FAQ-000049 - API Security Testing Access and Configuration / IP Restrictions and Allowlisting

Current Status: VALID_RESPONSE

Current FAQ

Question
How should I handle IP allowlist restrictions and grant security reviewers access to IP-restricted API endpoints?
Answer
To handle IP allowlist restrictions and grant security reviewers access to IP-restricted endpoints, follow these recommended methods:

1. **Update IP Allowlist**: Add the IP ranges used by the security reviewers to the allowlist. Refer to the Salesforce IP Addresses & Domains to Allow guidelines for the correct IP ranges that need to be included.
2. **Secure Communication**: Ensure the endpoints allow secure communication using HTTPS, and securely provide any necessary credentials or tokens to the reviewers.
3. **Third-Party Permissions**: Obtain any required permissions from third parties that own external endpoints before testing begins.
4. **Documentation**: Document the access process thoroughly. If adjustments to the IP restrictions aren't possible due to technical or policy constraints, document this limitation and provide a detailed explanation in your submission to the security review team.
5. **Access Process**: Clearly outline the steps reviewers need to follow to access the endpoints and provide any necessary authentication materials.

These steps ensure that security reviewers can effectively test your API endpoints while maintaining proper security controls and compliance with organizational policies.

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
- AvoidDisableProtocolSecurityRemoteSiteSetting
Question
How should I handle IP allowlist restrictions and grant security reviewers access to IP-restricted API endpoints?
Recommended Answer Update
To handle IP allowlist restrictions and grant security reviewers access to IP-restricted endpoints, follow these recommended methods:

1. **Update IP Allowlist**: Add the IP ranges used by the security reviewers to the allowlist. Refer to the Salesforce IP Addresses & Domains to Allow guidelines for the correct IP ranges that need to be included.
2. **Secure Communication**: Ensure the endpoints use HTTPS, and securely provide any necessary credentials or tokens to the reviewers.
3. **Third-Party Permissions**: Obtain any required permissions from third parties that own external endpoints before testing begins.
4. **Documentation**: Document the access process thoroughly. If adjustments to the IP restrictions aren't possible due to technical or policy constraints, document this limitation and provide a detailed explanation in your submission to the security review team.
5. **Access Process**: Clearly outline the steps reviewers need to follow to access the endpoints and provide any necessary authentication materials.

These steps ensure that security reviewers can effectively test your API endpoints while maintaining proper security controls and compliance with organizational policies.
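A pre-submission check for points 1 and 2 of the answer above (both the current answer and the recommended update), added here as an example that is not part of the FAQ or of Salesforce's own tooling: it verifies that every reviewer source range is fully contained in the endpoint's allowlist, flags allowlist entries so broad that they remove the restriction altogether, and lists endpoints that are not served over HTTPS. The allowlist, reviewer ranges and endpoint URLs are constructed placeholders; the real reviewer ranges come from the IP Addresses & Domains to Allow guidelines.

```python
"""Allowlist coverage and HTTPS checks for granting security reviewers access.
All ranges and URLs are constructed placeholders (RFC 5737 documentation nets),
not the ranges published by Salesforce."""
from ipaddress import ip_network
from urllib.parse import urlsplit

# Constructed: allowlist currently configured on the API endpoint.
ALLOWLIST = ["203.0.113.0/24", "198.51.100.0/25", "192.0.2.0/24"]
# Constructed stand-ins for the reviewer ranges from the "IP Addresses & Domains
# to Allow" guidelines; replace with the ranges from that document.
REVIEWER_RANGES = ["198.51.100.0/24", "192.0.2.0/24", "192.0.2.128/25"]
# Constructed endpoint inventory handed to the reviewers.
ENDPOINTS = ["https://api.example.com/v1/orders", "http://legacy.example.com/v1/export"]


def uncovered_ranges(allowlist, reviewer_ranges):
    """Return reviewer ranges not fully contained in some allowlist entry.
    A partially covered range (only half of a /24 allowed) counts as uncovered,
    because reviewer traffic may originate from the disallowed half."""
    allowed = [ip_network(a, strict=False) for a in allowlist]
    missing = []
    for r in reviewer_ranges:
        net = ip_network(r, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            missing.append(str(net))
    return missing


def overly_broad_entries(allowlist):
    """Return entries that admit the whole address space (prefix length 0);
    such an entry removes the IP restriction instead of granting reviewer access."""
    return [a for a in allowlist if ip_network(a, strict=False).prefixlen == 0]


def non_https_endpoints(endpoints):
    """Return endpoints whose scheme is not https (point 2 of the answer)."""
    return [u for u in endpoints if urlsplit(u).scheme.lower() != "https"]


def access_report(allowlist=ALLOWLIST, reviewer_ranges=REVIEWER_RANGES, endpoints=ENDPOINTS):
    """Summarise what must change before reviewers can reach the endpoints."""
    return {
        "uncovered_reviewer_ranges": uncovered_ranges(allowlist, reviewer_ranges),
        "overly_broad_allowlist_entries": overly_broad_entries(allowlist),
        "non_https_endpoints": non_https_endpoints(endpoints),
    }


if __name__ == "__main__":
    for key, items in access_report().items():
        print(f"{key}: {items or 'none'}")
```

With the constructed inputs, the report shows that 198.51.100.0/24 is only half covered by the 198.51.100.0/25 entry and that the legacy export endpoint still uses plain HTTP, which are the two findings to resolve (or document as limitations) before submission.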
Reasoning
The main improvement needed was in point #2 where the original text said 'allow secure communication using HTTPS' which could be interpreted as making HTTPS optional. This was changed to 'use HTTPS' to make the requirement clear and mandatory. This aligns with multiple security rules that enforce HTTPS usage for secure communications. The selected security rules are all relevant to API endpoint security and secure communications: ApexInsecureEndpoint relates to ensuring secure endpoint configurations that the FAQ discusses for API access; AvoidInsecureHttpRemoteSiteSetting and UseHttpsCallbackUrlConnectedApp both enforce HTTPS usage which directly relates to the FAQ's point about secure communication; AvoidDisableProtocolSecurityRemoteSiteSetting relates to maintaining protocol security which is relevant to the overall secure endpoint access the FAQ addresses.