FAQ-000491 - Custom Settings and Configuration Security / Protected Custom Settings Security Requirements and Best Practices

Current Status:VALID_RESPONSEErrorUnable to AnswerSuggests Case

Question: What are the security requirements for storing keys in Protected Custom Settings?

Answer: The security requirements for storing keys in Protected Custom Settings include: 1. **Use Protected Custom Settings or Metadata**: Store keys in protected custom settings or protected custom metadata API fields to prevent unauthorized access. 2. **Separate Encryption Keys**: If encryption is used, store the encryption key separately in a protected custom setting or hidden custom metadata API field. 3. **Configure Permissions**: Ensure field permissions for encrypted secrets are set correctly to block unauthorized access. 4. **Use Apex Crypto for Encryption**: Rely on Apex Crypto calls for encryption instead of just using encrypted fields. 5. **Secure Management Code**: Since protected custom settings lack a built-in GUI, include secure application code to update these settings. 6. **Use the Transient Keyword**: Prevent sensitive data from being stored in the viewstate by using the `transient` keyword in code. These practices help ensure the confidentiality and integrity of sensitive data stored in Salesforce.

Enhancing FAQ...

Enhancing FAQ with AI recommendations...

Related Security Rules (click to view): ApexBadCrypto AvoidHardcodedCredentialsInFieldDecls AvoidHardcodedCredentialsInVarAssign AvoidHardcodedCredentialsInVarDecls ProtectSensitiveData ApexSuggestUsingNamedCred

Question: What are the security requirements for storing keys in Protected Custom Settings?

Recommended Answer Update: The security requirements for storing keys in Protected Custom Settings include: 1. **Use Protected Custom Settings or Metadata**: Store keys in protected custom settings or protected custom metadata API fields to prevent unauthorized access. 2. **Separate Encryption Keys**: If encryption is used, store the encryption key separately in a protected custom setting or hidden custom metadata API field. 3. **Configure Permissions**: Ensure field permissions for encrypted secrets are set correctly to block unauthorized access. 4. **Use Apex Crypto for Encryption**: Rely on Apex Crypto calls for encryption instead of just using encrypted fields. 5. **Secure Management Code**: Since protected custom settings lack a built-in GUI, include secure application code to update these settings. 6. **Use the Transient Keyword**: Prevent sensitive data from being stored in the viewstate by using the `transient` keyword in code. These practices help ensure the confidentiality and integrity of sensitive data stored in Salesforce.

Reasoning: The FAQ content is well-structured and accurate. No significant changes were needed as the content appropriately covers security requirements for protected custom settings. The related security rules were selected because they directly relate to the content discussed: ApexBadCrypto relates to point #4 about using Apex Crypto for encryption, AvoidHardcodedCredentialsInFieldDecls/VarAssign/VarDecls relate to points #1 and #2 about proper storage of keys and credentials rather than hardcoding them, ProtectSensitiveData relates to the overall theme of protecting sensitive information like keys, and ApexSuggestUsingNamedCred relates to the broader context of secure credential management. The FAQ explicitly discusses storing keys securely (points #1-2), proper encryption practices (#4), secure coding practices (#5-6), and permission configuration (#3), all of which align with these security rules' purposes.

Reasoning References

Current FAQ