FAQ-000399 - Community and Experience Cloud Security / Data Encryption and Sensitive Information

Here are the key security and encryption guidelines for applications exposing data in public sites or communities: 1. **Data Encryption**: Use strong encryption (AES-256 or higher is recommended; AES-128 is the minimum acceptable standard) to protect sensitive data at rest. Store encryption keys securely and separately from the encrypted data. 2. **Authentication and Authorization**: Enforce strict authentication and authorization for privileged actions and access to confidential objects. Follow the principle of least privilege. 3. **Secure Data Storage**: Avoid storing sensitive data in public custom settings or metadata. Use protected custom settings or metadata fields, and encrypt sensitive data stored in object fields. 4. **Logging Practices**: Don't log sensitive data like passwords, API tokens, or encryption keys in production. Redact or omit such data from logs. 5. **Cross-Site Scripting (XSS) Protection**: Sanitize user inputs and outputs to prevent XSS attacks. Use proper encoding in Visualforce and Lightning components. 6. **Secure Entry Points**: Secure all application entry points (like Visualforce controllers and AuraEnabled methods) by enforcing sharing rules. 7. **Avoid Insecure Practices**: Don't dynamically load third-party scripts or stylesheets. Include them as static resources in the application package. 8. **Compliance with Standards**: Follow enterprise security standards and AppExchange security review guidelines to ensure secure coding practices. For more details, you can refer to the [AppExchange Security Review Guidelines](/).

The FAQ content is generally sound but needs minor refinements for clarity and current best practices. Key improvements made: (1) Clarified encryption standards by specifying AES-256 as recommended while maintaining AES-128 as minimum acceptable, (2) Fixed 'VisualForce' spelling to 'Visualforce' for consistency with Salesforce branding, (3) Improved phrasing around entry points by using 'like' instead of 'e.g.' for better conversational tone, (4) Streamlined wording in several sections for better readability. Security rules selected relate directly to FAQ content: ApexBadCrypto covers the encryption guidelines discussed in point 1; ApexSharingViolations relates to point 6 about enforcing sharing rules at entry points; ApexXSSFromEscapeFalse and ApexXSSFromURLParam directly address the XSS protection discussed in point 5; AvoidHardcodedCredentialsInFieldDecls and AvoidHardcodedCredentialsInVarDecls support the secure data storage principles in point 3; AvoidInsecureHttpRemoteSiteSetting aligns with the secure practices theme; AvoidUnescapedHtmlInAura relates to XSS protection in Lightning components mentioned in point 5; LoadCSSLinkHref and LoadJavaScriptIncludeScript directly correspond to point 7 about avoiding dynamic loading of third-party resources; ProtectSensitiveData encompasses the overall theme of points 3 and 4 about secure data handling and logging practices.