FAQ-000073 - API Security and Metadata Access / Security Review and Compliance


Current FAQ

Question
What documentation and best practices should be followed when applications rely on Tooling or Metadata APIs to ensure security review compliance?
Answer
When your application's core functionality relies on using the Tooling or Metadata APIs, you should follow these best practices and provide comprehensive documentation to ensure security review compliance:

**Documentation Requirements:**

1. **Functionality Overview**: Include architecture diagrams or descriptions of your application's functionality.
2. **API Usage Details**: Document how the Tooling or Metadata APIs are used, specifying the operations performed and their purpose.
3. **Postman Collection**: If applicable, provide a Postman collection of all APIs and credentials for third-party integrations.
4. **False Positive Report**: Document any false positive issues in a report for submission.

**Best Practices for Retrieving Metadata Information:**

1. **Use the Metadata API Securely**: Avoid directly using sensitive information like session IDs within the package.
2. **Secure Session ID Retrieval**: Use a Visualforce (VF) page to securely obtain the session ID and pass it to Apex for making Metadata API calls. Ensure the VF page is not exposed and does not include a controller.
3. **Document the Process**: Clearly document the process for administrators to understand the metadata additions.
4. **Protect Sensitive Data**: If using protected custom metadata or settings, configure them correctly to secure sensitive information.

This documentation and adherence to best practices ensure clarity and compliance during the security review process while maintaining secure access to metadata information.
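As an added illustration of best practice 2 (this is example code written for this FAQ, not code from the FAQ itself or from Salesforce): a controller-less Visualforce page renders the API session ID, and an Apex class reads it with `getContent()` and uses it only as a bearer token for a Tooling API query. The page name `SessionIdPage`, the class name `ToolingApiClient`, the marker strings and the API version are assumptions.

```apex
// Assumed Visualforce page "SessionIdPage" (no controller; do not assign it to any
// site, guest or community profile, so it is never exposed outside the logged-in org):
// <apex:page contentType="text/plain" showHeader="false" applyHtmlTag="false"
//            applyBodyTag="false">Start_Of_Session_Id{!$Api.Session_ID}End_Of_Session_Id</apex:page>
public with sharing class ToolingApiClient {
    // Markers make the session ID easy to extract from the rendered page output
    private static final String START_MARK = 'Start_Of_Session_Id';
    private static final String END_MARK   = 'End_Of_Session_Id';
    // Assumed API version; use the version the package is built against
    private static final String API_VERSION = 'v58.0';

    // Reads the API-enabled session ID from the controller-less page.
    // PageReference.getContent() cannot be called from tests or triggers,
    // so callers in those contexts must stub this value.
    public static String getApiSessionId() {
        String body = Page.SessionIdPage.getContent().toString();
        return extractSessionId(body);
    }

    // Pure parsing helper, separated so it can be unit-tested without getContent()
    @TestVisible
    private static String extractSessionId(String body) {
        Integer startIdx = body.indexOf(START_MARK);
        Integer endIdx = body.indexOf(END_MARK);
        if (startIdx < 0 || endIdx < 0 || endIdx <= startIdx) {
            throw new SessionIdException('Session ID markers not found in page output');
        }
        return body.substring(startIdx + START_MARK.length(), endIdx).trim();
    }

    // Example Tooling API call: list the org's custom objects.
    // The session ID is used only in the Authorization header and is never
    // persisted in a field, custom setting, log or debug statement.
    public static String queryCustomObjects() {
        String soql = 'SELECT Id, DeveloperName FROM CustomObject';
        HttpRequest req = new HttpRequest();
        // Callout to the org's own domain; a Remote Site Setting for it may be required
        req.setEndpoint(URL.getOrgDomainUrl().toExternalForm()
            + '/services/data/' + API_VERSION + '/tooling/query/?q='
            + EncodingUtil.urlEncode(soql, 'UTF-8'));
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + getApiSessionId());
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            throw new SessionIdException('Tooling API call failed: ' + res.getStatus());
        }
        return res.getBody();
    }

    public class SessionIdException extends Exception {}
}
```

Documenting this page/class pair, and why the package needs the Tooling or Metadata API at all, is what the reviewer will look for in the functionality overview and API usage details.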

AI Recommended Enhancement

Related Security Rules

- AvoidApiSessionId
- AvoidUnauthorizedApiSessionIdInApex
- AvoidUnauthorizedApiSessionIdInVisualforce
- AvoidUnauthorizedGetSessionIdInApex
- AvoidUnauthorizedGetSessionIdInVisualforce
- ApexSuggestUsingNamedCred
Question
What documentation and best practices should be followed when applications rely on Tooling or Metadata APIs to ensure security review compliance?
Recommended Answer Update
When your application's core functionality relies on using the Tooling or Metadata APIs, follow these best practices and provide comprehensive documentation to ensure security review compliance:

**Documentation Requirements:**

1. **Functionality Overview**: Include architecture diagrams or descriptions of your application's functionality.
2. **API Usage Details**: Document how the Tooling or Metadata APIs are used, specifying the operations performed and their purpose.
3. **Postman Collection**: If applicable, provide a Postman collection of all APIs and credentials for third-party integrations.
4. **False Positive Report**: Document any false positive issues in a report for submission.

**Best Practices for Retrieving Metadata Information:**

1. **Use the Metadata API Securely**: Avoid directly using sensitive information like session IDs within the package.
2. **Secure Session ID Retrieval**: Use a Visualforce (VF) page to securely obtain the session ID and pass it to Apex for making Metadata API calls. Ensure the VF page isn't exposed and doesn't include a controller.
3. **Document the Process**: Clearly document the process for administrators to understand the metadata additions.
4. **Protect Sensitive Data**: If using protected custom metadata or settings, configure them correctly to secure sensitive information.

This documentation and adherence to best practices ensure clarity and compliance during the security review process while maintaining secure access to metadata information.
Reasoning
The FAQ content is accurate and provides solid guidance, requiring only minor improvements for clarity and consistency. The main changes made were:

1. Removed unnecessary 'you should' phrasing to make the content more direct and actionable.
2. Changed 'is not exposed' to 'isn't exposed' to match the conversational tone guidelines.
3. Changed 'does not include' to 'doesn't include' for consistency with the brand voice requirements that favor contractions.

Regarding security rules selected:

- AvoidApiSessionId: This rule directly relates to the FAQ's guidance about avoiding session IDs within packages, which is mentioned in best practice #1 about avoiding 'sensitive information like session IDs within the package'.
- AvoidUnauthorizedApiSessionIdInApex: The FAQ discusses secure session ID handling in Apex for Metadata API calls, which directly corresponds to this rule's purpose of preventing unauthorized session ID usage in Apex.
- AvoidUnauthorizedApiSessionIdInVisualforce: The FAQ specifically mentions using Visualforce pages to obtain session IDs, making this rule highly relevant to the VF page security practices discussed.
- AvoidUnauthorizedGetSessionIdInApex: The FAQ covers the process of securely obtaining session IDs and passing them to Apex, which relates to this rule's focus on preventing unauthorized session ID retrieval in Apex.
- AvoidUnauthorizedGetSessionIdInVisualforce: Since the FAQ recommends using VF pages for secure session ID retrieval, this rule about preventing unauthorized session ID access in Visualforce is directly applicable.
- ApexSuggestUsingNamedCred: While the FAQ mentions credentials for third-party integrations in the Postman collection documentation requirement, this rule promotes using Named Credentials as a security best practice for external API authentication.