FAQ-000524 - Custom Settings and Configuration Security / Public Custom Settings and Metadata Security Concerns

While protected custom metadata within namespaced packages offers some isolation for storing SFTP secrets, **Named Credentials are the recommended approach** for secure credential storage. Named Credentials provide enterprise-grade security features including encryption at rest, secure authentication flows, and centralized credential management. If you must use protected custom metadata: - Ensure the metadata is truly protected and namespace-isolated - Implement proper access controls to prevent unauthorized retrieval - Never hardcode secrets directly in code or expose them in logs - Consider additional encryption for sensitive values However, evaluate whether Named Credentials or other Salesforce-native credential management solutions better meet your security requirements.

The original answer was too permissive without clearly highlighting the superior security option. The recommended update preserves all original points about protected custom metadata being acceptable when implemented correctly, while leading with the security best practice of using Named Credentials. This aligns with the ApexSuggestUsingNamedCred rule which specifically suggests using Named Credentials instead of hardcoded credentials. The update maintains the same structure and length while improving security guidance clarity. Regarding the selected security rules: - **ApexSuggestUsingNamedCred**: Directly relates to the FAQ's discussion of storing SFTP secrets, as this rule suggests using Named Credentials instead of hardcoded credentials, which applies to the credential storage scenario described. - **AvoidHardcodedCredentialsInFieldDecls**: Relevant because storing SFTP secrets in custom metadata fields could involve hardcoded credentials in field declarations, which this rule flags. - **AvoidHardcodedCredentialsInVarDecls**: Applies to the FAQ content about securely storing SFTP secrets, as developers might declare variables with hardcoded credentials when working with custom metadata. - **AvoidHardcodedCredentialsInVarAssign**: Related to the FAQ's credential storage discussion, as this rule catches hardcoded credential assignments which could occur when retrieving/setting SFTP secrets from custom metadata. - **ProtectSensitiveData**: Directly applicable since SFTP secrets are sensitive data that need protection, matching the FAQ's focus on secure storage of credentials.