FAQ-000525 - Custom Settings and Configuration Security / Public Custom Settings and Metadata Security Concerns


Current FAQ

Question
Can I store OAuth client credentials (client ID and client secret) in custom metadata that's only accessible to administrators?
Answer
It is not recommended to store OAuth client credentials (client ID and client secret) in custom metadata, even if it is only accessible to administrators. Instead, you should use protected custom settings or protected custom metadata for secure storage. Protected custom settings are preferred as they provide better security for sensitive data. If you choose to use protected custom metadata, ensure it is implemented correctly to maintain security.

AI Recommended Enhancement

Related Security Rules
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- ProtectSensitiveData
Question
Can I store OAuth client credentials (client ID and client secret) in custom metadata that's only accessible to administrators?
Recommended Answer Update
It's not recommended to store OAuth client credentials (client ID and client secret) in custom metadata, even if it's only accessible to administrators. Instead, you should use Named Credentials as the preferred approach for secure credential storage. Named Credentials provide the highest level of security by encrypting sensitive data and managing authentication flows automatically. If Named Credentials aren't suitable for your use case, protected custom settings can be used as an alternative, as they provide better security for sensitive data than regular custom metadata. If you choose to use protected custom metadata, ensure it's implemented correctly to maintain security.
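The two storage options the answer contrasts, as an added Apex illustration that is not part of the original FAQ: a hardcoded secret (left commented out, the pattern the AvoidHardcodedCredentials rules flag), a callout through a Named Credential, and the protected-custom-setting fallback. ExampleNamedCredential, the OAuthConfig__c setting with its Client_Id__c and Client_Secret__c fields, and the token endpoint are assumed names.

```apex
public with sharing class OAuthClientExample {

    // Flagged by AvoidHardcodedCredentialsInFieldDecls: a secret in source is
    // readable by anyone with metadata access and lives on in version control.
    // private static final String CLIENT_SECRET = 'REPLACE-ME'; // anti-pattern, for contrast only

    // Preferred: a Named Credential. The platform stores the client ID and
    // secret encrypted, adds the Authorization header and refreshes tokens,
    // so this Apex code never touches the secret at all.
    public static HttpResponse getResource() {
        HttpRequest req = new HttpRequest();
        // The 'callout:' prefix resolves the Named Credential's URL and auth
        // (ExampleNamedCredential is an assumed name).
        req.setEndpoint('callout:ExampleNamedCredential/api/v1/resource');
        req.setMethod('GET');
        return new Http().send(req);
    }

    // Fallback when a Named Credential does not fit: a protected custom
    // setting. Inside a managed package only code in the package namespace
    // can read it, so subscribers cannot view the secret through UI or API.
    public static HttpResponse getTokenWithProtectedSetting() {
        // OAuthConfig__c is an assumed hierarchy custom setting marked Protected.
        OAuthConfig__c cfg = OAuthConfig__c.getOrgDefaults();
        if (cfg == null || String.isBlank(cfg.Client_Secret__c)) {
            throw new CalloutException('OAuth configuration is missing');
        }
        HttpRequest req = new HttpRequest();
        // Assumed token endpoint; it must also be allowed in Remote Site Settings.
        req.setEndpoint('https://idp.example.com/oauth/token');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('grant_type=client_credentials'
            + '&client_id=' + EncodingUtil.urlEncode(cfg.Client_Id__c, 'UTF-8')
            + '&client_secret=' + EncodingUtil.urlEncode(cfg.Client_Secret__c, 'UTF-8'));
        return new Http().send(req);
    }
}
```

Note that in the fallback the secret still passes through Apex heap and debug logs, which is the exposure the Named Credential path avoids entirely.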
Reasoning
The original answer recommended protected custom settings as the preferred approach, which is outdated guidance. The ApexSuggestUsingNamedCred rule specifically recommends Named Credentials as the best practice for storing authentication credentials like OAuth client secrets. The updated answer now leads with Named Credentials as the preferred approach, which aligns with Salesforce's current security recommendations. I also improved the clarity by explaining why Named Credentials are superior (encryption and automatic authentication flow management). The structure and completeness of the answer remain the same, with all original points preserved but reordered to reflect current best practices.

Regarding the selected security rules:
- ApexSuggestUsingNamedCred: This rule directly applies because the FAQ discusses storing OAuth client credentials, and this rule specifically suggests using Named Credentials for such authentication scenarios.
- AvoidHardcodedCredentialsInFieldDecls: Relevant because the FAQ addresses credential storage approaches and this rule warns against hardcoding credentials in field declarations, reinforcing why proper storage mechanisms are important.
- AvoidHardcodedCredentialsInVarAssign: Applies to the broader context of credential security that the FAQ addresses, as it warns against hardcoding credentials in variable assignments.
- AvoidHardcodedCredentialsInVarDecls: Related to the FAQ's discussion of secure credential storage by warning against hardcoding credentials in variable declarations.
- ProtectSensitiveData: Directly relevant as OAuth client secrets are sensitive data that need protection, which is the core concern addressed in this FAQ.