FAQ-000568 - Custom Settings and Configuration Security / Uncategorized

Protected custom settings should be used instead of encrypted custom object fields when you need to securely store sensitive data, like authentication credentials, in a way that prevents direct access through the user interface or API. They're ideal for managing secrets such as client IDs, client secrets, or encryption keys because they lack built-in GUI interfaces and require custom code for updates, ensuring controlled access. Encrypted custom object fields, while secure, aren't recommended for storing authentication data unless the encryption key is stored separately in a protected custom setting or named credential.

The main improvement needed is making the language more conversational and direct following the brand and tone guidelines. Changed 'are not' to 'aren't' to use contractions, and improved the flow to be more natural and readable. The technical content is accurate and aligns with security best practices. I selected these security rules because they directly relate to the FAQ's content about secure credential storage: 1. ApexSuggestUsingNamedCred - The FAQ discusses storing authentication credentials and mentions named credentials as a secure alternative to encrypted custom object fields, which directly relates to this rule's purpose of suggesting named credentials for external authentication. 2. AvoidHardcodedCredentialsInFieldDecls - The FAQ discusses proper storage of "client IDs, client secrets, or encryption keys" in protected custom settings instead of less secure alternatives, which relates to this rule's focus on avoiding hardcoded credentials in field declarations. 3. AvoidHardcodedCredentialsInVarDecls - Similar to above, the FAQ's guidance on secure credential storage in protected custom settings relates to avoiding hardcoded credentials in variable declarations. 4. AvoidHardcodedCredentialsInVarAssign - The FAQ's recommendation to use protected custom settings for "authentication credentials" relates to this rule's focus on avoiding hardcoded credentials in variable assignments. 5. ProtectSensitiveData - The FAQ's entire focus is on protecting "sensitive data, like authentication credentials" through proper storage mechanisms, which directly aligns with this rule's purpose of protecting sensitive information.