Is it secure to store customer-specific secrets in a protected custom object, as opposed to a custom setting or metadata type?
Answer
Storing customer-specific secrets in a protected custom object is not the most secure practice. Instead, it's recommended to use **protected custom settings** or **protected custom metadata types**, as they are specifically designed to handle sensitive data securely.
If you must use a custom object:
- Ensure the secrets are encrypted.
- Store the encryption key separately in a protected custom setting or metadata field.
- Configure proper permissions to restrict access to these fields.
This approach helps maintain security and compliance. Let me know if you need further guidance!
Is it secure to store customer-specific secrets in a protected custom object, as opposed to a custom setting or metadata type?
Recommended Answer Update
Storing customer-specific secrets in a protected custom object isn't the most secure practice. Instead, use **protected custom settings** or **protected custom metadata types**, as they're designed to handle sensitive data securely.
If you must use a custom object:
- Ensure the secrets are encrypted
- Store the encryption key separately in a protected custom setting or metadata field
- Configure proper permissions to restrict access to these fields
This approach helps maintain security and compliance. Let me know if you need further guidance!
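The encrypt-then-store pattern that both answers describe, as an added Apex example (not code from the original answers). It assumes a hypothetical protected hierarchy custom setting `Secret_Key_Config__c` with a text field `AES_Key__c` holding a base64-encoded 256-bit AES key, and a hypothetical custom object `Customer_Secret__c` with fields `Customer_Id__c` and `Encrypted_Value__c` (long text area); the key never appears in code or in the record that holds the ciphertext.

```apex
// Added example, not from the original answers. Assumed schema: protected
// hierarchy custom setting Secret_Key_Config__c.AES_Key__c (base64 AES-256 key)
// and custom object Customer_Secret__c (Customer_Id__c, Encrypted_Value__c).
public with sharing class CustomerSecretService {

    private static final String ALGO = 'AES256';

    // The key lives only in the protected custom setting, which subscriber-org
    // users cannot read; no hard-coded key or IV (the ApexBadCrypto pattern).
    private static Blob loadKey() {
        Secret_Key_Config__c cfg = Secret_Key_Config__c.getOrgDefaults();
        if (cfg == null || String.isBlank(cfg.AES_Key__c)) {
            throw new SecretException('Encryption key is not configured');
        }
        Blob key = EncodingUtil.base64Decode(cfg.AES_Key__c);
        if (key.size() != 32) { // AES256 needs exactly a 256-bit key
            throw new SecretException('Configured key is not 256 bits');
        }
        return key;
    }

    // One-time setup: generate a random key and keep it in the protected setting.
    public static void installKey() {
        Secret_Key_Config__c cfg = Secret_Key_Config__c.getOrgDefaults();
        if (String.isNotBlank(cfg.AES_Key__c)) return; // never silently replace a key
        cfg.AES_Key__c = EncodingUtil.base64Encode(Crypto.generateAesKey(256));
        upsert cfg;
    }

    // Encrypt with a fresh random IV per call (the managed IV is prepended to
    // the ciphertext), then store only the ciphertext on the custom object.
    public static Customer_Secret__c storeSecret(String customerId, String plaintext) {
        Blob cipher = Crypto.encryptWithManagedIV(ALGO, loadKey(), Blob.valueOf(plaintext));
        Customer_Secret__c rec = new Customer_Secret__c(
            Customer_Id__c = customerId,
            Encrypted_Value__c = EncodingUtil.base64Encode(cipher));
        // Enforce CRUD/FLS before writing (ProtectSensitiveData).
        SObjectAccessDecision d = Security.stripInaccessible(
            AccessType.CREATABLE, new List<Customer_Secret__c>{ rec });
        insert d.getRecords();
        return (Customer_Secret__c) d.getRecords()[0];
    }

    // Read back with object/field security enforced, then decrypt in memory only.
    public static String readSecret(Id recordId) {
        Customer_Secret__c rec = [SELECT Encrypted_Value__c FROM Customer_Secret__c
                                  WHERE Id = :recordId WITH SECURITY_ENFORCED];
        Blob clear = Crypto.decryptWithManagedIV(
            ALGO, loadKey(), EncodingUtil.base64Decode(rec.Encrypted_Value__c));
        return clear.toString();
    }

    public class SecretException extends Exception {}
}
```

Because the key is a separate protected setting, rotating it means re-encrypting every `Customer_Secret__c` row; a plain `Encrypted_Value__c` field also stays out of reports and list views only if field-level security is restricted as the answers recommend.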
Reasoning
The original answer was well-structured but contained some unnecessary formality that could be streamlined for better conversational tone. Changes made: (1) Changed 'is not the most secure practice' to 'isn't the most secure practice' to use contractions and be more conversational, (2) Changed 'they are specifically designed' to 'they're designed' for conciseness and conversational tone. The technical content remains accurate and complete.
Related security rules selected:
- ApexBadCrypto relates to the encryption recommendation for secrets storage.
- ApexSuggestUsingNamedCred relates to secure credential management alternatives.
- AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, and AvoidHardcodedCredentialsInVarAssign all relate to the core issue of storing sensitive credentials/secrets securely rather than in hardcoded or less secure ways.
- ProtectSensitiveData directly relates to the overall topic of protecting customer-specific secrets and sensitive data storage practices.