FAQ-000554 - Custom Settings and Configuration Security / Specific Use Cases and Implementation Patterns

Current Status:VALID_RESPONSEErrorUnable to AnswerSuggests Case

← Back to List View Prompt Template

Current FAQ

Question
Are there alternatives to editable custom metadata for storing customer-specific configuration?
Answer
Yes, there are alternatives to editable custom metadata for storing customer-specific configuration: 1. **Protected Custom Settings**: These securely store sensitive data and can be accessed programmatically. However, they lack a built-in GUI for management, so you may need to create a custom UI for updates. 2. **Named Credentials**: Ideal for storing locally generated or per-org secrets. While administrators can view the data, they are suitable for non-sensitive configurations. 3. **Encrypted Custom Objects**: You can encrypt sensitive data and store it in custom objects, with the encryption key stored separately in protected custom settings or metadata. This requires careful permission management and encryption using Apex Crypto calls. Choose the option that best fits your use case, considering performance, security, and deployment needs.

Enhancing FAQ with AI recommendations...

AI Recommended Enhancement

Related Security Rules (click to view)
ApexBadCryptoApexSuggestUsingNamedCredAvoidHardcodedCredentialsInFieldDeclsAvoidHardcodedCredentialsInVarAssignAvoidHardcodedCredentialsInVarDecls
Question
Are there alternatives to editable custom metadata for storing customer-specific configuration?
Recommended Answer Update
Yes, there are alternatives to editable custom metadata for storing customer-specific configuration: 1. **Protected Custom Settings**: These securely store sensitive data and can be accessed programmatically. However, they lack a built-in GUI for management, so you may need to create a custom UI for updates. 2. **Named Credentials**: Ideal for storing authentication credentials and external system connection details. While administrators can view the data, they're suitable for non-sensitive configurations and provide better security than hardcoded credentials. 3. **Encrypted Custom Objects**: You can encrypt sensitive data and store it in custom objects, with the encryption key stored separately in protected custom settings or metadata. This requires careful permission management and proper encryption using Apex Crypto classes with strong algorithms. Choose the option that best fits your use case, considering performance, security, and deployment needs.
Reasoning
I made several targeted improvements to enhance clarity and security guidance: 1. Clarified Named Credentials description from 'locally generated or per-org secrets' to 'authentication credentials and external system connection details' to better reflect their primary purpose and added emphasis on their advantage over hardcoded credentials. 2. Enhanced the encryption guidance by changing 'Apex Crypto calls' to 'Apex Crypto classes with strong algorithms' to emphasize the importance of using proper cryptographic methods. These changes improve security awareness while preserving all original points and structure. For the selected security rules: - **ApexBadCrypto**: Directly relates to the FAQ's discussion of 'encryption using Apex Crypto calls' in option 3, ensuring developers use strong cryptographic algorithms - **ApexSuggestUsingNamedCred**: Connects to the FAQ's recommendation of Named Credentials as an alternative, promoting this secure credential storage pattern - **AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls**: All relate to the FAQ's discussion of storing 'customer-specific configuration' and the Named Credentials alternative, which helps avoid hardcoded credential violations across different code contexts
Reasoning References