FAQ-000777 - External Authentication and Integration Security / API Integration Authentication

Current Status: VALID_RESPONSE / Error / Unable to Answer / Suggests Case

Current FAQ

Question
What are the security best practices for implementing external API authentication in applications and managed packages?
Answer
For secure external API authentication in applications and managed packages, follow these comprehensive best practices:

1. **Use OAuth**: OAuth is the preferred and recommended method for third-party integrations with Salesforce. It ensures least privilege permissions, allowing the app to access only the data and actions explicitly authorized by the user.
2. **Secure Storage**: Store authentication data (e.g., API keys, tokens) in protected custom metadata, custom settings, or named credentials. Avoid public storage and encrypt data using AES-128 or higher encryption. Store encryption keys securely and separately.
3. **Prevent Credential Exposure**:
   - Avoid storing API keys or credentials in client-side applications
   - Do not hardcode sensitive information like API keys in your codebase
   - Ensure secrets are not written to logs or exposed in debug statements
   - Protect debug logs from exposing sensitive information such as API credentials or tokens
4. **Secure Data Transmission**: All endpoints must use HTTPS to secure data transmission and meet SSL/TLS configuration requirements. Ensure proper certificate and SSL configurations.
5. **Access Controls and Permissions**:
   - Implement proper flow execution context, CRUD, field-level security (FLS), and record-level access checks
   - Apply the principle of least privilege by defining OAuth scopes that only request necessary permissions
   - Use permission sets to validate user permissions and restrict access to sensitive operations or data
6. **User Verification**: For sensitive operations, enforce user verification methods like one-time passwords or private user-identifiable attributes to confirm identity.
7. **Input/Output Security**: Implement input validation and output encoding to prevent injection attacks and other vulnerabilities. Ensure dynamic resources are securely loaded and do not result in unintended dynamic content.
8. **Leverage Vendor Libraries**: Use vendor-provided libraries for encryption and authentication instead of creating custom cryptography.
9. **Authentication and Authorization**: Authenticate all requests, especially those involving privileged actions or sensitive data.
10. **Comprehensive Testing**: Test the entire solution, including external endpoints, to ensure compliance with security guidelines.
11. **Documentation and Compliance**: Document and disclose the permissions and sensitive data your application processes to ensure transparency and compliance. Provide clear documentation for the authentication process.
12. **Regular Reviews**: Periodically review and update your implementation to address new vulnerabilities or best practices.

By following these principles, you can implement secure custom authentication approaches for multi-endpoint API integrations and connector applications.

AI Recommended Enhancement

Related Security Rules

- ApexBadCrypto
- ApexCRUDViolation
- ApexSharingViolations
- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting

Question
What are the security best practices for implementing external API authentication in applications and managed packages?
Recommended Answer Update
For secure external API authentication in applications and managed packages, follow these comprehensive best practices:

1. **Use OAuth**: OAuth is the preferred and recommended method for third-party integrations with Salesforce. It ensures least privilege permissions, allowing the app to access only the data and actions explicitly authorized by the user.
2. **Secure Storage**: Store authentication data (e.g., API keys, tokens) in protected custom metadata, custom settings, or named credentials. Avoid public storage and encrypt data using strong encryption (avoid weak algorithms like DES). Store encryption keys securely and separately.
3. **Prevent Credential Exposure**:
   - Avoid storing API keys or credentials in client-side applications
   - Don't hardcode sensitive information like API keys in your codebase
   - Ensure secrets aren't written to logs or exposed in debug statements
   - Protect debug logs from exposing sensitive information such as API credentials or tokens
4. **Secure Data Transmission**: All endpoints must use HTTPS to secure data transmission and meet SSL/TLS configuration requirements. Ensure proper certificate and SSL configurations.
5. **Access Controls and Permissions**:
   - Implement proper flow execution context, CRUD, field-level security (FLS), and record-level access checks
   - Apply the principle of least privilege by defining OAuth scopes that only request necessary permissions
   - Use permission sets to validate user permissions and restrict access to sensitive operations or data
6. **User Verification**: For sensitive operations, enforce user verification methods like one-time passwords or private user-identifiable attributes to confirm identity.
7. **Input/Output Security**: Implement input validation and output encoding to prevent injection attacks and other vulnerabilities. Ensure dynamic resources are securely loaded and don't result in unintended dynamic content.
8. **Leverage Vendor Libraries**: Use vendor-provided libraries for encryption and authentication instead of creating custom cryptography.
9. **Authentication and Authorization**: Authenticate all requests, especially those involving privileged actions or sensitive data.
10. **Comprehensive Testing**: Test the entire solution, including external endpoints, to ensure compliance with security guidelines.
11. **Documentation and Compliance**: Document and disclose the permissions and sensitive data your application processes to ensure transparency and compliance. Provide clear documentation for the authentication process.
12. **Regular Reviews**: Periodically review and update your implementation to address new vulnerabilities or best practices.

By following these principles, you can implement secure custom authentication approaches for multi-endpoint API integrations and connector applications.
Reasoning
The FAQ provides solid security guidance but contained one outdated cryptographic reference that needed updating. The original text mentioned 'AES-128 or higher encryption' which was refined to 'strong encryption (avoid weak algorithms like DES)' to align with current security scanner rules that flag weak cryptographic algorithms.

All related security rules were selected based on their direct relevance to the technical content:

- ApexBadCrypto relates to the encryption guidance and avoiding weak cryptographic algorithms;
- ApexCRUDViolation and ApexSharingViolations relate to the access controls and permissions section covering CRUD and FLS checks;
- ApexInsecureEndpoint relates to the HTTPS/secure transmission requirements;
- ApexSuggestUsingNamedCred directly supports the named credentials storage recommendation;
- the AvoidHardcodedCredentials* rules (FieldDecls, HttpHeader, VarAssign, VarDecls) all relate to the credential exposure prevention guidance about not hardcoding sensitive information;
- AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting relate to the secure data transmission requirements for HTTPS endpoints and proper SSL/TLS configurations.
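
The storage, transmission, logging and access-control items above can be seen together in one Apex callout. This is an added example, not code from the FAQ or from Salesforce; the class `OrderSyncService`, the exception `SyncException`, the Named Credential `Example_Orders_API` and the host `api.example.com` are hypothetical, and the Named Credential is assumed to be defined in Setup with an HTTPS URL and OAuth.

```apex
// Added example: all class, credential and host names are hypothetical.
public with sharing class OrderSyncService {   // "with sharing" enforces record-level access
    public class SyncException extends Exception {}

    // BEFORE: what the hardcoded-credential and insecure-endpoint guidance warns about.
    public static HttpRequest buildInsecureRequest() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.example.com/v1/orders');          // plain HTTP
        req.setHeader('Authorization', 'Bearer PLACEHOLDER_TOKEN');   // secret in source
        req.setMethod('POST');
        return req;
    }

    // AFTER: the Named Credential (assumed to be defined in Setup with an HTTPS URL
    // and OAuth) supplies the endpoint and the Authorization header at callout time.
    public static HttpRequest buildRequest(String body) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Example_Orders_API/v1/orders');
        req.setHeader('Content-Type', 'application/json');
        req.setMethod('POST');
        req.setBody(body);
        return req;
    }

    public static Integer pushAccounts() {
        // CRUD check on the object before querying.
        if (!Schema.sObjectType.Account.isAccessible()) {
            throw new SyncException('Running user cannot read Account');
        }
        List<Account> rows = [SELECT Id, Name, Phone FROM Account LIMIT 50];
        // FLS: drop fields the running user is not allowed to read.
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, rows);
        HttpResponse res = new Http().send(buildRequest(JSON.serialize(decision.getRecords())));
        // Log the status only; never the headers, token or response body.
        System.debug(LoggingLevel.INFO, 'Order sync status: ' + res.getStatusCode());
        if (res.getStatusCode() >= 400) {
            throw new SyncException('Order sync failed with status ' + res.getStatusCode());
        }
        return res.getStatusCode();
    }
}
```

Because the secret lives in the Named Credential rather than in the package source, it does not appear in the codebase or in debug logs, and rotating it requires no code change.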