FAQ-000467 - Custom Settings and Configuration Security / Package Development and Managed Package Considerations

Current Status:VALID_RESPONSEErrorUnable to AnswerSuggests Case

← Back to List View Prompt Template

Current FAQ

Question
How can I include custom settings and metadata definitions in my managed package for storing customer-specific secrets?
Answer
To include the definition of a Custom Setting in your package for storing customer-specific secrets, you should use a Protected Custom Setting. This ensures the secrets are securely stored and not accessible to unauthorized users or external packages. You will need to create a custom UI using Visualforce, Aura, or Lightning Web Components to allow subscribers to input and manage the secrets. The UI should pass the input to an Apex class within the managed package for secure storage. Additionally, ensure that permissions for accessing and updating the secrets are restricted to admin users only. To package custom metadata types and make them visible and editable in a subscriber org, you can use "Protected Custom Metadata." This ensures the metadata is secure and accessible only through the managed package's Apex code. If the subscriber needs to edit or update the metadata, you may need to create a custom UI using Visualforce, Aura, or LWC.

Enhancing FAQ with AI recommendations...

AI Recommended Enhancement

Related Security Rules (click to view)
AvoidHardcodedCredentialsInFieldDeclsAvoidHardcodedCredentialsInVarAssignAvoidHardcodedCredentialsInVarDeclsApexSuggestUsingNamedCredProtectSensitiveData
Question
How can I include custom settings and metadata definitions in my managed package for storing customer-specific secrets?
Recommended Answer Update
To include the definition of a Custom Setting in your package for storing customer-specific secrets, you should use a Protected Custom Setting. This ensures the secrets are securely stored and not accessible to unauthorized users or external packages. You'll need to create a custom UI using Visualforce, Aura, or Lightning Web Components to allow subscribers to input and manage the secrets. The UI should pass the input to an Apex class within the managed package for secure storage. Additionally, ensure that permissions for accessing and updating the secrets are restricted to admin users only. To package custom metadata types and make them visible and editable in a subscriber org, you can use "Protected Custom Metadata." This ensures the metadata is secure and accessible only through the managed package's Apex code. If the subscriber needs to edit or update the metadata, you may need to create a custom UI using Visualforce, Aura, or LWC.
Reasoning
The main improvements are stylistic to align with the conversational tone guidelines: changed 'You will need' to the more conversational 'You'll need' using contractions as specified in the writing style guide. The technical content is accurate and current - Protected Custom Settings and Protected Custom Metadata are the correct approaches for securely storing customer-specific secrets in managed packages. The security guidance about restricting permissions to admin users and creating secure custom UIs is sound. Regarding the security rules selected: - AvoidHardcodedCredentialsInFieldDecls: This FAQ discusses storing 'customer-specific secrets' which directly relates to credential management in field declarations - AvoidHardcodedCredentialsInVarAssign and AvoidHardcodedCredentialsInVarDecls: The FAQ mentions using 'an Apex class within the managed package for secure storage' which involves variable handling of credentials - ApexSuggestUsingNamedCred: While the FAQ focuses on Custom Settings, it's teaching about secure credential storage patterns which relates to this rule's guidance on proper credential management - ProtectSensitiveData: The FAQ explicitly discusses storing 'customer-specific secrets' and ensuring they're 'securely stored and not accessible to unauthorized users' which directly aligns with protecting sensitive data
Reasoning References