Health Check


Definition

Health Check is a Setup tool that evaluates the security configuration of the Salesforce org against Salesforce's recommended baseline standards. It assigns a score from 0 to 100 and identifies specific settings that are below recommendations, such as password policies, session settings, and login requirements.

Real-World Example

The admin at Granite Financial runs Health Check and receives a score of 72 out of 100. The tool flags that the minimum password length is only 8 characters (recommendation: 12), session timeout is set to 12 hours (recommendation: 2 hours), and clickjack protection is disabled. She updates each setting and reruns Health Check, achieving a score of 95.

Why Health Check Matters

Health Check is a built-in Setup tool in Salesforce that evaluates your org's security configuration against Salesforce's recommended baseline standards and assigns a score from 0 to 100. It analyzes specific security settings including password policies (minimum length, complexity requirements, expiration), session settings (timeout duration, IP restrictions), login requirements (multi-factor authentication, login IP ranges), and clickjack protection. Each setting is categorized as meeting, exceeding, or falling below Salesforce's recommendation, giving administrators a clear and actionable security improvement roadmap.

As organizations grow and multiple administrators make configuration changes over time, security settings tend to drift from best practices. A setting that was acceptable two years ago may now represent a vulnerability. Health Check provides an ongoing benchmark that administrators can run after any configuration change to verify that the org's security posture hasn't degraded. For organizations subject to compliance audits (SOC 2, HIPAA, PCI DSS), a strong Health Check score demonstrates proactive security management and provides evidence of continuous monitoring. Organizations that ignore Health Check often discover security gaps only during audits or, worse, after a security incident when it's too late to prevent damage.
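The drift check described above can be sketched by comparing two exported snapshots of settings against the recommended values quoted on this page. This is an added example, not Salesforce's code: the setting key names and snapshot format are hypothetical, and it does not reproduce how Health Check computes its 0 to 100 score.

```python
import operator

# Recommended values quoted on this page; the key names are hypothetical.
BASELINE = {
    "min_password_length": (operator.ge, 12),      # at least 12 characters
    "session_timeout_hours": (operator.le, 2),     # at most 2 hours
    "clickjack_protection": (operator.eq, True),   # must be enabled
}

def below_baseline(snapshot):
    """Return {setting: (org_value, recommended)} for settings that miss the baseline."""
    findings = {}
    for setting, (meets, recommended) in BASELINE.items():
        if setting not in snapshot:
            # A setting missing from the export is reported, not assumed compliant.
            findings[setting] = (None, recommended)
        elif not meets(snapshot[setting], recommended):
            findings[setting] = (snapshot[setting], recommended)
    return findings

def regressions(before, after):
    """Settings that met the baseline in `before` but miss it in `after`."""
    was_failing = below_baseline(before)
    return {s: v for s, v in below_baseline(after).items() if s not in was_failing}

# Constructed snapshots: the state flagged on this page, the state after the
# fixes, and a later change that lengthens the session timeout again.
FLAGGED = {"min_password_length": 8, "session_timeout_hours": 12, "clickjack_protection": False}
FIXED = {"min_password_length": 12, "session_timeout_hours": 2, "clickjack_protection": True}
LATER = {"min_password_length": 12, "session_timeout_hours": 8, "clickjack_protection": True}

if __name__ == "__main__":
    print("flagged:", below_baseline(FLAGGED))
    print("drift since fix:", regressions(FIXED, LATER))
```

Running a comparison like this after each configuration change surfaces only the settings that newly fell below the recommendation, which keeps the review focused on drift rather than on known, accepted gaps.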

How Organizations Use Health Check

  • Granite Financial Services — The admin at Granite Financial runs Health Check and receives a 72 out of 100. The tool flags a minimum password length of 8 characters (recommendation: 12), a session timeout of 12 hours (recommendation: 2 hours), and disabled clickjack protection. After updating each setting and rerunning Health Check, the score jumps to 95.
  • Pacific Compliance Solutions — Pacific Compliance Solutions includes Health Check in their quarterly security review process. Before every SOC 2 audit, they run the report, address any findings, and include the Health Check score as evidence of proactive security monitoring in their audit documentation package.
  • Meridian Tech Startups — Meridian Tech's new Salesforce admin inherited an org with a Health Check score of 45. By systematically addressing each flagged setting over two weeks - strengthening password policies, reducing session timeouts, enabling MFA, and activating clickjack protection - she raised the score to 92 and documented each change for the CEO's quarterly security briefing.
