FAQ-000493 - Custom Settings and Configuration Security / Protected Custom Settings Security Requirements and Best Practices

To avoid "Insecure Storage of Sensitive Data" violations with protected custom metadata records: 1. Store sensitive data in protected custom metadata fields with visibility set to "Protected." 2. Apply encryption to sensitive data and securely store the encryption key in a protected custom setting or another protected custom metadata field. 3. Ensure permissions for these fields are correctly configured. 4. Follow secure coding practices, such as using Apex Crypto calls for encryption and avoiding plain text storage of sensitive data.

I made a minor phrasing improvement by removing "API" from "protected custom metadata API fields" as this could be confusing - the visibility setting applies to the fields themselves, not specifically API fields. The term "protected custom metadata fields" is clearer and more accurate. All other content remains unchanged as it accurately reflects security best practices. The selected security rules relate to this FAQ because: ProtectSensitiveData directly addresses the core concern of preventing insecure storage of sensitive data that this FAQ is teaching about. ApexBadCrypto relates to the FAQ's recommendation to "use Apex Crypto calls for encryption" - this rule helps detect weak cryptographic practices. AvoidHardcodedCredentialsInFieldDecls relates to the FAQ's guidance about "avoiding plain text storage of sensitive data" and proper storage of encryption keys, as this rule detects hardcoded credentials in field declarations which would violate the secure storage practices described.