Salesforce Security Guide
Summer '26 (API version 67.0)
Spring '26 (API version 66.0)
Winter '26 (API version 65.0)
Summer '25 (API version 64.0)
Spring '25 (API version 63.0)
Winter '25 (API version 62.0)
Summer '24 (API version 61.0)
Spring '24 (API version 60.0)
Winter '24 (API version 59.0)
Summer '23 (API version 58.0)
Spring '23 (API version 57.0)
Winter '23 (API version 56.0)
Summer '22 (API version 55.0)
Spring '22 (API version 54.0)
Winter '22 (API version 53.0)
Summer '21 (API version 52.0)
Spring '21 (API version 51.0)
Winter '21 (API version 50.0)
Summer '20 (API version 49.0)
Spring '20 (API version 48.0)
Winter '20 (API version 47.0)
Summer '19 (API version 46.0)
Spring '19 (API version 45.0)
Winter '19 (API version 44.0)
Summer '18 (API version 43.0)
Spring '18 (API version 42.0)
Winter '18 (API version 41.0)
Summer '17 (API version 40.0)
Spring '17 (API version 39.0)
Winter '17 (API version 38.0)
Summer '16 (API version 37.0)
Spring '16 (API version 36.0)
Winter '16 (API version 35.0)
Summer '15 (API version 34.0)
Spring '15 (API version 33.0)
Winter '15 (API version 32.0)
Spring '14 (API version 30.0)
Set Password Policies
Expire Passwords for All Users
Modify Session Security Settings
Create a Login Flow
Connect a Login Flow to a Profile
Security Tips for Apex and Visualforce Development
Newer Version Available
Configure User Authentication
Choose login settings to ensure that your users are who they say they are.
-
Restrict Where and When Users Can Log In To Salesforce
You can restrict the hours during which users can log in and the range of IP addresses they can log in and access Salesforce from. If IP address restrictions are defined for a user’s profile and a login originates from an unknown IP address, Salesforce does not allow the login. These restrictions help protect your data from unauthorized access and phishing attacks. -
Set Password Policies
Improve your Salesforce org security with password protection. You can set password history, length, and complexity requirements along with other values. In addition, you can specify what to do if a user forgets their password. -
Expire Passwords for All Users
As an administrator, you can expire passwords for all users any time you want to enforce extra security for your organization. After expiring passwords, all users are prompted to reset their password the next time they log in. -
Modify Session Security Settings
You can modify session security settings to specify connection type, timeout settings, and more. -
Create a Login Flow
Use the Cloud Flow Designer to build a login flow process, then associate the finished flow with a profile. -
Connect a Login Flow to a Profile
After you create a login flow in Flow Designer and activate the flow, you associate it with a profile in your organization. Users with that profile are then directed to the login flow. -
Set Up Two-Factor Authentication
Admins enable two-factor authentication through permissions or profile settings. Users add the mobile authenticator app through their own personal settings.