org-hardening-and-baseline-config
Use when defining or reviewing baseline org hardening settings, especially Security Health Check gaps, clickjack and browser protections, CSP and CORS governance, password/session policies, network restrictions, and release-update hygiene. Triggers: 'org hardening', 'baseline security config', 'Health Check', 'CSP trusted sites', 'clickjack protection'. NOT for feature-level app permissions or record-sharing design.
Best use case
org-hardening-and-baseline-config is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using org-hardening-and-baseline-config should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/org-hardening-and-baseline-config/SKILL.md inside your project
- Restart your AI agent — it will auto-discover the skill
SKILL.md Source
# Org Hardening And Baseline Config

Use this skill when the question is "what should every serious org have locked down before feature work keeps expanding the blast radius?" Hardening is not one setting. It is the baseline combination of browser protections, session and password controls, network policy, release-update discipline, and exception management.

---

## Before Starting

Gather this context before working on anything in this domain:

- Is this a new org baseline, an inherited production org, or a regulated environment with stricter controls?
- Which browser, mobile, integration, and network behaviors are actually required?
- Does the org already track exceptions for CSP, CORS, IP allowlists, or other trust decisions?

---

## Core Concepts

### Health Check Is A Starting Point

Security Health Check is useful, but a good score does not replace deliberate review of browser protections, session behavior, trusted sites, and release updates. Baseline hardening is broader than one score.

### Browser And Trust Controls Need Governance

CSP Trusted Sites, CORS allowlists, clickjack protections, and similar browser-facing controls should be treated as risk decisions. Every exception should have a reason and an owner.

### Session And Authentication Settings Are Baseline Security

Password policy, session timeout, login hours, IP policies, and login restrictions often matter more than teams realize because they define how much damage routine credential compromise can do.

### Release Updates Are Part Of Hardening

Critical updates and security-related release settings are operational work, not optional cleanup. Teams that never revisit them accumulate preventable risk and surprise.

---

## Common Patterns

### New-Org Baseline Checklist

**When to use:** A new org or business unit needs a repeatable security baseline.

**How it works:** Define minimum settings for browser protections, session policy, network restrictions, and security review cadence before apps proliferate.

**Why not the alternative:** Retrofitting hardening after many integrations and exceptions exist is slower and politically harder.

### Exception Register For Trusted Sites

**When to use:** The org uses CSP Trusted Sites, CORS allowlists, or similar trust exceptions.

**How it works:** Record owner, purpose, and review date for each exception instead of letting them accumulate silently.

### Quarterly Release-Hardening Review

**When to use:** The org runs continuously and wants a practical hardening cadence.

**How it works:** Review Health Check changes, critical updates, browser trust settings, and stale exceptions on a fixed operational schedule.

---

## Decision Guidance

| Situation | Recommended Approach | Reason |
|---|---|---|
| New org or major environment setup | Establish baseline hardening checklist early | Easier than retrofitting later |
| Many trusted-site and allowlist exceptions exist | Create explicit exception governance | Trust sprawl is still risk |
| Team relies only on Health Check score | Expand review to browser, network, and release settings | Score alone is not the full baseline |
| Release updates are handled ad hoc | Create a recurring hardening cadence | Security posture drifts without it |

---

## Recommended Workflow

Step-by-step instructions for an AI agent or practitioner activating this skill:

1. Gather context — confirm the org edition, relevant objects, and current configuration state
2. Review official sources — check the references in this skill's well-architected.md before making changes
3. Implement or advise — apply the patterns from the Core Concepts and Common Patterns sections above
4. Validate — run the skill's checker script and verify against the Review Checklist below
5. Document — record any deviations from standard patterns and update the template if needed

---

## Review Checklist

Run through these before marking work in this area complete:

- [ ] Security Health Check is reviewed, but not treated as the whole baseline.
- [ ] CSP, CORS, and trusted-site exceptions are documented and owned.
- [ ] Session, password, and network restrictions reflect real policy.
- [ ] Clickjack and browser protections are reviewed deliberately.
- [ ] Critical updates and release security settings have an operating cadence.
- [ ] The org can explain why each trust exception still exists.

---

## Salesforce-Specific Gotchas

Non-obvious platform behaviors that cause real production problems:

1. **A good Health Check score can hide real gaps** - browser and exception governance still matter.
2. **Trusted sites linger forever unless someone owns them** - convenience exceptions become permanent risk.
3. **Release updates are security work** - delaying them casually creates future outages and blind spots.
4. **Hardening decisions are cross-functional** - security, admins, and integration teams all affect the baseline.

---

## Output Artifacts

| Artifact | Description |
|---|---|
| Hardening checklist | Baseline control list for the org or environment |
| Security config review | Findings on browser, session, network, and release controls |
| Exception register guidance | Operational model for trusted-site and allowlist governance |

---

## Related Skills

- `security/permission-set-groups-and-muting` - use when access-bundle design is the real issue instead of baseline org controls.
- `admin/connected-apps-and-auth` - use when connected apps and integration auth are the main hardening focus.
- `security/security-health-check` - use when the question is specifically about interpreting or using Health Check itself.
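As an added example of the exception register and stale-exception review described in the SKILL.md above (this is not the skill's own checker script or any Salesforce tooling): a Python review of a constructed CSV register of CSP Trusted Site and CORS allowlist entries that flags entries with no owner, no documented purpose, or an overdue review date, and notes non-HTTPS or wildcard origins for deliberate review. The column names, CSV layout, and sample origins are assumptions.

```python
import csv
import io
from datetime import date
from urllib.parse import urlsplit

# Constructed sample exception register (CSP Trusted Sites and CORS allowlist
# entries). Origins, owners and dates are illustrative, not real org data.
REGISTER_CSV = """\
kind,origin,owner,purpose,review_date
csp_trusted_site,https://maps.vendor.example,platform-team,Map tiles for field app,2027-03-31
cors_allowlist,https://portal.partner.example,,Partner portal calls the REST API,2026-01-15
csp_trusted_site,http://legacy-cdn.example.net,web-team,,2024-06-30
cors_allowlist,https://*.example.com,integration-team,Broad entry added during migration,2025-12-01
"""


def review_register(register_csv, today_iso):
    """Return {origin: [finding, ...]} for entries that fail the governance rules:
    every exception needs an owner, a purpose, and a review date that has not
    passed; non-HTTPS and wildcard origins are flagged for deliberate review.
    `today_iso` is the review date as an ISO string, e.g. "2026-04-01"."""
    as_of = date.fromisoformat(today_iso)
    findings = {}
    for row in csv.DictReader(io.StringIO(register_csv)):
        problems = []
        if not row["owner"].strip():
            problems.append("no owner")
        if not row["purpose"].strip():
            problems.append("no documented purpose")
        try:
            review = date.fromisoformat(row["review_date"])
            if review < as_of:
                problems.append(f"review overdue since {review.isoformat()}")
        except ValueError:  # empty or malformed date counts as unreviewed
            problems.append("missing or invalid review date")
        parts = urlsplit(row["origin"])
        if parts.scheme != "https":
            problems.append("origin is not https")
        if "*" in parts.netloc:
            problems.append("wildcard origin widens trust beyond one host")
        if problems:
            findings[row["origin"]] = problems
    return findings


if __name__ == "__main__":
    for origin, problems in review_register(REGISTER_CSV, "2026-04-01").items():
        print(f"{origin}: {'; '.join(problems)}")
```

Entries with no findings are the ones the org can still explain; every other row is a candidate for the next quarterly review or for removal.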