FAQ-000550 - Custom Settings and Configuration Security / Specific Use Cases and Implementation Patterns


Current FAQ

Question
What are the security best practices for storing potentially sensitive data in Custom Metadata Types?
Answer
Here are the security best practices for storing potentially sensitive data in Custom Metadata Types:

1. **Use Protected Custom Metadata Types**: Ensure sensitive data is not exposed by avoiding public visibility for fields containing sensitive information.
2. **Encrypt Sensitive Data**: Encrypt data before storing it, and store the encryption key separately in a protected custom setting or metadata field.
3. **Configure Permissions**: Properly configure permissions for fields with encrypted secrets to prevent unauthorized access.
4. **Avoid Encrypted Fields for Authentication**: Use named credentials or protected custom settings for authentication data instead of encrypted fields.
5. **Restrict Access**: Implement access controls to limit updates or modifications of sensitive data to specific profiles or permission sets.
6. **Use Apex Crypto for Encryption**: Use Apex Crypto calls for encryption and decryption, adhering to enterprise security standards.
7. **Prevent Sensitive Data in Logs**: Avoid writing sensitive data to debug logs or exposing it through the user interface.

These practices help protect sensitive data and ensure compliance with security standards.
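
One way to combine points 2, 6 and 7, shown as an added example that is not part of the original FAQ or any Salesforce sample code. The Custom Metadata Type `Integration_Secret__mdt`, the protected custom setting `Crypto_Key__c`, their fields and the class name are hypothetical and assumed to exist in the org.

```apex
// Added example: every object, field and class name here is hypothetical.
// Integration_Secret__mdt : protected Custom Metadata Type, Cipher_Text__c holds Base64 ciphertext
// Crypto_Key__c           : protected hierarchy custom setting, Key_B64__c holds a Base64 AES-256 key
public with sharing class SecretStore {

    public class SecretException extends Exception {}

    // The key is read from the protected custom setting, kept apart from the ciphertext.
    private static Blob loadKey() {
        Crypto_Key__c cfg = Crypto_Key__c.getOrgDefaults();
        if (cfg == null || String.isBlank(cfg.Key_B64__c)) {
            throw new SecretException('Encryption key is not configured');
        }
        return EncodingUtil.base64Decode(cfg.Key_B64__c);
    }

    // Encrypt a value before it is deployed into the metadata record.
    // encryptWithManagedIV generates a random IV and prepends it to the ciphertext.
    public static String protect(String clearText) {
        Blob cipher = Crypto.encryptWithManagedIV('AES256', loadKey(), Blob.valueOf(clearText));
        return EncodingUtil.base64Encode(cipher);
    }

    // Read the ciphertext for one record and decrypt it.
    public static String reveal(String developerName) {
        // SOQL is used so the full text of the field is returned.
        List<Integration_Secret__mdt> recs = [
            SELECT Cipher_Text__c FROM Integration_Secret__mdt
            WHERE DeveloperName = :developerName LIMIT 1
        ];
        if (recs.isEmpty() || String.isBlank(recs[0].Cipher_Text__c)) {
            throw new SecretException('No secret stored for ' + developerName);
        }
        Blob key = loadKey();
        try {
            Blob clear = Crypto.decryptWithManagedIV(
                'AES256', key, EncodingUtil.base64Decode(recs[0].Cipher_Text__c));
            return clear.toString();
        } catch (Exception e) {
            // Log the record name and exception type only: no key, ciphertext or plaintext.
            System.debug(LoggingLevel.ERROR,
                'Decrypt failed for ' + developerName + ': ' + e.getTypeName());
            throw new SecretException('Unable to decrypt secret');
        }
    }
}
```

Callers should likewise keep the value returned by `reveal` out of debug statements and UI fields.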

AI Recommended Enhancement

Related Security Rules

- ApexBadCrypto
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- ProtectSensitiveData

Question
What are the security best practices for storing potentially sensitive data in Custom Metadata Types?
Recommended Answer Update
Here are the security best practices for storing potentially sensitive data in Custom Metadata Types:

1. **Use Protected Custom Metadata Types**: Ensure sensitive data isn't exposed by avoiding public visibility for fields containing sensitive information.
2. **Encrypt Sensitive Data**: Encrypt data before storing it, and store the encryption key separately in a protected custom setting or metadata field.
3. **Configure Permissions**: Properly configure permissions for fields with encrypted secrets to prevent unauthorized access.
4. **Avoid Encrypted Fields for Authentication**: Use named credentials or protected custom settings for authentication data instead of encrypted fields.
5. **Restrict Access**: Implement access controls to limit updates or modifications of sensitive data to specific profiles or permission sets.
6. **Use Apex Crypto for Encryption**: Use Apex Crypto calls for encryption and decryption, following enterprise security standards.
7. **Prevent Sensitive Data in Logs**: Avoid writing sensitive data to debug logs or exposing it through the user interface.

These practices help protect sensitive data and ensure compliance with security standards.
Reasoning
The FAQ content is largely accurate and comprehensive, but needed minor improvements for clarity and tone. The main changes made were: (1) Changed 'are not exposed' to 'aren't exposed' for more conversational tone, (2) Changed 'adhering to' to 'following' for simpler language, and (3) Maintained all original content while making the language slightly more approachable per the brand guidelines.

For security rules selected: ApexBadCrypto relates to point 6 about using proper Apex Crypto calls for encryption/decryption. ApexSuggestUsingNamedCred directly relates to point 4 about using named credentials for authentication data instead of other storage methods. AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarAssign, and AvoidHardcodedCredentialsInVarDecls all relate to the overall guidance about not storing sensitive data in unsafe ways and the emphasis on proper encryption and secure storage practices mentioned throughout the FAQ. ProtectSensitiveData relates to the entire FAQ's focus on protecting sensitive data through encryption, proper storage, access controls, and preventing exposure in logs.