Org Configuration and Customisation Best Practices

This page documents the impact and remediation activities which should be undertaken whenever Quality Clouds reports an issue related to Org Configuration and Customisation Best Practices.

| Best Practice Description | Severity | Impact Area | Impact | Remediation |
|---|---|---|---|---|
| Ratio of Custom Objects to Standard Objects | HIGH (if ratio is over 30%); MEDIUM (if ratio is between 20% and 30%); LOW (if ratio is between 10% and 20%) | MANAGEABILITY | An excessive ratio of custom to standard objects indicates that the out-of-the-box processes defined by Salesforce are not being followed. | Try to revert to out-of-the-box standard processes. |
| Too many Apex Classes (over 50; does not include Test Classes or Downloaded Apps) | MEDIUM | MANAGEABILITY | A high number of APEX classes indicates that the instance may be over-customised and fails to leverage the out-of-the-box functionality included in Salesforce. | Analyse the need for code customisations, and revert to out-of-the-box functionality whenever possible. |
| Too many Roles (over 20) | MEDIUM | MANAGEABILITY | A complex Role Hierarchy can have an adverse impact on Org manageability. | Simplify your role hierarchy. |
| Too many branches on Role Hierarchy | MEDIUM | MANAGEABILITY | A complex Role Hierarchy can have an adverse impact on Org manageability. | Simplify your role hierarchy. |
| Too many Custom Reports over used objects | MEDIUM | MANAGEABILITY | A large number of reports can have an adverse impact on Org manageability. Further, it can make it hard to provide a consistent view of the enterprise data. | Reduce the number of reports, increasing the parametrisation of existing ones. |
| Too many Dashboards over used objects | MEDIUM | MANAGEABILITY | A large number of dashboards can have an adverse impact on Org manageability. Further, it can make it hard to provide a consistent view of the enterprise data. | Reduce the number of dashboards, increasing the parametrisation of existing ones. |
| Too many Profiles and Permission Sets | MEDIUM | MANAGEABILITY | A high number of Profiles and Permission Sets can have an adverse impact on Org manageability. | Reduce the number of Profiles and Permission Sets. |
| Too many Apex Triggers per Object used | MEDIUM | MANAGEABILITY | Having more than one Trigger associated with an Object makes it hard to keep track of the cascading effects of data modification on the Object. | Keep the number of Triggers per Object to a maximum of one. |
| Too many Reports and Dashboards without a folder assigned | MEDIUM | MANAGEABILITY | Many Reports and Dashboards stored in the default root folder can have an adverse impact on Org manageability. | Use a folder structure to store Reports and Dashboards. |
| The percentage of asynchronous classes is too high | LOW | MANAGEABILITY | The APEX asynchronous APIs should be used whenever appropriate, but only in those cases. | Reduce the number of APEX classes using asynchronous APIs. |
| The instance has more than 5,000 lines of APEX code | WARNING | MANAGEABILITY | A high number of lines of code in APEX classes indicates that the instance may be over-customised and fails to leverage the out-of-the-box functionality included in Salesforce. | Analyse the need for code customisations, and revert to out-of-the-box functionality whenever possible. |
| Coverage of Unit Tests is less than 75% | WARNING | MANAGEABILITY | Code cannot be deployed to Production Orgs unless its percentage of Unit Test coverage is over 75%. | Increase the percentage of Unit Test coverage. Use the Code Duplication dashboard to detect repeated code blocks, which may indicate that code has been introduced to artificially increase unit test coverage percentages. |
| Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is disabled | MEDIUM | SECURITY | Increased vulnerability to Cross-Site Request Forgery (CSRF) attacks. | Enable this setting as described in this Salesforce knowledge base article. |
| Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is disabled | MEDIUM | SECURITY | Increased vulnerability to Cross-Site Request Forgery (CSRF) attacks. | Enable this setting as described in this Salesforce knowledge base article. |
| Clickjack protection for non-setup Salesforce pages is disabled | MEDIUM | SECURITY | Increased vulnerability to clickjack attacks. | Enable this setting as described in this Salesforce documentation page. |
| Clickjack protection for customer Visualforce pages with standard headers turned on is disabled | MEDIUM | SECURITY | Increased vulnerability to clickjack attacks. | Enable this setting as described in this Salesforce documentation page. |
| Clickjack protection for customer Visualforce pages with standard headers turned off is disabled | MEDIUM | SECURITY | Increased vulnerability to clickjack attacks. | Enable this setting as described in this Salesforce documentation page. |
| Clickjack protection for setup pages is disabled | MEDIUM | SECURITY | Increased vulnerability to clickjack attacks. | Enable this setting as described in this Salesforce documentation page. |
| The browser is not prevented from inferring the MIME type from the document content and from executing malicious files | MEDIUM | SECURITY | Increased vulnerability to code injection attacks through JavaScript or stylesheet code. | Enable this setting. From Setup, enter "Session Settings" in the Quick Find box, then select Session Settings. Then enable "Content Sniffing protection". |
| Cross-domain session information is exchanged using a GET request instead of a POST request | MEDIUM | SECURITY | Session data is exposed when making cross-domain requests with GET requests. This is not the case with POST requests. | Configure your Org to use POST requests when making cross-domain calls, as described in this Salesforce documentation page. |
| Protection against reflected cross-site scripting attacks is disabled | MEDIUM | SECURITY | Increased vulnerability to cross-site scripting attacks. | Enable this setting. From Setup, enter "Session Settings" in the Quick Find box, then select Session Settings. Then enable "XSS protection". |
| The IP addresses in Login IP Ranges are enforced only when a user logs in | MEDIUM | SECURITY | If this setting is disabled, the IP range filter is only enforced for the login operation. Apps included in the Org and accessed after login may make requests from IPs outside the allowed ranges. | Enable this setting. From Setup, enter "Session Settings" in the Quick Find box, then select Session Settings. Then enable "Enforce login IP ranges on every request". |
| There is no session timeout for inactive users | MEDIUM | SECURITY | Increased vulnerability to session hijacking attacks. | Set a timeout value. From Setup, enter "Session Settings" in the Quick Find box, then select Session Settings. Then set "Timeout Value". |
| Visualforce, Salesforce Sites, or Communities must use HTTPS | MEDIUM | SECURITY | Use of the unencrypted HTTP protocol can expose confidential data. | Enable this setting. From Setup, enter "Session Settings" in the Quick Find box, then select Session Settings. Then enable "Require secure connections (HTTPS)". |
| Prevent unauthorised use of the session ID | MEDIUM | SECURITY | Allowing code to access the Session ID cookie increases the vulnerability to session hijacking attacks. | Enable this setting. From Setup, enter "Session Settings" in the Quick Find box, then select Session Settings. Then enable "Require HttpOnly attribute". |
| HTTPS is not required to log in to or access Salesforce | MEDIUM | SECURITY | Use of the unencrypted HTTP protocol can expose confidential data. | Switch to using the HTTPS protocol. |
| Inactivity Time Warning | WARNING | SECURITY | Having this value set to a time over 30 minutes can expose you to session hijacking attacks. | Set this to 30 minutes or less. |
| Session Policy - Enable Content Security Policy | MEDIUM | SECURITY | Increased vulnerability to Cross-Site Request Forgery (CSRF) attacks. | Enable this setting. From Setup, enter "Session Settings" in the Quick Find box, then select Session Settings. Then enable "Enable Stricter Content Security Policy". |
| There are free entry Custom Fields with no data restriction | MEDIUM | MANAGEABILITY | Free entry fields with no data restriction or validations are likely to result in low quality data being stored in the Org. | Add validation rules to free entry fields. |
| Convert Attachments to Files | MEDIUM | MANAGEABILITY | The Attachments object is no longer supported and will soon be replaced with Salesforce Files. | Convert Attachments to Files. |
| Password Policy Complexity is too weak | HIGH | SECURITY | Potential vulnerability when accessing accounts. | Modify the password complexity settings to require special characters, a mixture of upper and lower case, and numeric characters. |
| Password Policy Expiration is too weak | MEDIUM | SECURITY | Potential vulnerability when accessing accounts. | Modify the password expiration time to ninety days or less. |
| Password Policy Repetition is too weak | MEDIUM | SECURITY | Potential vulnerability when accessing accounts. | Modify the number of previous passwords saved for users to 3 or more. |
| Password Policy Max Login Attempts too wide | MEDIUM | SECURITY | Potential vulnerability when accessing accounts. | Limit the number of login failures allowed for a user before the user is locked out. |
| Password Policy Minimum Password Length too weak | HIGH | SECURITY | Potential vulnerability when accessing accounts. | Set the minimum number of characters required for a password to 8 or more. |
| Password Policy: Obfuscate the Secret Answer | MEDIUM | SECURITY | Potential vulnerability when accessing accounts. | Enable this setting; it hides the secret answer associated with a password. |
| Password Policy Password Hint contains password | MEDIUM | SECURITY | Potential vulnerability when accessing accounts. | Restrict the answer to the password hint question to "DoesNotContainPassword". |
| The trusted IP range is too wide | WARNING | SECURITY | Having an allowed IP range which is too broad makes this security technique ineffective. | Use restrictive IP ranges to enforce meaningful restrictions. |
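The session-setting and password-policy rows above can be checked automatically against an Org's exported SecuritySettings metadata instead of clicking through Setup. The Python checker below is an added example, not Quality Clouds code: the element names and enum values (for example `enableCSRFOnGet`, `requireHttpOnly`, `UpperLowerCaseNumericSpecialCharacters`) are assumptions modelled on the Salesforce SecuritySettings metadata type, and the XML is a constructed sample chosen so that several rows fire.

```python
import xml.etree.ElementTree as ET

# Constructed sample SecuritySettings metadata (not from any real Org). Element names and
# enum values are assumptions modelled on the Salesforce SecuritySettings metadata type.
SAMPLE_SETTINGS = """<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
  <passwordPolicies>
    <complexity>NoRestriction</complexity>
    <expiration>OneYear</expiration>
    <historyRestriction>1</historyRestriction>
    <maxLoginAttempts>NoLimit</maxLoginAttempts>
    <minimumPasswordLength>10</minimumPasswordLength>
    <obscureSecretAnswer>false</obscureSecretAnswer>
    <questionRestriction>None</questionRestriction>
  </passwordPolicies>
  <sessionSettings>
    <enableCSRFOnGet>false</enableCSRFOnGet>
    <enableContentSniffingProtection>true</enableContentSniffingProtection>
    <enforceIpRangesEveryRequest>false</enforceIpRangesEveryRequest>
    <requireHttpOnly>false</requireHttpOnly>
  </sessionSettings>
</SecuritySettings>"""

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# One rule per table row: (element path under the root, pass predicate, severity, finding text)
RULES = [
    ("sessionSettings/enableCSRFOnGet", lambda v: v == "true", "MEDIUM", "CSRF protection on GET requests disabled"),
    ("sessionSettings/enableContentSniffingProtection", lambda v: v == "true", "MEDIUM", "content sniffing protection disabled"),
    ("sessionSettings/enforceIpRangesEveryRequest", lambda v: v == "true", "MEDIUM", "login IP ranges enforced only at login"),
    ("sessionSettings/requireHttpOnly", lambda v: v == "true", "MEDIUM", "session ID cookie lacks HttpOnly"),
    ("passwordPolicies/complexity", lambda v: v == "UpperLowerCaseNumericSpecialCharacters", "HIGH", "password complexity too weak"),
    ("passwordPolicies/expiration", lambda v: v in {"ThirtyDays", "SixtyDays", "NinetyDays"}, "MEDIUM", "password expiration over ninety days"),
    ("passwordPolicies/historyRestriction", lambda v: v.isdigit() and int(v) >= 3, "MEDIUM", "fewer than 3 previous passwords remembered"),
    ("passwordPolicies/maxLoginAttempts", lambda v: v not in ("", "NoLimit"), "MEDIUM", "no lockout after failed logins"),
    ("passwordPolicies/minimumPasswordLength", lambda v: v.isdigit() and int(v) >= 8, "HIGH", "minimum password length under 8"),
    ("passwordPolicies/obscureSecretAnswer", lambda v: v == "true", "MEDIUM", "secret answer not obfuscated"),
    ("passwordPolicies/questionRestriction", lambda v: v == "DoesNotContainPassword", "MEDIUM", "password hint may contain the password"),
]

def audit(settings_xml):
    """Return (severity, finding, observed value) for every rule the settings fail."""
    root = ET.fromstring(settings_xml)
    findings = []
    for path, passes, severity, text in RULES:
        # A missing element is treated as a failure: the protection is not proven to be on.
        node = root.find("/".join("m:" + part for part in path.split("/")), NS)
        value = (node.text or "").strip() if node is not None else ""
        if not passes(value):
            findings.append((severity, text, value))
    return findings
```

Running `audit(SAMPLE_SETTINGS)` on the constructed sample reports nine findings (one HIGH for complexity); the content sniffing and minimum length rules pass because those two values were set to the remediated state.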