FAQ-000471 - Custom Settings and Configuration Security / Package Development and Managed Package Considerations

Current Status: VALID_RESPONSE

Current FAQ

Question
What is the secure and recommended way to programmatically create Remote Site Settings during package installation or setup?
Answer
Prefer not to create a Remote Site Setting at all: use Named Credentials. A Named Credential declares the endpoint and its authentication once, outside the code, and Apex reaches it as callout:Credential_Name/path; callouts made through a Named Credential need no Remote Site Setting, and the platform stores the secret and performs the TLS handshake and certificate validation. Define the Named Credential URL with the https scheme so that connections are made via HTTPS and comply with required certificate and SSL configuration standards, without the package hard-coding hosts or credentials. If a Remote Site Setting must still be created programmatically (for example from a post-install script that calls the Metadata API, since Apex cannot create one with DML), treat the URL as security-sensitive input: avoid specifying arbitrary servers or schemes, take the host from a fixed value or an allowlist rather than an installer-supplied string, always enforce the scheme as HTTPS, and leave disableProtocolSecurity false, because setting it to true lets the site be reached over unencrypted HTTP.
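The following Python is an added example, not code from this FAQ or from Salesforce. It shows the checks a post-install or setup routine should apply to a candidate endpoint before it creates a Remote Site Setting (https scheme, no credentials embedded in the URL, host taken from an allowlist, which is an assumption of this example), emits the RemoteSiteSetting metadata XML with disableProtocolSecurity kept false, and audits an existing RemoteSiteSetting document for the two patterns behind the AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting rules listed under Related Security Rules. The audit approximates those rules and is not their implementation; the sample metadata is constructed.

```python
"""Added example (not from the FAQ or from Salesforce): endpoint validation
before a Remote Site Setting is created, generation of the RemoteSiteSetting
metadata XML, and an audit for the two insecure patterns."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace used by Salesforce Metadata API XML documents.
MD_NS = "http://soap.sforce.com/2006/04/metadata"
ET.register_namespace("", MD_NS)  # serialize it as the default namespace


class InsecureEndpointError(ValueError):
    """Raised when a candidate endpoint fails the security checks."""


def validate_endpoint(url: str, allowed_hosts: frozenset) -> str:
    """Return the normalized https origin (scheme, host, optional non-443 port)
    to store in a Remote Site Setting, or raise InsecureEndpointError.

    The allowlist is an assumption of this example: an installer should not
    accept an arbitrary server name from its input."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        raise InsecureEndpointError(f"scheme must be https, got {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # Also rejects "https://trusted.example@evil.example", where the text
        # before "@" is user info and the real host is the attacker's.
        raise InsecureEndpointError("credentials embedded in the URL are not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise InsecureEndpointError("URL has no host")
    if host not in allowed_hosts:
        raise InsecureEndpointError(f"host {host!r} is not on the allowlist")
    port = parts.port  # raises ValueError when the port is not numeric
    origin = f"https://{host}"
    if port is not None and port != 443:
        origin += f":{port}"
    return origin


def endpoint_is_acceptable(url: str, allowed_hosts: frozenset) -> bool:
    """Boolean wrapper for callers that do not need the rejection reason."""
    try:
        validate_endpoint(url, allowed_hosts)
    except ValueError:  # InsecureEndpointError is a ValueError subclass
        return False
    return True


def build_remote_site_xml(url: str, allowed_hosts: frozenset, active: bool = True) -> str:
    """Build the RemoteSiteSetting metadata document for a validated endpoint.
    disableProtocolSecurity is always written as false: the package never
    relaxes the HTTPS requirement."""
    origin = validate_endpoint(url, allowed_hosts)
    root = ET.Element(f"{{{MD_NS}}}RemoteSiteSetting")
    ET.SubElement(root, f"{{{MD_NS}}}disableProtocolSecurity").text = "false"
    ET.SubElement(root, f"{{{MD_NS}}}isActive").text = "true" if active else "false"
    ET.SubElement(root, f"{{{MD_NS}}}url").text = origin
    return ET.tostring(root, encoding="unicode")


def audit_remote_site_xml(xml_text: str) -> list:
    """Return findings for one RemoteSiteSetting document. The checks
    approximate AvoidInsecureHttpRemoteSiteSetting and
    AvoidDisableProtocolSecurityRemoteSiteSetting; they are not those rules'
    implementation."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    url = (root.findtext(f"{{{MD_NS}}}url") or "").strip()
    if urlsplit(url).scheme.lower() != "https":
        findings.append(f"AvoidInsecureHttpRemoteSiteSetting: url={url or '<missing>'}")
    flag = (root.findtext(f"{{{MD_NS}}}disableProtocolSecurity") or "false").strip().lower()
    if flag == "true":
        findings.append("AvoidDisableProtocolSecurityRemoteSiteSetting: disableProtocolSecurity=true")
    return findings


# Constructed sample of an insecure setting as it might ship in a package.
INSECURE_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>true</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>http://api.example.com</url>
</RemoteSiteSetting>
"""

if __name__ == "__main__":
    allowed = frozenset({"api.example.com"})
    print(build_remote_site_xml("https://API.Example.com/v1/", allowed))
    print(audit_remote_site_xml(INSECURE_SAMPLE))
    print(endpoint_is_acceptable("http://api.example.com", allowed))
```

The origin returned by validate_endpoint, not the raw installer input, is what a post-install script would hand to the Metadata API; a path in the input is dropped because a Remote Site Setting matches on scheme, host and port. Run the same audit over every remoteSiteSettings/*.remoteSite-meta.xml file in the package source before submission, which catches the http scheme and the disableProtocolSecurity flag in metadata that no Apex code ever touches.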

AI Recommended Enhancement

Related Security Rules: ApexSuggestUsingNamedCred, AvoidInsecureHttpRemoteSiteSetting, AvoidDisableProtocolSecurityRemoteSiteSetting
Recommended Answer Update
Unchanged from the current answer above.
Reasoning
The current FAQ answer is already well-aligned with security best practices and doesn't require significant changes. The content correctly recommends Named Credentials as the secure approach, emphasizes HTTPS enforcement, and mentions avoiding arbitrary servers. The answer is clear, concise, and accurate.

Regarding the security rules selected:

1. **ApexSuggestUsingNamedCred**: This rule directly relates to the FAQ's core recommendation of using Named Credentials. The FAQ states 'use Named Credentials' as the secure approach, which aligns with this rule's purpose of suggesting Named Credentials over hardcoded endpoints.
2. **AvoidInsecureHttpRemoteSiteSetting**: This rule relates to the FAQ's guidance about enforcing HTTPS. The FAQ explicitly states 'always enforce the scheme as HTTPS' and 'connections are made via HTTPS', which directly addresses the security concern this rule targets.
3. **AvoidDisableProtocolSecurityRemoteSiteSetting**: This rule connects to the FAQ's emphasis on SSL configuration standards and HTTPS enforcement. The FAQ mentions 'comply with required certificate and SSL configuration standards', which relates to maintaining proper protocol security settings.