FAQ-000050 - API Security Testing Access and Configuration / Security Reviewer Access Provisioning


Current FAQ

Question
What are the recommended approaches for providing API access to security reviewers?
Answer
The recommended approaches for providing API access to security reviewers include:

1. **API Token**: Provide a testing-specific API token, scoped to the review environment, that does not expose production data or other sensitive information.
2. **Staging Environment**: If the staging environment URL differs from the endpoint used in the managed package code, document the differences and explain how the reviewer reaches the API.
3. **Protected Custom Metadata**: Package a unique token in protected custom metadata, which subscriber orgs cannot view or edit and which cannot be changed through the License Management Application (LMA). If the token must be rotated after installation, expose a REST API endpoint restricted to specific profiles or permission sets that performs the update; custom metadata cannot be written with DML, so such an endpoint has to go through the Metadata API.
4. **Validation and Security**: Authenticate and validate every API call the package makes from Salesforce on the receiving service (verify the token on each request rather than trusting the caller's origin), use HTTPS endpoints only, and keep credentials out of Apex source: store them in protected custom metadata or protected custom settings, or use Named Credentials for outbound callouts.
5. **Documentation**: Provide detailed API documentation, the credentials the reviewer needs, or Postman collections to facilitate testing.

These steps should align with Salesforce security standards to ensure a secure and efficient review process.
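As an added illustration of items 3 and 4 (this is example code written for this page, not code from the FAQ or from Salesforce), the following Apex shows the hardcoded-credential pattern the listed rules flag next to a hardened client that reads its token from protected custom metadata, plus a permission-gated rotation endpoint. All names are hypothetical: the protected custom metadata type `Review_API_Config__mdt` with fields `Base_URL__c` and `Token__c`, the custom permission `Review_Token_Admin`, and the Named Credential `Review_API`.

```apex
// Added example, not from the FAQ. Hypothetical names: Review_API_Config__mdt
// (protected custom metadata type, fields Base_URL__c and Token__c), custom
// permission Review_Token_Admin, Named Credential Review_API.

// BEFORE: token in source and a plain-HTTP endpoint. Anyone with package
// source or debug access to the class reads the token; the transport is clear.
public with sharing class ReviewClientInsecure {
    public static HttpResponse ping() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.example.test/v1/ping');        // ApexInsecureEndpoint
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer review-token-123'); // AvoidHardcodedCredentialsInHttpHeader
        return new Http().send(req);
    }
}

// AFTER: token lives in a protected custom metadata record shipped with the
// package. Subscriber org admins cannot view or edit protected records; only
// Apex in the package namespace can read them.
public with sharing class ReviewClient {
    public class ReviewClientException extends Exception {}

    private static Review_API_Config__mdt config() {
        // getInstance(developerName) returns null when the record is absent.
        Review_API_Config__mdt cfg = Review_API_Config__mdt.getInstance('Default');
        if (cfg == null || String.isBlank(cfg.Token__c) || String.isBlank(cfg.Base_URL__c)) {
            throw new ReviewClientException('Review API configuration missing');
        }
        // Refuse to send a bearer token over clear text even if the record is misconfigured.
        if (!cfg.Base_URL__c.startsWithIgnoreCase('https://')) {
            throw new ReviewClientException('Review API base URL must use HTTPS');
        }
        return cfg;
    }

    public static HttpResponse ping() {
        Review_API_Config__mdt cfg = config();
        HttpRequest req = new HttpRequest();
        req.setEndpoint(cfg.Base_URL__c + '/v1/ping');
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + cfg.Token__c);
        return new Http().send(req);
    }

    // Alternative favoured by ApexSuggestUsingNamedCred: the Named Credential
    // supplies both endpoint and auth header, so Apex never touches the secret.
    public static HttpResponse pingViaNamedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Review_API/v1/ping');
        req.setMethod('GET');
        return new Http().send(req);
    }
}

// Token rotation endpoint. Custom metadata cannot be written with DML, so the
// update is a Metadata API deployment. Access is gated on a custom permission
// that is granted through a permission set, never on profile name matching.
@RestResource(urlMapping='/review-api/token')
global with sharing class ReviewTokenRotation {
    @HttpPost
    global static String rotate() {
        if (!FeatureManagement.checkPermission('Review_Token_Admin')) {
            RestContext.response.statusCode = 403;
            return 'forbidden';
        }
        String newToken = RestContext.request.requestBody.toString().trim();
        if (newToken.length() < 32) {          // assumed minimum; reject obviously weak values
            RestContext.response.statusCode = 400;
            return 'token too short';
        }
        Metadata.CustomMetadata rec = new Metadata.CustomMetadata();
        // In a managed package the fullName carries the namespace prefix, e.g.
        // 'ns__Review_API_Config.Default'. The package namespace is what lets this
        // code write to its own protected record; verify that in the packaging org.
        rec.fullName = 'Review_API_Config.Default';
        rec.label = 'Default';
        Metadata.CustomMetadataValue tokenValue = new Metadata.CustomMetadataValue();
        tokenValue.field = 'Token__c';
        tokenValue.value = newToken;
        rec.values.add(tokenValue);
        Metadata.DeployContainer container = new Metadata.DeployContainer();
        container.addMetadata(rec);
        // A Metadata.DeployCallback can be passed instead of null to handle the result.
        Id jobId = Metadata.Operations.enqueueDeployment(container, null);
        return String.valueOf(jobId);       // never echo the token back to the caller
    }
}
```

The reviewer receives the value packaged in the protected record, which is why it should be a testing-only token; the rotation endpoint does not log or return the submitted token, and the deployment is asynchronous, so a caller should poll the returned job Id rather than assume the new token is active immediately.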


AI Recommended Enhancement

Related Security Rules

- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- ApexSuggestUsingNamedCred
- ApexInsecureEndpoint
Question
What are the recommended approaches for providing API access to security reviewers?
Recommended Answer Update
The recommended approaches for providing API access to security reviewers include:

1. **API Token**: Provide a testing-specific API token, scoped to the review environment, that doesn't expose production data or other sensitive information.
2. **Staging Environment**: If the staging environment URL differs from the endpoint used in the managed package code, document the differences and explain how the reviewer reaches the API.
3. **Protected Custom Metadata**: Package a unique token in protected custom metadata, which subscriber orgs can't view or edit and which can't be changed through the License Management Application (LMA). If the token must be rotated after installation, expose a REST API endpoint restricted to specific profiles or permission sets that performs the update; custom metadata can't be written with DML, so such an endpoint has to go through the Metadata API.
4. **Validation and Security**: Authenticate and validate every API call the package makes from Salesforce on the receiving service (verify the token on each request rather than trusting the caller's origin), use HTTPS endpoints only, and keep credentials out of Apex source: store them in protected custom metadata or protected custom settings, or use Named Credentials for outbound callouts.
5. **Documentation**: Provide detailed API documentation, the credentials the reviewer needs, or Postman collections to facilitate testing.

These steps should align with Salesforce security standards to ensure a secure and efficient review process.
Reasoning
The FAQ content is technically accurate and well-structured. I made minor language improvements for clarity and conciseness:

1. Changed 'does not expose' to 'doesn't expose' for a more conversational tone.
2. Changed 'cannot be edited' to 'can't be edited' for consistency with the conversational style.
3. These changes align with the brand guidelines to use contractions and be more conversational.

Regarding security rules selection:

- **AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls**: These rules directly relate to the FAQ's discussion of API tokens and credential management. The FAQ mentions 'API Token' and 'unique token using protected custom metadata', which are credential-related concepts these rules address.
- **ApexSuggestUsingNamedCred**: This rule is relevant to the FAQ's discussion of secure credential storage and API access, as it promotes using Named Credentials instead of hardcoded credentials for external API calls.
- **ApexInsecureEndpoint**: This rule relates to the FAQ's mention of REST API endpoints and ensuring secure API access for reviewers, as it identifies insecure HTTP endpoints that should use HTTPS.