforce Sites, or Communities are not required to use HTTPS | Medium | Security |
Unauthorized use of session ID is not prevented | Medium | Security |
HTTPS is not required to log in to or access Salesforce | Medium | Security |
Inactivity timeout warning is disabled | Warning | Security |
Session Policy: Content Security Policy is not enabled | Medium | Security |
Password policy complexity too weak - No restrictions | High | Security |
Password policy complexity too weak - Alphanumeric restriction only | High | Security |
Password policy expiration too weak - Never | Medium | Security |
Password policy expiration too weak - Six months | Medium | Security |
Password policy expiration too weak - One year | Medium | Security |
Password policy: password repetition (history) restriction is too weak | Medium | Security |
Password policy: maximum login attempts limit is too wide | Medium | Security |
Password policy: minimum password length is too weak | High | Security |
Password policy: secret answer is not obfuscated | Medium | Security |
Password policy: password hint may contain the password | Medium | Security |
Avoid using the Attachments object | Medium | Manageability |
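The security rows above map onto the session settings and password policies that are retrievable from an org as Metadata API `SecuritySettings`. The following script, an added example and not code from the page or from any Salesforce tool, parses such a settings document and reports the table's findings with their severities. It assumes the element names of the `SecuritySettings` type as retrieved into `settings/Security.settings-meta.xml` (verify them against your own retrieved file), covers only the rows whose mapping is unambiguous (the session timeout, CSP and session-ID rows are left out), and assumes a minimum password length of 8 as the "too weak" threshold, which the table itself does not state. The settings document is constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"

# Constructed sample of a weakly configured org (not a real org's settings).
SAMPLE_SETTINGS = """
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
  <passwordPolicies>
    <complexity>AlphaNumeric</complexity>
    <expiration>Never</expiration>
    <historyRestriction>0</historyRestriction>
    <maxLoginAttempts>NoLimit</maxLoginAttempts>
    <minimumPasswordLength>5</minimumPasswordLength>
    <obscureSecretAnswer>false</obscureSecretAnswer>
    <questionRestriction>None</questionRestriction>
  </passwordPolicies>
  <sessionSettings>
    <enableCSRFOnGet>false</enableCSRFOnGet>
    <enableCSRFOnPost>true</enableCSRFOnPost>
    <enableClickjackNonsetupSFDC>true</enableClickjackNonsetupSFDC>
    <enableClickjackNonsetupUser>false</enableClickjackNonsetupUser>
    <enableClickjackNonsetupUserHeaderless>false</enableClickjackNonsetupUserHeaderless>
    <enableClickjackSetup>true</enableClickjackSetup>
    <enableContentSniffingProtection>false</enableContentSniffingProtection>
    <enablePostForSessions>false</enablePostForSessions>
    <enableXssProtection>true</enableXssProtection>
    <enforceIpRangesEveryRequest>false</enforceIpRangesEveryRequest>
    <requireHttps>false</requireHttps>
  </sessionSettings>
</SecuritySettings>
"""

# Session flags the table expects to be enabled (element names assumed from the
# Metadata API SecuritySettings type). Each row fires when the flag is not "true".
SESSION_FLAGS = {
    "enableCSRFOnGet": "CSRF protection on GET requests on non-setup pages is disabled",
    "enableCSRFOnPost": "CSRF protection on POST requests on non-setup pages is disabled",
    "enableClickjackNonsetupSFDC": "Clickjack protection for non-setup Salesforce pages is disabled",
    "enableClickjackNonsetupUser": "Clickjack protection for Visualforce pages with standard headers is disabled",
    "enableClickjackNonsetupUserHeaderless": "Clickjack protection for Visualforce pages without standard headers is disabled",
    "enableClickjackSetup": "Clickjack protection for setup pages is disabled",
    "enableContentSniffingProtection": "Browser MIME-type sniffing is not prevented",
    "enablePostForSessions": "Cross-domain session information is exchanged with GET instead of POST",
    "enableXssProtection": "Protection against reflected XSS is disabled",
    "enforceIpRangesEveryRequest": "Login IP Ranges are enforced only at login",
    "requireHttps": "HTTPS is not required to log in to or access Salesforce",
}

WEAK_COMPLEXITY = {"NoRestriction", "AlphaNumeric"}   # High in the table
WEAK_EXPIRATION = {"Never", "SixMonths", "OneYear"}   # Medium in the table
MIN_LENGTH = 8  # assumed threshold; the table states none


def _text(parent, tag, default=""):
    """Text of a namespaced child element, or `default` when absent/empty."""
    node = parent.find(NS + tag) if parent is not None else None
    return node.text.strip() if node is not None and node.text else default


def evaluate(xml_text):
    """Return a list of (severity, finding) tuples for one SecuritySettings document."""
    root = ET.fromstring(xml_text)
    session = root.find(NS + "sessionSettings")
    pw = root.find(NS + "passwordPolicies")
    findings = []

    for flag, message in SESSION_FLAGS.items():
        # A missing element is reported as unknown rather than as a finding: the
        # retrieved file may simply not include that setting.
        value = _text(session, flag, default=None)
        if value is None:
            findings.append(("Unknown", f"{flag} not present in retrieved settings"))
        elif value.lower() != "true":
            findings.append(("Medium", message))

    complexity = _text(pw, "complexity")
    if complexity in WEAK_COMPLEXITY:
        findings.append(("High", f"Password complexity too weak ({complexity})"))
    expiration = _text(pw, "expiration")
    if expiration in WEAK_EXPIRATION:
        findings.append(("Medium", f"Password expiration too weak ({expiration})"))
    if _text(pw, "historyRestriction", "0") == "0":
        findings.append(("Medium", "Password repetition is not restricted"))
    if _text(pw, "maxLoginAttempts") == "NoLimit":
        findings.append(("Medium", "Max login attempts has no limit"))
    length = int(_text(pw, "minimumPasswordLength", "0"))
    if length < MIN_LENGTH:
        findings.append(("High", f"Minimum password length {length} is below {MIN_LENGTH}"))
    if _text(pw, "obscureSecretAnswer").lower() != "true":
        findings.append(("Medium", "Secret answer is not obfuscated"))
    if _text(pw, "questionRestriction") != "DoesNotContainPassword":
        findings.append(("Medium", "Password hint is allowed to contain the password"))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'Medium': 12, 'High': 2}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate(SAMPLE_SETTINGS)
    for severity, message in results:
        print(f"[{severity}] {message}")
    print(severity_counts(results))
```

Point `evaluate()` at the contents of a retrieved `Security.settings-meta.xml` to run it against a real org; flags that are absent from the file are reported as "Unknown" so a partial retrieve is not mistaken for a clean result.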