FAQ-000068 - API Security and Metadata Access / Automated Configuration and Remote Site Management

No, it's not permissible to use the Metadata API to create configurations like Remote Site Settings automatically or to create remote sites programmatically from Apex for Salesforce metadata services. This action requires the use of a connected app as per the guidelines. Remote site settings must be explicitly defined and tested to ensure compliance with security requirements, such as enforcing HTTPS and meeting certificate and SSL configuration standards. Arbitrary or programmatically created remote site settings aren't permitted without a reasonable business case and thorough validation.

The original answer is technically accurate and doesn't contain outdated content. However, it can be improved for clarity and tone by using more conversational language consistent with the brand guidelines. The main changes make the text more direct and natural: 'it is not permissible' becomes 'it's not permissible' and 'are not permitted' becomes 'aren't permitted' to use contractions as specified in the style guide. These changes maintain all the original technical content while making the response more conversational and easier to read. Related security rules: - **AvoidDisableProtocolSecurityRemoteSiteSetting**: This rule directly relates to the FAQ's discussion of remote site settings security requirements, specifically the mention of 'enforcing HTTPS' and 'certificate and SSL configuration standards' in the answer. - **AvoidInsecureHttpRemoteSiteSetting**: This rule connects to the FAQ's emphasis on security requirements for remote site settings, particularly the requirement for HTTPS enforcement mentioned in the answer. - **ApexSuggestUsingNamedCred**: This rule relates to the FAQ's discussion of programmatic creation of remote sites from Apex and the security implications, as Named Credentials are the recommended secure approach for external API authentication rather than programmatically managed remote sites.