FAQ-000774 - Error Handling and Logging Security / Managed Package Error Handling


Current FAQ

Question
What are the security best practices for custom error handling and logging in managed packages?
Answer
For custom error handling and logging in managed packages, here are the security best practices:

1. **Avoid Logging Sensitive Information**: Do not log user credentials, encryption keys, or personally identifiable information (PII).
2. **Use Enhanced Event Logs**: Capture agent session events using enhanced event logs instead of directly logging prompts or responses.
3. **Secure Log Access**: Ensure logs are accessible only to authorized personnel and stored securely.
4. **Validate and Sanitize Data**: Always validate and sanitize data before processing to prevent vulnerabilities like injection attacks.
5. **Meaningful Error Messages**: Provide error messages that are helpful to users but do not expose internal system details.
6. **Output Encoding**: Ensure error messages are appropriately output-encoded for the user interface framework in use.

These practices help protect sensitive data and maintain system security.
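
The following Apex controller is an added example, not part of the original FAQ or any Salesforce-provided code, showing points 1, 4 and 5 applied in one error path. The class name, method names and redaction patterns are assumptions chosen for illustration.

```apex
// Added example: AccountLookupController, findAccounts and redact are hypothetical names.
public with sharing class AccountLookupController {

    // Masks values that look like secrets or e-mail addresses before they reach a log.
    // The patterns are illustrative assumptions, not a complete PII filter.
    @TestVisible
    private static String redact(String raw) {
        if (raw == null) {
            return '';
        }
        String masked = raw.replaceAll(
            '(?i)(password|token|secret|key)\\s*[=:]\\s*\\S+', '$1=[REDACTED]');
        return masked.replaceAll('[\\w.+-]+@[\\w-]+\\.[\\w.-]+', '[EMAIL]');
    }

    @AuraEnabled
    public static List<Account> findAccounts(String nameFragment) {
        // Correlation id lets support match a user's report to the log entry.
        String errorId =
            EncodingUtil.convertToHex(Crypto.generateAesKey(128)).substring(0, 12);
        try {
            // Point 4: validate input, then bind it instead of concatenating into SOQL.
            if (String.isBlank(nameFragment) || nameFragment.length() > 80) {
                throw new IllegalArgumentException('nameFragment failed validation');
            }
            String likeValue = '%' + nameFragment + '%';
            return [SELECT Id, Name FROM Account
                    WHERE Name LIKE :likeValue WITH USER_MODE LIMIT 50];
        } catch (Exception e) {
            // Point 1: log the exception type and a redacted message,
            // never the raw input or record data.
            System.debug(LoggingLevel.ERROR, 'errorId=' + errorId
                + ' type=' + e.getTypeName() + ' msg=' + redact(e.getMessage()));
            // Point 5: the caller gets a generic message and the reference id,
            // with no stack trace, query text or object names.
            String userMessage = 'Request failed. Reference: ' + errorId;
            AuraHandledException safe = new AuraHandledException(userMessage);
            safe.setMessage(userMessage);
            throw safe;
        }
    }
}
```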

AI Recommended Enhancement

Related Security Rules
ApexSOQLInjection, ApexXSSFromEscapeFalse, ApexXSSFromURLParam, VfUnescapeEl, ProtectSensitiveData
Question
What are the security best practices for custom error handling and logging in managed packages?
Recommended Answer Update
For custom error handling and logging in managed packages, here are the security best practices:

1. **Avoid Logging Sensitive Information**: Don't log user credentials, encryption keys, or personally identifiable information (PII).
2. **Use Enhanced Event Logs**: Capture agent session events using enhanced event logs instead of directly logging prompts or responses.
3. **Secure Log Access**: Ensure logs are accessible only to authorized personnel and stored securely.
4. **Validate and Sanitize Data**: Always validate and sanitize data before processing to prevent vulnerabilities like injection attacks.
5. **Meaningful Error Messages**: Provide error messages that are helpful to users but don't expose internal system details.
6. **Output Encoding**: Ensure error messages are appropriately output-encoded for the user interface framework in use.

These practices help protect sensitive data and maintain system security.
Reasoning
The FAQ content is accurate and comprehensive, covering essential security practices for error handling and logging. I made minor wording improvements for clarity and a more conversational tone: changed 'Do not log' to 'Don't log' and 'do not expose' to 'don't expose' to follow the brand guidelines for using contractions. The security practices outlined align well with AppExchange security requirements.

The selected security rules are highly relevant to this FAQ's content:

- ApexSOQLInjection: Directly relates to point 4 about validating and sanitizing data to prevent injection attacks, as SOQL injection is a primary concern when handling user input in error scenarios.
- ApexXSSFromEscapeFalse and ApexXSSFromURLParam: Both relate to point 6 about output encoding error messages, as these rules detect XSS vulnerabilities from improperly escaped output and URL parameters respectively.
- VfUnescapeEl: Also connects to point 6 regarding output encoding, specifically for Visualforce pages where unescaped expressions can lead to XSS vulnerabilities in error message display.
- ProtectSensitiveData: Directly aligns with point 1 about avoiding logging sensitive information like credentials, encryption keys, and PII, which is exactly what this rule is designed to detect.
Reasoning References