FAQ-000514 - Custom Settings and Configuration Security / Public Custom Settings and Metadata Security Concerns


Current FAQ

Question
Is storing bearer tokens in custom settings considered a security vulnerability?
Answer
Yes, storing bearer tokens in **public custom settings** is considered a security vulnerability. Bearer tokens are sensitive authentication data and must be stored securely. To ensure security:

- Use **protected custom settings**, **protected custom metadata**, or **named credentials** for storing bearer tokens.
- If using custom objects, encrypt the tokens and store the encryption key in a protected custom setting or hidden custom metadata field.
- Enforce proper permissions to secure access.
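The following Apex class is an added illustration of the answer above (and of the identical recommended answer further down); it is not code from the FAQ. It contrasts the insecure pattern, a token read from a public custom setting and pasted into an `Authorization` header, with the two fixes the answer names: a named credential, and AES encryption with the key held in a protected custom setting. All object, field and credential names are assumptions: `Integration_Config__c`/`Token__c`, `Integration_Key__c`/`Key__c` and the named credential `Partner_API`.

```apex
// Assumed names (not from the FAQ): Integration_Config__c is a PUBLIC hierarchy
// custom setting with a Token__c text field; Integration_Key__c is a PROTECTED
// hierarchy custom setting whose Key__c field holds a base64 AES-256 key;
// Partner_API is a named credential that carries the bearer token itself.
public with sharing class PartnerTokenExample {

    // BEFORE: the token lives in a public custom setting. Anyone who can read the
    // setting (including subscribers of a managed package) can read the token, and
    // concatenating it into the header makes it visible in debug logs too.
    public static HttpRequest insecureRequest() {
        String token = Integration_Config__c.getOrgDefaults().Token__c;
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.invalid/v1/data');
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + token);
        return req;
    }

    // AFTER (preferred): a named credential. The platform stores the secret and
    // adds the Authorization header; the token never appears in Apex or in logs.
    public static HttpRequest namedCredentialRequest() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/v1/data');
        req.setMethod('GET');
        return req;
    }

    // AFTER (fallback when a custom object must hold the token): encrypt the token
    // with AES-256 and keep the key only in the protected custom setting, so a
    // record that leaks is ciphertext without its key. Key__c is seeded once, out
    // of band, with EncodingUtil.base64Encode(Crypto.generateAesKey(256)).
    private static Blob aesKey() {
        String b64Key = Integration_Key__c.getOrgDefaults().Key__c;
        return EncodingUtil.base64Decode(b64Key);
    }

    // Returns the base64 ciphertext (random IV prepended by the platform) to
    // store in the custom object instead of the plaintext token.
    public static String encryptToken(String plainToken) {
        Blob cipher = Crypto.encryptWithManagedIV('AES256', aesKey(), Blob.valueOf(plainToken));
        return EncodingUtil.base64Encode(cipher);
    }

    // Decrypts just-in-time, inside the callout code path, never into a field.
    public static String decryptToken(String storedCipherText) {
        Blob plain = Crypto.decryptWithManagedIV('AES256', aesKey(),
                                                 EncodingUtil.base64Decode(storedCipherText));
        return plain.toString();
    }
}
```

Even with the fallback, the custom object and the protected setting still need field-level and object permissions restricted to the integration user, which is the answer's third point.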


AI Recommended Enhancement

Related Security Rules

- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- ProtectSensitiveData
Question
Is storing bearer tokens in custom settings considered a security vulnerability?
Recommended Answer Update
Yes, storing bearer tokens in **public custom settings** is considered a security vulnerability. Bearer tokens are sensitive authentication data and must be stored securely. To ensure security:

- Use **protected custom settings**, **protected custom metadata**, or **named credentials** for storing bearer tokens
- If using custom objects, encrypt the tokens and store the encryption key in a protected custom setting or hidden custom metadata field
- Enforce proper permissions to secure access
Reasoning
The original answer is accurate and comprehensive but contains minor punctuation inconsistencies. I removed the periods after each bullet point to maintain consistent formatting throughout the bulleted list, as the first bullet point ends without a period while the others had periods. This creates a cleaner, more professional appearance while preserving all the existing security guidance.

Regarding security rules selection:

- **ApexSuggestUsingNamedCred**: This rule directly relates to the FAQ's recommendation to use named credentials for storing bearer tokens, which is the primary secure storage method mentioned.
- **AvoidHardcodedCredentialsInFieldDecls**: Relates to the FAQ's concern about storing bearer tokens in custom settings fields, as this rule prevents hardcoding credentials in field declarations.
- **AvoidHardcodedCredentialsInVarAssign**: Connects to the broader concept of secure credential storage that the FAQ addresses, preventing credentials from being assigned to variables insecurely.
- **AvoidHardcodedCredentialsInVarDecls**: Similar to the above, this relates to the FAQ's guidance on avoiding insecure credential storage practices.
- **ProtectSensitiveData**: Directly applies to the FAQ's core message that "bearer tokens are sensitive authentication data and must be stored securely"; this rule encompasses the overall protection of sensitive information like bearer tokens.