FAQ-000513 - Custom Settings and Configuration Security / Public Custom Settings and Metadata Security Concerns

Yes, storing external API credentials in **public custom settings** is a security vulnerability. Public custom settings are accessible and modifiable by the org admin and other packages or untrusted code within the subscriber org. To mitigate this risk, use **protected custom settings** or **protected custom metadata**. These options securely store sensitive data like API credentials and prevent unauthorized access. For the most secure approach, consider using **Named Credentials**, which provide built-in credential management and eliminate the need to store credentials in your code or custom settings entirely.

The FAQ content is accurate and well-structured, but it can be improved by mentioning Named Credentials as the most secure best practice for API credential management. This addition enhances the answer without removing any existing information. The current content correctly identifies the security vulnerability of public custom settings and provides appropriate mitigation strategies with protected settings. Adding Named Credentials as a recommendation aligns with modern Salesforce security best practices. Regarding the selected security rules: - ApexSuggestUsingNamedCred: This rule directly relates to the FAQ's discussion of storing API credentials, as it suggests using Named Credentials instead of hardcoding credentials - AvoidHardcodedCredentialsInFieldDecls: Relates to the FAQ's warning about storing credentials in custom settings (field declarations) - AvoidHardcodedCredentialsInVarAssign: Connected to the broader topic of avoiding credential storage in code/settings - AvoidHardcodedCredentialsInVarDecls: Also relates to avoiding credential storage in variable declarations - ProtectSensitiveData: Directly applicable as API credentials are sensitive data that need protection, which is the core topic of this FAQ