Is storing credentials in a public Custom Metadata Type acceptable if access is controlled by a permission?
Answer
Storing credentials in a public Custom Metadata Type is not acceptable, even if access is controlled by a permission. Public Custom Metadata Types are accessible and modifiable by the org admin and other packages or untrusted code within the subscriber org. It is recommended to use Protected Custom Metadata, Protected Custom Settings, or Named Credentials for secure storage of credentials.
Recommended Answer Update
Storing credentials in a public Custom Metadata Type isn't acceptable, even with permission controls. Public Custom Metadata Types are accessible and modifiable by org admins and other packages or untrusted code within the subscriber org. Instead, use Protected Custom Metadata, Protected Custom Settings, or Named Credentials for secure credential storage.
Reasoning
The original FAQ content is accurate and secure but could be more concise and conversational, in line with the brand guidelines. The recommended update improves clarity by using contractions ('isn't' instead of 'is not'), eliminates unnecessary verbosity ('It is recommended to' becomes 'Instead,'), and maintains a more direct tone while preserving all the original security guidance. The security rule ApexSuggestUsingNamedCred directly relates to this FAQ because it identifies patterns where developers might be storing credentials insecurely and suggests using Named Credentials instead. The FAQ specifically mentions Named Credentials as a recommended secure alternative, which aligns with what this rule promotes: moving away from insecure credential storage patterns to the more secure Named Credentials approach.
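The contrast described above, as an added example that is not part of the original FAQ or of any Salesforce-provided code. The class name, the `Api_Config__mdt` type with its `Endpoint__c`, `Username__c` and `Password__c` fields, and the `Invoice_Api` record and Named Credential are hypothetical names chosen for illustration.

```apex
public with sharing class InvoiceApiClient {

    // BEFORE: credentials kept in a public Custom Metadata Type.
    // Api_Config__mdt and its fields are hypothetical. Because the type is
    // public, any Apex in the subscriber org (including other packages) can
    // make the same getInstance() call, and admins can read or edit the record.
    public static HttpResponse fetchInvoiceInsecure(String invoiceId) {
        Api_Config__mdt cfg = Api_Config__mdt.getInstance('Invoice_Api');
        String basic = EncodingUtil.base64Encode(
            Blob.valueOf(cfg.Username__c + ':' + cfg.Password__c));

        HttpRequest req = new HttpRequest();
        req.setEndpoint(cfg.Endpoint__c + '/invoices/'
            + EncodingUtil.urlEncode(invoiceId, 'UTF-8'));
        req.setMethod('GET');
        // Authorization header assembled in Apex from stored credentials:
        // the credential-handling pattern the FAQ ties to ApexSuggestUsingNamedCred.
        req.setHeader('Authorization', 'Basic ' + basic);
        return new Http().send(req);
    }

    // AFTER: endpoint and credentials live in a Named Credential
    // (hypothetical name Invoice_Api). The platform attaches authentication
    // to the callout, so the secret is never read into Apex variables.
    public static HttpResponse fetchInvoice(String invoiceId) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Invoice_Api/invoices/'
            + EncodingUtil.urlEncode(invoiceId, 'UTF-8'));
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```

In the second method there is no credential field for other code in the org to query, which is the property the public Custom Metadata Type cannot provide regardless of permission assignments.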