FAQ-000483 - Custom Settings and Configuration Security / Post-Installation Configuration and Customer Setup


Current FAQ

Question
How should developers implement setup pages that allow users to update protected custom metadata securely?
Answer
To securely implement setup pages that allow users to update protected custom metadata, developers should follow these best practices:

1. **Secure Access Control**: Use a REST API endpoint restricted to specific profiles or permission sets, ensuring only authorized users can make changes.
2. **Apex Class Design**: Ensure the Apex class handling updates is thoroughly vetted and designed solely for updating the protected custom metadata without unintended actions.
3. **Transient Keyword**: Use the `transient` keyword in your code to prevent sensitive data from being stored in the view state.
4. **Encryption**: If encryption is needed, store the encryption key in a protected custom setting or a hidden custom metadata field. Configure permissions correctly for these fields.
5. **Restrict Access**: Limit access to the setup page and related functionality to admin users or users with specific permissions to prevent unauthorized access.
6. **Documentation**: Provide clear documentation for administrators on how to manage updates securely, and include this in the package submission.

By following these steps, you can ensure secure handling of protected custom metadata in your setup pages.

AI Recommended Enhancement

Related Security Rules
ApexCRUDViolation, ApexSharingViolations, ApexCSRF, ApexBadCrypto, AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign, VfCsrf
Question
How should developers implement setup pages that allow users to update protected custom metadata securely?
Recommended Answer Update
To securely implement setup pages that allow users to update protected custom metadata, developers should follow these best practices:

1. **Secure Access Control**: Use a REST API endpoint restricted to specific profiles or permission sets, ensuring only authorized users can make changes.
2. **Apex Class Design**: Ensure the Apex class handling updates is thoroughly vetted and designed solely for updating the protected custom metadata without unintended actions.
3. **View State Protection**: Use the `transient` keyword in your code to prevent sensitive data from being stored in the view state.
4. **Secure Key Management**: If encryption is needed, store the encryption key in a protected custom setting or a hidden custom metadata field. Configure permissions correctly for these fields and avoid hardcoding credentials directly in your code.
5. **Restrict Access**: Limit access to the setup page and related functionality to admin users or users with specific permissions to prevent unauthorized access.
6. **Documentation**: Provide clear documentation for administrators on how to manage updates securely, and include this in the package submission.

By following these steps, you can ensure secure handling of protected custom metadata in your setup pages.
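A sketch of how points 2, 3 and 5 can fit together in a Visualforce setup controller, added here as an illustration and not taken from the FAQ or from any Salesforce sample. The class name, the custom permission `Manage_Integration_Setup`, the metadata type `Integration_Config__mdt`, its record `Default` and its field `Api_Key__c` are all hypothetical; in a managed package the type and field names would carry the namespace prefix.

```apex
// Added illustration; every class, permission, type and field name is hypothetical.
public with sharing class SetupController {
    // transient: the submitted secret is never serialized into the view state
    public transient String apiKey { get; set; }
    public String status { get; private set; }

    private static final String PERMISSION = 'Manage_Integration_Setup';

    public PageReference save() {
        // Server-side gate: restricting who can open the page is not enough alone
        if (!FeatureManagement.checkPermission(PERMISSION)) {
            status = 'Insufficient privileges.';
            return null;
        }
        if (String.isBlank(apiKey)) {
            status = 'A value is required.';
            return null;
        }
        // Single purpose: the type, record and field are fixed in code, so
        // nothing in the request can redirect the write to other metadata.
        Metadata.CustomMetadata record = new Metadata.CustomMetadata();
        record.fullName = 'Integration_Config.Default';
        record.label = 'Default';

        Metadata.CustomMetadataValue field = new Metadata.CustomMetadataValue();
        field.field = 'Api_Key__c';
        field.value = apiKey;
        record.values.add(field);

        Metadata.DeployContainer container = new Metadata.DeployContainer();
        container.addMetadata(record);
        Metadata.Operations.enqueueDeployment(container, new SetupDeployCallback());

        apiKey = null; // do not echo the secret back to the page
        status = 'Update queued.';
        return null;
    }

    public class SetupDeployCallback implements Metadata.DeployCallback {
        public void handleResult(Metadata.DeployResult result,
                                 Metadata.DeployCallbackContext context) {
            // Log the outcome only, never the submitted value
            System.debug(LoggingLevel.INFO, 'Setup deploy status: ' + result.status);
        }
    }
}
```

The deployment is asynchronous, so the page can only report that the update was queued; the callback is where success or failure becomes known.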
Reasoning
The changes made improve clarity and align with security best practices:

1. Changed 'Transient Keyword' to 'View State Protection' for clearer understanding of the security purpose
2. Enhanced the encryption guidance to explicitly mention avoiding hardcoded credentials, which is a critical security practice

Regarding security rules selected:

- **ApexCRUDViolation**: Relates to the FAQ's discussion of updating protected custom metadata, as this rule detects missing CRUD/FLS checks when accessing Salesforce data
- **ApexSharingViolations**: Applies to the access control aspects mentioned in the FAQ, as this rule identifies sharing violations in Apex classes
- **ApexCSRF**: Relevant to the setup page implementation mentioned in the FAQ, as this rule detects CSRF vulnerabilities in web-facing Apex
- **ApexBadCrypto**: Directly relates to the encryption guidance in point 4 of the FAQ answer
- **AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign**: All relate to the encryption key storage guidance in point 4, as the FAQ discusses storing encryption keys securely
- **VfCsrf**: Applies to the setup page implementation if using Visualforce, complementing the CSRF protection needs