FAQ-000789 - External Content and Iframe Security / External Service Integration Security


Current FAQ

Question
What security considerations apply to external services consumed by Salesforce applications?
Answer
When consuming external services in Salesforce applications, the following security considerations apply:

**Data Transfer and Authentication:**
- Test external endpoints to ensure secure data transfer and authentication processes
- Ensure secure transfer of Salesforce credentials and data
- Store sensitive information, such as secrets, securely (e.g., in protected custom metadata)

**Security Scanning and Documentation:**
- Use automated security scanning tools to identify vulnerabilities and document any false positives
- Include security scan reports with explanations for any false positives
- Provide detailed user documentation and your company's information security policies

**Access and Permissions:**
- Obtain necessary permissions for testing external endpoints and follow Salesforce's guidelines for allowed IP addresses and domains
- Provide access to all environments, packages, and external components your solution uses, including external web applications or services, client or mobile applications, and all Apex and Visualforce included in your solution

**Security Implementation:**
- Properly implement Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) checks
- Escape tainted inputs to prevent vulnerabilities like cross-site scripting (XSS)
- Ensure your submission is a Managed—Released package, as unmanaged or beta packages are not accepted

These practices help ensure secure integration with external services and compliance with AppExchange Security Review requirements.

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInHttpHeader
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- ApexCRUDViolation
- ApexXSSFromEscapeFalse
- ApexXSSFromURLParam
Question
What security considerations apply to external services consumed by Salesforce applications?
Recommended Answer Update
When consuming external services in Salesforce applications, the following security considerations apply:

**Data Transfer and Authentication:**
- Test external endpoints to ensure secure data transfer and authentication processes
- Ensure secure transfer of Salesforce credentials and data
- Store sensitive information, such as secrets, securely (e.g., in protected custom metadata or Named Credentials)

**Security Scanning and Documentation:**
- Use automated security scanning tools to identify vulnerabilities and document any false positives
- Include security scan reports with explanations for any false positives
- Provide detailed user documentation and your company's information security policies

**Access and Permissions:**
- Obtain necessary permissions for testing external endpoints and follow Salesforce's guidelines for allowed IP addresses and domains
- Provide access to all environments, packages, and external components your solution uses, including external web applications or services, client or mobile applications, and all Apex and Visualforce included in your solution

**Security Implementation:**
- Properly implement Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) checks
- Escape tainted inputs to prevent vulnerabilities like cross-site scripting (XSS)
- Ensure your submission is a Managed—Released package, as unmanaged or beta packages are not accepted

These practices help ensure secure integration with external services and compliance with AppExchange Security Review requirements.
Reasoning
The main improvement needed is adding 'Named Credentials' as a secure storage option alongside protected custom metadata. Named Credentials are Salesforce's recommended approach for securely storing external service credentials, and this aligns with the ApexSuggestUsingNamedCred rule, which specifically recommends using Named Credentials for external service authentication.

The security rules selected relate directly to the FAQ content as follows:
- ApexInsecureEndpoint: Relates to the FAQ's emphasis on testing external endpoints for secure data transfer
- ApexSuggestUsingNamedCred: Directly applies to the FAQ's guidance on storing sensitive information securely; Named Credentials are the recommended approach
- AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInHttpHeader, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInVarDecls: All relate to the FAQ's guidance on secure storage of sensitive information and credentials
- AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting: Apply to the FAQ's guidance on secure data transfer with external services
- ApexCRUDViolation: Directly matches the FAQ's mention of implementing CRUD checks
- ApexXSSFromEscapeFalse and ApexXSSFromURLParam: Relate to the FAQ's guidance on escaping tainted inputs to prevent XSS vulnerabilities
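The credential-storage, CRUD/FLS and input-escaping points from the Recommended Answer and the Reasoning above, carried into one Apex class. This is an added example, not code from the FAQ, from Salesforce, or from the scanning rules it names: the Named Credential API name `External_Service`, the callout path and query parameter, the payload keys, and the `AccessException` class are all assumptions for illustration. The commented-out lines show the shape of code the hardcoded-credential and insecure-endpoint rules flag; the live code shows the form a review expects.

```apex
// Added example (not FAQ or Salesforce code). Named Credential "External_Service",
// the callout path, and the payload keys are assumed for illustration.
public with sharing class ExternalServiceClient {

    public class AccessException extends Exception {}

    // Weak form the review flags (AvoidHardcodedCredentials*, ApexInsecureEndpoint):
    //   private static final String API_KEY = '<hardcoded-secret>';     // secret in a field decl
    //   req.setHeader('Authorization', 'Bearer ' + API_KEY);            // secret in an HTTP header
    //   req.setEndpoint('http://api.example.com/v1/accounts');          // plain-HTTP endpoint
    //
    // Corrected form: the platform injects the credential stored on the Named Credential
    // and the Named Credential's URL carries the scheme, so no secret lives in code.
    private static final String NAMED_CRED = 'External_Service'; // assumed API name

    public static HttpResponse fetchAccounts(String query) {
        HttpRequest req = new HttpRequest();
        // "callout:<NamedCredential>/<path>" resolves the endpoint and auth at runtime.
        // The caller-supplied query is URL-encoded so it cannot alter the path or params.
        req.setEndpoint('callout:' + NAMED_CRED + '/v1/accounts?q='
            + EncodingUtil.urlEncode(query, 'UTF-8'));
        req.setMethod('GET');
        req.setTimeout(10000); // fail closed on a hung external service
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            throw new CalloutException('External service returned ' + res.getStatusCode());
        }
        return res;
    }

    // CRUD/FLS (ApexCRUDViolation): check object-level create access explicitly, then let
    // stripInaccessible remove any field the running user is not permitted to write.
    public static List<Account> saveAccounts(List<Map<String, Object>> payload) {
        if (!Schema.sObjectType.Account.isCreateable()) {
            throw new AccessException('Running user cannot create Account records');
        }
        List<Account> toInsert = new List<Account>();
        for (Map<String, Object> item : payload) {
            toInsert.add(new Account(
                Name = (String) item.get('name'),       // assumed payload key
                Website = (String) item.get('website')  // assumed payload key
            ));
        }
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.CREATABLE, toInsert);
        // Stripped fields are a reviewable event, not something to ignore silently.
        System.debug(LoggingLevel.INFO,
            'Fields removed by FLS: ' + decision.getRemovedFields());
        List<Account> safe = decision.getRecords();
        insert safe; // "with sharing" keeps record-level sharing rules in force
        return safe;
    }

    // Tainted input (ApexXSSFromURLParam, ApexXSSFromEscapeFalse): a value from the external
    // response or a URL parameter is escaped before it is concatenated into markup, which is
    // what escape="false" on an output component would otherwise skip.
    public static String renderName(String externalName) {
        String safeName = externalName == null ? '' : externalName.escapeHtml4();
        return '<span class="ext">' + safeName + '</span>';
    }
}
```

The Remote Site Setting rules in the list (AvoidInsecureHttpRemoteSiteSetting, AvoidDisableProtocolSecurityRemoteSiteSetting) are not exercised here because a Named Credential callout carries its own endpoint configuration; they apply to the `http://` URL and disabled-protocol-security flag of a Remote Site Setting used with a plain `setEndpoint` call.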