FAQ-000515 - Custom Settings and Configuration Security / Public Custom Settings and Metadata Security Concerns

Current Status: VALID_RESPONSE

Current FAQ

Question
Is it acceptable to store sensitive data like Client IDs and Secrets in Custom Metadata if only admins can access them?
Answer
Yes, it is acceptable to store sensitive data like Client IDs and Secrets in **Custom Metadata** if they are protected and only accessible by admins. However, it is recommended to use **protected custom settings** or **protected custom metadata** for added security and to adhere to enterprise security standards.

AI Recommended Enhancement

Related Security Rules
ProtectSensitiveData, ApexSuggestUsingNamedCred
Question
Is it acceptable to store sensitive data like Client IDs and Secrets in Custom Metadata if only admins can access them?
Recommended Answer Update
No, storing sensitive data like Client IDs and Secrets in **Custom Metadata** isn't acceptable, even if only admins can access them. Regular Custom Metadata is visible to all users through the Salesforce API and isn't designed for sensitive data storage. For sensitive credentials like Client IDs and Secrets, use **Named Credentials** instead. Named Credentials are specifically designed for secure credential storage and automatically handle authentication without exposing secrets in your code. If Named Credentials aren't suitable for your use case, consider **Protected Custom Settings** as an alternative - they restrict access and aren't visible through standard APIs.
Reasoning
The original FAQ contains a significant security misconception that contradicts Salesforce security best practices. The answer incorrectly states it's "acceptable" to store sensitive data in Custom Metadata if only admins can access them. This is problematic because:

1. **Security Issue**: Custom Metadata is accessible through Salesforce APIs and isn't designed for sensitive data storage, creating potential exposure risks.
2. **Best Practice Violation**: The answer doesn't emphasize Named Credentials as the primary recommendation for storing Client IDs and Secrets, which is the Salesforce-recommended approach.
3. **Misleading Guidance**: The phrasing suggests Custom Metadata is an acceptable primary option when it should be discouraged for sensitive credentials.

The updated answer corrects these issues by clearly stating that Custom Metadata isn't acceptable for sensitive data, leading with Named Credentials as the proper solution, and positioning Protected Custom Settings as a secondary alternative only when Named Credentials aren't suitable.

Regarding the selected security rules:

- **ProtectSensitiveData**: This rule is directly relevant because the FAQ discusses storage of sensitive data (Client IDs and Secrets). The rule focuses on protecting sensitive information, and the FAQ's guidance on where to store credentials falls squarely within this rule's scope of ensuring sensitive data is properly protected.
- **ApexSuggestUsingNamedCred**: This rule specifically suggests using Named Credentials for managing authentication credentials. The FAQ discusses storing "Client IDs and Secrets" which are exactly the type of authentication credentials that this rule addresses. The rule's purpose of promoting Named Credentials usage directly applies to the FAQ's subject matter of credential storage.
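
The following Apex class is an added example, not part of the original FAQ or any Salesforce-provided code. It puts the discouraged pattern (a secret read from a Custom Metadata record and placed in the request by hand) beside a callout through a Named Credential. The names `Payments_Config__mdt`, its fields, the `Payments_API` Named Credential and the URL paths are hypothetical.

```apex
// Added example. Payments_Config__mdt, its fields, the Named Credential
// "Payments_API" and the URL paths are hypothetical names.
public with sharing class PaymentsClient {

    public class PaymentsException extends Exception {}

    // Discouraged: the secret is stored in a Custom Metadata record, loaded
    // into Apex memory, and assembled into the request body by hand. Any code
    // path or user that can read the record can read the secret.
    public static HttpResponse tokenFromCustomMetadata() {
        Payments_Config__mdt cfg = Payments_Config__mdt.getInstance('Default');
        HttpRequest req = new HttpRequest();
        req.setEndpoint(cfg.Token_Url__c);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('grant_type=client_credentials'
            + '&client_id=' + EncodingUtil.urlEncode(cfg.Client_Id__c, 'UTF-8')
            + '&client_secret=' + EncodingUtil.urlEncode(cfg.Client_Secret__c, 'UTF-8'));
        return new Http().send(req);
    }

    // Preferred: the endpoint URL and authentication settings are configured
    // on the Named Credential in Setup. The code references it by name with
    // the "callout:" prefix and never handles the Client ID or Secret.
    public static HttpResponse chargesViaNamedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Payments_API/v1/charges');
        req.setMethod('GET');
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() >= 400) {
            // Report only the status code; do not echo request contents.
            throw new PaymentsException('Payments_API returned HTTP ' + res.getStatusCode());
        }
        return res;
    }
}
```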