The IP addresses in Login IP Ranges are enforced only when a user logs in
Impact area
Security
Severity
Medium
Affected element
Org Config
Rule ID
SF-0166
Impact
If this setting is disabled, the IP range filter is only enforced for the login operation. Apps included in the Org and accessed after login may make requests from IPs outside the allowed ranges.
Remediation
Enable this setting. From Setup, enter "Session Settings" in the Quick Find box, then select Session Settings. Then enable "Enforce login IP ranges on every request".
Time to fix
30 min
References
This rule is linked to Common Weakness Enumeration CWE-284 Improper Access Control.