FAQ-000213 - CSRF and DML Security Issues / General CSRF Prevention and Best Practices


Current FAQ

Question
What are the security requirements for pages that perform automatic API authentication?
Answer
Pages that perform automatic API authentication must meet these security requirements:

1. **Use OAuth**: OAuth should be the preferred authentication mechanism. Storing the Salesforce username and password, whether as part of an OAuth flow or otherwise, is not allowed.
2. **Least Privilege Permissions**: Request only the minimum permissions necessary for the app's use case.
3. **Protect Sensitive Information**: Avoid writing sensitive data such as API credentials or cryptographic secrets to debug logs.
4. **Encrypt Secrets**: For server-side apps, encrypt secrets using AES-128 or higher, and securely store the encryption keys.
5. **Enforce HTTPS**: Remote site settings and HTTP request endpoints must use HTTPS and comply with certificate and SSL configuration standards.
6. **Authenticate and Authorize Requests**: Ensure requests are authenticated and authorized before processing privileged actions.
7. **Avoid Storing Secrets in Browsers**: Do not store secrets in browser-based apps. Instead, use password managers from browsers, operating systems, or trusted third parties.

These practices ensure secure API authentication processes.

AI Recommended Enhancement

Related Security Rules
- ApexBadCrypto
- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
Question
What are the security requirements for pages that perform automatic API authentication?
Recommended Answer Update
Pages that perform automatic API authentication must meet these security requirements:

1. **Use OAuth**: OAuth should be the preferred authentication mechanism. Storing the Salesforce username and password, whether as part of an OAuth flow or otherwise, is not allowed.
2. **Least Privilege Permissions**: Request only the minimum permissions necessary for the app's use case.
3. **Protect Sensitive Information**: Avoid writing sensitive data such as API credentials or cryptographic secrets to debug logs.
4. **Encrypt Secrets**: For server-side apps, encrypt secrets using AES-256 or higher, and securely store the encryption keys.
5. **Enforce HTTPS**: Remote site settings and HTTP request endpoints must use HTTPS and comply with certificate and SSL configuration standards.
6. **Authenticate and Authorize Requests**: Ensure requests are authenticated and authorized before processing privileged actions.
7. **Use Secure Credential Storage**: Use Named Credentials or similar secure storage mechanisms instead of hardcoding secrets. For browser-based apps, leverage password managers from browsers, operating systems, or trusted third parties.

These practices ensure secure API authentication processes.
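The following Apex class is an added example and is not code from the FAQ or from Salesforce; it illustrates points 3, 4, 5 and 7 of both the current and the recommended answer above. It contrasts a callout that hardcodes a bearer token, uses plain HTTP and logs the secret (the pattern the hardcoded-credential and insecure-endpoint rules flag) with a callout through a Named Credential, and shows AES-256 encryption of a server-side secret. The Named Credential name `Vendor_API`, the endpoint paths and the key-storage location are assumptions for the example.

```apex
// Added example (not part of the FAQ): insecure vs. recommended API authentication in Apex.
public with sharing class ApiAuthExamples {

    // ANTI-PATTERN, kept only for contrast. Flagged by AvoidHardcodedCredentialsInVarDecls,
    // AvoidHardcodedCredentialsInHttpHeader and ApexInsecureEndpoint:
    // the secret lives in source, travels over plain HTTP and is written to the debug log.
    public static HttpResponse insecureCallout() {
        String apiKey = 'sk_live_EXAMPLE_PLACEHOLDER';          // hardcoded secret (constructed value)
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.example.com/v1/data');      // plain HTTP endpoint
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + apiKey);     // secret in header literal
        System.debug('Calling vendor with key ' + apiKey);      // secret leaks into logs
        return new Http().send(req);
    }

    // RECOMMENDED: the platform injects the credential at callout time, the endpoint
    // (HTTPS) is configured on the Named Credential, and only non-sensitive metadata is logged.
    // Assumes a Named Credential called 'Vendor_API' exists in the org.
    public static HttpResponse namedCredentialCallout() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Vendor_API/v1/data');          // no secret in code
        req.setMethod('GET');
        req.setTimeout(10000);
        HttpResponse res = new Http().send(req);
        System.debug('Vendor_API responded with HTTP ' + res.getStatusCode());
        return res;
    }

    // Server-side secret at rest: AES-256 with a platform-managed random IV.
    // The key is generated once (newKey) and must be kept in protected custom
    // metadata or a protected custom setting (assumed), never in source.
    public static Blob newKey() {
        return Crypto.generateAesKey(256);
    }

    public static Blob encryptSecret(Blob key, String secret) {
        // encryptWithManagedIV prepends a random 16-byte IV to the ciphertext.
        return Crypto.encryptWithManagedIV('AES256', key, Blob.valueOf(secret));
    }

    public static String decryptSecret(Blob key, Blob ivAndCiphertext) {
        // decryptWithManagedIV reads the IV back out of the first 16 bytes.
        return Crypto.decryptWithManagedIV('AES256', key, ivAndCiphertext).toString();
    }
}
```

The Named Credential form removes three findings at once: there is no credential literal for the hardcoded-credential rules to match, the HTTPS endpoint and certificate handling are enforced by the Named Credential configuration rather than by each caller, and nothing secret reaches `System.debug`. The AES-256 helpers satisfy the recommended point 4 only if the key itself is stored in protected storage and never logged alongside the ciphertext.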
Reasoning
Made three key updates to align with current security standards:

1) Updated the encryption requirement from AES-128 to AES-256 to match modern security expectations, as AES-128 is becoming outdated.
2) Combined and clarified point 7 to emphasize Named Credentials (supported by the ApexSuggestUsingNamedCred rule) as the preferred approach for server-side credential storage, while maintaining browser-specific guidance.
3) Improved clarity by restructuring the credential storage guidance to be more actionable.

Selected security rules because they directly address the authentication security requirements covered in this FAQ:

- ApexBadCrypto relates to point 4 (encryption standards).
- ApexInsecureEndpoint relates to point 5 (HTTPS enforcement).
- ApexSuggestUsingNamedCred relates to point 7 (secure credential storage).
- The hardcoded credential rules (AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls) relate to points 3 and 7 (protecting sensitive information and avoiding hardcoded secrets).
- The remote site security rules (AvoidInsecureHttpRemoteSiteSetting, AvoidDisableProtocolSecurityRemoteSiteSetting) relate to point 5 (HTTPS enforcement).
- UseHttpsCallbackUrlConnectedApp relates to points 1 and 5 (OAuth implementation with HTTPS).