FAQ-000397 - Community and Experience Cloud Security / Data Encryption and Sensitive Information

To manage sensitive data in an Experience Cloud site securely: 1. **Exclude Unnecessary Fields**: Avoid querying sensitive fields that are not required for the UI, client-side code, or server-side logic. 2. **Restrict Client-Side Exposure**: Don't pass sensitive data to the client-side or display it on the UI. 3. **Enforce CRUD and FLS Checks**: Ensure proper handling of Create, Read, Update, Delete (CRUD) and Field-Level Security (FLS) checks, especially for guest users. 4. **Encrypt Sensitive Data**: Use encryption for sensitive data and securely store encryption keys in protected custom settings or metadata. These practices help protect sensitive data and maintain security compliance.

The FAQ content is generally accurate and well-structured, but contains one minor wording issue that could be improved for clarity. The original text uses 'Do not pass' which is slightly more formal than the conversational tone recommended in the brand guidelines. Changing this to 'Don't pass' makes it more conversational while maintaining the same meaning and security guidance. Regarding the selected security rules: 1. **ApexCRUDViolation** - This rule directly relates to point #3 in the FAQ which mentions 'Enforce CRUD and FLS Checks'. The FAQ specifically discusses ensuring proper handling of CRUD checks, which is exactly what this security rule validates. 2. **ApexSharingViolations** - This rule connects to point #3 regarding FLS (Field-Level Security) checks and the overall theme of data access security in Experience Cloud sites. The FAQ emphasizes proper security checks 'especially for guest users', which aligns with sharing violation concerns. 3. **ApexBadCrypto** - This rule directly applies to point #4 in the FAQ which discusses 'Use encryption for sensitive data'. The rule helps detect bad cryptographic practices, which is essential when implementing the encryption recommendations provided in the FAQ. 4. **ProtectSensitiveData** - This rule broadly applies to the entire FAQ content, which is focused on managing sensitive data securely. Points #1 and #2 specifically discuss excluding unnecessary sensitive fields and restricting client-side exposure of sensitive data, which aligns with protecting sensitive data from unauthorized access.