FAQ-000496 - Custom Settings and Configuration Security / Protected Custom Settings Security Requirements and Best Practices

Current Status:VALID_RESPONSEErrorUnable to AnswerSuggests Case

← Back to List View Prompt Template

Current FAQ

Question
Is storing a default key or secret in a Protected Custom Setting a secure alternative to hardcoding it in Apex code?
Answer
Yes, storing a default key or secret in a Protected Custom Setting is a secure alternative to hardcoding it in Apex code. Protected Custom Settings help ensure that sensitive data is not exposed to unauthorized users or external packages. However, it's crucial to implement proper access controls and restrict the ability to update or retrieve these settings to authorized users or processes only.

Enhancing FAQ with AI recommendations...

AI Recommended Enhancement

Related Security Rules (click to view)
AvoidHardcodedCredentialsInFieldDeclsAvoidHardcodedCredentialsInVarDeclsAvoidHardcodedCredentialsInVarAssignApexSuggestUsingNamedCred
Question
Is storing a default key or secret in a Protected Custom Setting a secure alternative to hardcoding it in Apex code?
Recommended Answer Update
Yes, storing a default key or secret in a Protected Custom Setting is a secure alternative to hardcoding it in Apex code. Protected Custom Settings help ensure that sensitive data isn't exposed to unauthorized users or external packages. However, it's crucial to implement proper access controls and restrict the ability to update or retrieve these settings to authorized users or processes only. For even better security, consider using Named Credentials, which provide built-in encryption and centralized credential management for external system authentication.
Reasoning
The FAQ content is accurate and well-structured, addressing Protected Custom Settings as a secure alternative to hardcoding credentials. I made minimal improvements to enhance clarity: changed 'is not exposed' to 'isn't exposed' for a more conversational tone per the brand guidelines. I also added a brief recommendation for Named Credentials as an even more secure alternative, which aligns with the ApexSuggestUsingNamedCred rule's purpose of promoting better credential management practices. Regarding the selected security rules: 1. AvoidHardcodedCredentialsInFieldDecls - This rule directly relates to the FAQ's discussion of avoiding hardcoded credentials in Apex code, specifically field declarations. The FAQ explicitly mentions 'hardcoding it in Apex code' as the practice to avoid. 2. AvoidHardcodedCredentialsInVarDecls - This rule addresses hardcoded credentials in variable declarations, which is part of the 'hardcoding in Apex code' that the FAQ discusses as insecure. 3. AvoidHardcodedCredentialsInVarAssign - This rule covers hardcoded credentials in variable assignments, another aspect of the hardcoding practices the FAQ advises against. 4. ApexSuggestUsingNamedCred - This rule suggests using Named Credentials for secure credential management, which is a natural progression from the Protected Custom Settings approach discussed in the FAQ and provides additional context for best practices.
Reasoning References