Is it acceptable to store user-provided API credentials in custom metadata with 'Any user with Customize App permission' access?
Answer
No, it is not acceptable to store user-provided API credentials in custom metadata with "Any user with Customize App permission" access. Sensitive data, such as API credentials, must be stored securely using protected custom settings, protected custom metadata, or encrypted custom objects with the encryption key stored securely. This ensures that access is restricted and the data is not exposed to unauthorized users.
Recommended Answer Update
No, it's not acceptable to store user-provided API credentials in custom metadata with "Any user with Customize App permission" access. Sensitive data like API credentials must be stored securely using protected custom settings, protected custom metadata, or encrypted custom objects with proper encryption key management. This ensures access is restricted and the data isn't exposed to unauthorized users.
Reasoning
Made minor improvements to enhance clarity and readability while preserving all original content and meaning. Changed "it is not acceptable" to the more conversational "it's not acceptable" and simplified "such as API credentials" to "like API credentials" for better flow. The phrase "with the encryption key stored securely" was streamlined to "with proper encryption key management" to be more concise while maintaining the same meaning. These changes align with the conversational tone guidelines while keeping the technical accuracy intact.
For ApexSuggestUsingNamedCred: This rule is directly relevant because it suggests using Named Credentials for storing API credentials securely, which aligns perfectly with the FAQ's discussion about proper storage of "user-provided API credentials" and the security concerns around improper credential storage.
For ProtectSensitiveData: This rule is highly relevant as it focuses on protecting sensitive data from unauthorized access, which directly matches the FAQ's core message about ensuring "API credentials must be stored securely" and that "access is restricted and the data is not exposed to unauthorized users."
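The storage pattern the FAQ rejects, shown beside the Named Credential approach that the ApexSuggestUsingNamedCred rule points to. This is an added example, not code from the original page or from Salesforce; `Api_Config__mdt`, `Api_Key__c`, the `Default` record, the `Partner_API` Named Credential and the `/v1/status` path are hypothetical names.

```apex
// Added illustration. Api_Config__mdt, Api_Key__c, Partner_API and the
// /v1/status path are hypothetical names, not taken from the page.
public with sharing class PartnerApiClient {

    // WEAK: the key is stored in a custom metadata type with public
    // visibility, so any user with Customize App permission can read the
    // record, and the secret is handled as plain text in Apex.
    public static HttpResponse callWithMetadataKey() {
        Api_Config__mdt cfg = Api_Config__mdt.getInstance('Default');
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/v1/status');
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + cfg.Api_Key__c);
        return new Http().send(req);
    }

    // HARDENED: the endpoint and the secret are defined in a Named
    // Credential. Salesforce attaches the authentication when the callout
    // is sent, so this class never reads or concatenates the secret.
    public static HttpResponse callWithNamedCredential() {
        HttpRequest req = new HttpRequest();
        // 'callout:' resolves the Named Credential by its API name.
        req.setEndpoint('callout:Partner_API/v1/status');
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```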