Is it secure to store API keys in a public Custom Setting?
Answer
No, it is not secure to store API keys in a public Custom Setting. Public Custom Settings are accessible and modifiable by the org admin and other packages or untrusted code within the subscriber org, which poses a security risk. It is recommended to use protected Custom Settings, protected Custom Metadata, or Named Credentials for secure storage of sensitive data like API keys.
Is it secure to store API keys in a public Custom Setting?
Recommended Answer Update
No, it's not secure to store API keys in a public Custom Setting. Public Custom Settings are accessible and modifiable by the org admin and other packages or untrusted code within the subscriber org, which poses a security risk. It's recommended to use protected Custom Settings, protected Custom Metadata, or Named Credentials for secure storage of sensitive data like API keys.
Reasoning
The original answer is technically accurate and comprehensive, but uses unnecessarily formal language that doesn't align with the conversational, direct tone outlined in the brand guidelines. The changes make the response more concise and natural while preserving all the original information and security guidance. Two security rules directly relate to this FAQ: ApexSuggestUsingNamedCred specifically addresses the recommendation to use Named Credentials for storing credentials (which the FAQ mentions as a secure alternative), and ProtectSensitiveData relates to the core concern of protecting sensitive information like API keys from unauthorized access. The FAQ's discussion of public Custom Settings being 'accessible and modifiable by the org admin and other packages or untrusted code' directly aligns with ProtectSensitiveData's purpose of preventing sensitive data exposure. The recommendation for 'Named Credentials' in the answer directly matches ApexSuggestUsingNamedCred's guidance to use Named Credentials instead of hardcoded credentials.