
Health Check

§ 01

Definition

Health Check is a Setup tool that evaluates the security configuration of the Salesforce org against Salesforce's recommended baseline standards. It assigns a score from 0 to 100 and identifies specific settings that are below recommendations, such as password policies, session settings, and login requirements.

§ 02

In plain English

Here's a simple way to think about it: Health Check turns "is our org secure?" from opinion into a score. Salesforce evaluates dozens of security settings against a baseline and returns a number you can act on - a 70 means specific things, and the page tells you exactly what to change.

§ 03

Worked example

scenario · real-world use

The admin at Granite Financial runs Health Check and receives a score of 72 out of 100. The tool flags that the minimum password length is only 8 characters (recommendation: 12), session timeout is set to 12 hours (recommendation: 2 hours), and clickjack protection is disabled. She updates each setting and reruns Health Check, achieving a score of 95.

§ 04

Why Health Check turns "is our org secure?" from opinion into a score

"Is our org secure?" is impossible to answer in the abstract. Health Check is Salesforce's attempt to make it answerable in the concrete. The tool evaluates dozens of security-relevant settings - password policies, session timeouts, login IP ranges, certificate expirations - against Salesforce's recommended baseline (or a custom baseline you define) and produces a single score with line-item findings. A 70 means specific things; the page tells you exactly what to change to reach 80.

The reason it's most useful as a recurring discipline rather than a one-time check is that the underlying settings drift. Someone widens an IP range for a vendor and forgets to narrow it back; password policy is reset during a sandbox refresh; a certificate ages closer to expiration. Run Health Check monthly, share the score with the security stakeholder, and treat declines as small fires worth investigating rather than waiting for the score to drop dramatically.
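The monthly comparison described above, as an added example that is not part of the original entry or any Salesforce tooling: it diffs two saved snapshots and lists the settings that regressed, highest risk first, plus values that moved without yet failing the baseline. The record fields, risk assignments, and every sample value are constructed assumptions, not a Salesforce export format.

```python
# Added example. Record fields and all sample values are constructed for
# illustration; they are not a Salesforce export format.
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

def finding(setting, risk, org, baseline, meets):
    """One evaluated setting: the org's value, the baseline value, and the verdict."""
    return {"setting": setting, "risk": risk, "org": org,
            "baseline": baseline, "meets": meets}

LAST_MONTH = {"score": 95, "findings": [
    finding("Login IP ranges", "Medium", "203.0.113.0/28", "Restricted", True),
    finding("Minimum password length", "High", "12", "12", True),
    finding("Session timeout", "High", "2 hours", "2 hours", True),
    finding("Certificate expiration", "Low", "120 days left", "Not expiring soon", True),
]}
THIS_MONTH = {"score": 88, "findings": [
    finding("Login IP ranges", "Medium", "203.0.113.0/24", "Restricted", False),  # widened for a vendor
    finding("Minimum password length", "High", "8", "12", False),  # reset in a sandbox refresh
    finding("Session timeout", "High", "2 hours", "2 hours", True),
    finding("Certificate expiration", "Low", "90 days left", "Not expiring soon", True),
]}

def detect_drift(previous, current):
    """Compare two snapshots; return the score change, regressions, and quiet value changes."""
    before = {f["setting"]: f for f in previous["findings"]}
    regressions, changed = [], []
    for f in current["findings"]:
        old = before.get(f["setting"])
        if old is None:
            continue  # newly evaluated setting: no history to compare against
        if old["meets"] and not f["meets"]:
            regressions.append({**f, "was": old["org"]})  # crossed below the baseline
        elif old["org"] != f["org"]:
            changed.append({**f, "was": old["org"]})      # moved, verdict unchanged
    regressions.sort(key=lambda f: RISK_ORDER[f["risk"]])  # High Risk first
    return {"score_delta": current["score"] - previous["score"],
            "regressions": regressions, "changed": changed}

if __name__ == "__main__":
    report = detect_drift(LAST_MONTH, THIS_MONTH)
    print(f"Score change: {report['score_delta']:+d}")
    for f in report["regressions"]:
        print(f"REGRESSED [{f['risk']}] {f['setting']}: {f['was']} -> {f['org']} "
              f"(baseline {f['baseline']})")
    for f in report["changed"]:
        print(f"changed   [{f['risk']}] {f['setting']}: {f['was']} -> {f['org']}")
```

Reporting per-setting regressions alongside the score is what makes a small decline actionable: the list names the setting to fix and the value it held last month.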

§ 05

How to set up Health Check

Health Check is Salesforce's built-in security audit dashboard — it scores your org against the Salesforce Baseline Standard (or a custom baseline you upload) and flags settings that fall short. You don't "set up" Health Check; you run it, then fix the actual underlying settings it flags.

  1. Open Setup → Health Check

    Setup gear → Quick Find: Health Check → Health Check.

  2. Review the score against the Salesforce Baseline Standard

    Score is 0-100. Anything under 80 means meaningful gaps. The dashboard groups findings by High / Medium / Low / Informational risk.

  3. Drill into a finding to see the gap

    Each finding shows your current value vs the baseline value. The Edit button takes you straight to the Setup page that controls it.

  4. Adjust the underlying setting

    Health Check is read-only — you fix Session Settings, Password Policies, Sharing Settings, etc. on their own pages, then Health Check picks up the new value.

  5. (Optional) Upload a Custom Baseline

    Setup → Health Check → Custom Baselines tab → Upload XML. Lets you define your own thresholds when industry compliance differs from Salesforce defaults.

  6. Re-run Health Check

    Live dashboard — values update on next page load. Good practice to run it monthly or after major Setup changes.

Key options
Salesforce Baseline Standard

The default baseline. Reflects Salesforce's current security recommendations.

Custom Baseline (XML)

Upload your own thresholds. Useful for FedRAMP, HIPAA, or other compliance regimes.

Risk Categories

High Risk findings should be addressed first; Medium should be planned; Low and Informational are best-effort.

Gotchas
  • Health Check is read-only. The Edit button on each finding takes you to the underlying Setup page — fix the actual setting there, not in Health Check.
  • Custom Baselines override the Salesforce Baseline Standard for the categories you define. Findings outside your custom baseline still use Salesforce defaults — this is intentional.
  • Score moves slowly. Fixing one High Risk finding can move you from 65 to 78. Don't expect linear progress — some findings are weighted heavily.
§ 06

How organizations use Health Check

Pacific Crest Bank

Monthly Health Check became the security team's lead indicator; sustained score declines surface architectural drift before it becomes incidents.

BlueRiver Health

Compliance team uses Health Check as audit evidence; the score and findings are reproducible and dated.

Atlas Manufacturing

Quarterly Health Check baseline reviews caught a vendor's IP-range request that had widened login access; the team narrowed it back.

§

Test your knowledge

Q1. Why is understanding Health Check important for Salesforce admins?

Q2. In which area of Salesforce would you typically find Health Check?

Q3. What is the primary benefit of Health Check for Salesforce administrators?
