FAQ-000494 - Custom Settings and Configuration Security / Protected Custom Settings Security Requirements and Best Practices

Yes, customer-provided API tokens should be encrypted before storing them in Protected Custom Settings. This ensures sensitive data is securely stored and protected from unauthorized access. However, consider using Named Credentials instead of Protected Custom Settings for storing API tokens, as Named Credentials provide better security and are the recommended approach for managing external authentication credentials. If you must use Protected Custom Settings, ensure you're using strong encryption algorithms and avoid storing encryption keys alongside the encrypted data.

The existing answer contains outdated security guidance that conflicts with modern Salesforce best practices. The main issue is that it recommends storing encryption keys in 'a separate protected custom setting or metadata,' which creates unnecessary security risks by keeping credentials within the Salesforce org's metadata. The updated answer addresses this by recommending Named Credentials as the preferred modern approach, while still acknowledging that Protected Custom Settings with proper encryption remain valid if needed. This aligns with the ApexSuggestUsingNamedCred rule which specifically recommends Named Credentials for credential management. The security rules selected are all relevant: ApexBadCrypto relates to the encryption requirement mentioned in the FAQ; ApexSuggestUsingNamedCred directly applies to the credential storage scenario described; and the three hardcoded credentials rules (AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign) all relate to the core topic of properly securing API tokens and credentials that the FAQ discusses.