FAQ-000461 - Custom Settings and Configuration Security / Custom Metadata Security and Visibility Management

Current Status: VALID_RESPONSE

Current FAQ

Question
Can protected custom metadata be exposed through external integrations and what are the security considerations?
Answer
Yes, protected custom metadata can be exposed through Apex REST Services for external integrations, but it must be done securely:

1. **Restrict Access**: Limit access to the Apex class handling the REST service to specific profiles or permission sets.
2. **Encrypt Sensitive Data**: If sensitive information is involved, ensure the data is encrypted.
3. **Authentication and Authorization**: Implement proper mechanisms to prevent unauthorized access.

However, Custom Metadata should **not** be made publicly visible for subscriber access if it involves storing sensitive data like secrets, tokens, or credentials. Instead, use **Protected Custom Metadata** or **Named Credentials** to ensure secure storage and restricted access. Public visibility of sensitive data can create security vulnerabilities and is strongly discouraged.
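
An added example (not part of the original FAQ, and not Salesforce's own code) of an Apex REST resource that applies the access-restriction and authorization points while keeping secret fields out of the response. The metadata type `Integration_Setting__mdt`, its fields, the URL mapping and the custom permission `Read_Integration_Settings` are hypothetical names, and the caller is assumed to reach the endpoint with an authenticated API session.

```apex
// Added example. Integration_Setting__mdt, Endpoint_Label__c, Enabled__c,
// the URL mapping and the custom permission name are hypothetical.
// Access to this class itself should also be limited to specific
// profiles or permission sets (Apex class access), as the FAQ advises.
@RestResource(urlMapping='/integration-settings/*')
global with sharing class IntegrationSettingsResource {

    // Response shape: only non-sensitive fields are ever serialized.
    global class SettingView {
        public String name;
        public String endpointLabel;
        public Boolean enabled;
    }

    @HttpGet
    global static void getSettings() {
        RestResponse res = RestContext.response;
        res.addHeader('Content-Type', 'application/json');

        // Authorization check on top of class access: require a custom
        // permission that is granted through a permission set.
        if (!FeatureManagement.checkPermission('Read_Integration_Settings')) {
            res.statusCode = 403;
            res.responseBody = Blob.valueOf('{"error":"forbidden"}');
            return;
        }

        List<SettingView> views = new List<SettingView>();
        for (Integration_Setting__mdt s : Integration_Setting__mdt.getAll().values()) {
            SettingView v = new SettingView();
            v.name = s.DeveloperName;
            v.endpointLabel = s.Endpoint_Label__c;
            v.enabled = s.Enabled__c;
            // Any field holding a secret, token or credential is deliberately
            // not copied into the view; such values belong in Named Credentials.
            views.add(v);
        }

        res.statusCode = 200;
        res.responseBody = Blob.valueOf(JSON.serialize(views));
    }
}
```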

AI Recommended Enhancement

Related Security Rules
ApexInsecureEndpoint, ApexSuggestUsingNamedCred, AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign
Question
Can protected custom metadata be exposed through external integrations and what are the security considerations?
Recommended Answer Update
Yes, protected custom metadata can be exposed through Apex REST Services for external integrations, but it must be done securely:

1. **Restrict Access**: Limit access to the Apex class handling the REST service to specific profiles or permission sets.
2. **Use Proper Authentication**: Implement proper authentication and authorization mechanisms to prevent unauthorized access.
3. **Encrypt Sensitive Data**: If sensitive information is involved, ensure the data is encrypted.

However, Custom Metadata should **not** be made publicly visible for subscriber access if it involves storing sensitive data like secrets, tokens, or credentials. Instead, use **Protected Custom Metadata** or **Named Credentials** to ensure secure storage and restricted access. Public visibility of sensitive data can create security vulnerabilities and is strongly discouraged.
Reasoning
The FAQ contains solid security advice but has areas for improvement. I reordered the security points to prioritize authentication before encryption, as this follows a logical security hierarchy. The original order placed encryption second, but authentication is the foundational requirement for secure REST services. I also improved the clarity of the authentication point by removing redundant text ('Authentication and Authorization: Implement proper mechanisms') and making it more direct. The FAQ correctly advises against storing sensitive data in publicly visible custom metadata and appropriately recommends Protected Custom Metadata and Named Credentials as alternatives.

For the related security rules: ApexInsecureEndpoint directly relates to the FAQ's discussion of securing Apex REST Services for external integrations, as it identifies insecure endpoint configurations. ApexSuggestUsingNamedCred aligns with the FAQ's recommendation to 'use Named Credentials to ensure secure storage and restricted access' instead of storing sensitive data in custom metadata. The hardcoded credentials rules (AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign) relate to the FAQ's warning against storing 'sensitive data like secrets, tokens, or credentials' in custom metadata, as these rules help detect when such sensitive data might be hardcoded inappropriately.