FAQ-000761 - Dynamic Remote Site Settings Security / Admin-Only Access and Permissions


Current FAQ

Question
Can exceptions be made for creating Remote Site Settings if the functionality is restricted to System Administrators, and how should admin-only functionality be handled in security review?
Answer
No, exceptions cannot be made for creating Remote Site Settings, even if the functionality is restricted to System Administrators. This action is explicitly disallowed in the AppExchange Security Review and requires the use of a connected app for such changes. However, admin-only functionality involving dynamic remote site creation must follow strict security guidelines during the review process:

1. **Use Named Credentials**: Manage remote site settings securely with Named Credentials to avoid hardcoding sensitive information and ensure better access control.
2. **Document Thoroughly**: Provide detailed documentation and justification for any dynamic operations, including the use case and implemented security measures.
3. **Address Concerns**: If there are specific concerns or exceptions, include them in a detailed false positive document or raise a case for further clarification.

AI Recommended Enhancement

Related Security Rules
- ApexSuggestUsingNamedCred
- AvoidDisableProtocolSecurityRemoteSiteSetting
- AvoidInsecureHttpRemoteSiteSetting
Question
Can exceptions be made for creating Remote Site Settings if the functionality is restricted to System Administrators, and how should admin-only functionality be handled in security review?
Recommended Answer Update
No, exceptions cannot be made for creating Remote Site Settings, even if the functionality is restricted to System Administrators. This action is explicitly disallowed in the AppExchange Security Review and requires the use of a connected app for such changes. However, admin-only functionality involving dynamic remote site creation must follow strict security guidelines during the review process:

1. **Use Named Credentials**: Manage remote site settings securely with Named Credentials to avoid hardcoding sensitive information and ensure better access control.
2. **Document Thoroughly**: Provide detailed documentation and justification for any dynamic operations, including the use case and implemented security measures.
3. **Address Concerns**: If there are specific concerns or exceptions, include them in a detailed false positive document or raise a case for further clarification.
Reasoning
The FAQ content is accurate and well-structured, addressing the core question about Remote Site Settings exceptions clearly. No major changes were needed as the content already follows security best practices and provides actionable guidance. The three related security rules are directly relevant: ApexSuggestUsingNamedCred relates to the FAQ's recommendation to 'Use Named Credentials' for managing remote site settings securely, which is mentioned in point 1 of the answer. AvoidDisableProtocolSecurityRemoteSiteSetting and AvoidInsecureHttpRemoteSiteSetting both relate to the FAQ's discussion of Remote Site Settings security requirements and the need for strict security guidelines when dealing with dynamic remote site creation, as mentioned throughout the answer.
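
A pre-submission check for the conditions the three related rules are named after, as an added example that is not part of the FAQ and not the scanner's own implementation. It assumes the standard RemoteSiteSetting metadata fields `disableProtocolSecurity` and `url`, treats a hand-built `Authorization` header in Apex as the pattern Named Credentials replace, and runs on constructed samples; `Orders_API` and the example.com URLs are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: each rule is mapped to a condition by its name, not by the scanner's logic.
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Apex that sets an Authorization header itself instead of using a Named Credential.
AUTH_HEADER = re.compile(r"setHeader\(\s*'Authorization'", re.IGNORECASE)

def audit_remote_site(xml_text):
    """Return rule names triggered by one RemoteSiteSetting metadata file."""
    root = ET.fromstring(xml_text)
    def field(tag):
        el = root.find(f"md:{tag}", NS)
        return (el.text or "").strip() if el is not None else ""
    findings = []
    if field("disableProtocolSecurity").lower() == "true":
        findings.append("AvoidDisableProtocolSecurityRemoteSiteSetting")
    if urlparse(field("url")).scheme.lower() == "http":
        findings.append("AvoidInsecureHttpRemoteSiteSetting")
    return findings

def audit_apex(source):
    """Return (line number, rule name) for each hand-built Authorization header."""
    return [(n, "ApexSuggestUsingNamedCred")
            for n, line in enumerate(source.splitlines(), 1)
            if AUTH_HEADER.search(line)]

# Constructed sample inputs (not from a real package).
GOOD_SITE = """<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>false</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>https://api.example.com</url>
</RemoteSiteSetting>"""
BAD_SITE = """<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>true</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>http://api.example.com</url>
</RemoteSiteSetting>"""
APEX = """HttpRequest req = new HttpRequest();
req.setEndpoint('https://api.example.com/v1/orders');
req.setHeader('Authorization', 'Bearer ' + token);
HttpRequest viaNc = new HttpRequest();
viaNc.setEndpoint('callout:Orders_API/v1/orders');"""

if __name__ == "__main__":
    print(audit_remote_site(GOOD_SITE))
    print(audit_remote_site(BAD_SITE))
    print(audit_apex(APEX))
```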