Org Configuration rules

The following table shows the list of Salesforce Org Config rules that are checked by Quality Clouds.

| Best Practice Description | Severity | Impact Area |
| --- | --- | --- |
| Ratio of Custom Objects to Standard Objects - High | High (if ratio is over 30%) | Manageability |
| Ratio of Custom Objects to Standard Objects - Medium | Medium (if ratio is between 20% and 30%) | Manageability |
| Ratio of Custom Objects to Standard Objects - Low | Low (if ratio is between 10% and 20%) | Manageability |
| Too many Apex Classes (Over 50 - Does not include Test Classes or Downloaded Apps) | Medium | Manageability |
| Too many Roles (over 20) | Medium | Manageability |
| Too many branches on Role Hierarchy | Medium | Manageability |
| Too many Custom Reports over used objects | Medium | Manageability |
| Too many Dashboards over used objects | Medium | Manageability |
| Too many Profiles and Permission Sets | Medium | Manageability |
| Avoid having more than one Apex Trigger per Object | Medium | Manageability |
| Too many Reports and Dashboards without folder assigned | Medium | Manageability |
| The percentage of asynchronous classes is too high | Low | Manageability |
| The instance has more than 5,000 lines of Apex code | Warning | Manageability |
| Coverage of Unit Tests is less than 75% | Warning | Manageability |
| Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is disabled | Medium | Security |
| Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is disabled | Medium | Security |
| Clickjack protection for non-setup Salesforce pages is disabled | Medium | Security |
| Clickjack protection for customer Visualforce pages with standard headers turned on is disabled | Medium | Security |
| Clickjack protection for customer Visualforce pages with standard headers turned off is disabled | Medium | Security |
| Clickjack protection for setup pages is disabled | Medium | Security |
| The browser is not prevented from inferring the MIME type from the document content and from executing malicious files | Medium | Security |
| Cross-domain session information is exchanged using a GET request instead of a POST request | Medium | Security |
| Protection against reflected cross-site scripting attacks is disabled | Medium | Security |
| The IP addresses in Login IP Ranges are enforced only when a user logs in | Medium | Security |
| There is no session timeout for inactive users | Medium | Security |
| Visualforce, Salesforce sites, or Communities must use HTTPS | Medium | Security |
| Prevent unauthorised use of session ID | Medium | Security |
| HTTPS is not required to log in to or access Salesforce | Medium | Security |
| Inactivity Time Warning | Warning | Security |
| Session Policy - Enable Content Security Policy | Medium | Security |
| Password policy complexity too weak - No restrictions | High | Security |
| Password policy complexity too weak - Alphanumeric restriction only | High | Security |
| Password Policy Expiration too weak - Never | Medium | Security |
| Password Policy Expiration too weak - Six months | Medium | Security |
| Password Policy Expiration too weak - One year | Medium | Security |
| Password Policy Repetition is too weak | Medium | Security |
| Password Policy Max Login Attempts too wide | Medium | Security |
| Password Policy Minimum Password Length too weak | High | Security |
| Password Policy: Obfuscate the Secret Answer | Medium | Security |
| Password Policy Password Hint contains password | Medium | Security |
| Avoid using the Attachments Object | Medium | Manageability |