FAQ-000791 - External Content and Iframe Security / Iframe Authentication and Secure Data Passing


Current FAQ

Question
How can I implement authenticated iframes without passing sensitive data in URLs?
Answer
To implement authenticated iframes without passing sensitive data in URLs:

**Secure Storage and Authentication:**
- Store sensitive information securely in protected custom metadata or settings instead of transmitting it through URLs or including it in the iframe's source URL
- Use OAuth tokens or securely stored session IDs within the application to authenticate the iframe content
- Implement session-based authentication or secure cookies to manage access

**Secure Communication:**
- Ensure all communication between the iframe and the parent application occurs over secure channels like HTTPS
- Use server-side authentication mechanisms to validate the iframe's content
- Implement server-side validation to ensure proper authentication and authorization

**Token-Based Approaches:**
- Use a secure token-based approach by generating a short-lived, signed token on the server side containing the necessary authentication details
- Pass the token to the iframe through a secure mechanism, such as a POST request or by embedding it securely in the iframe's content
- Use custom HTTP headers to pass authentication tokens or session information instead of the URL

**Security Controls:**
- Use Content Security Policy (CSP) headers to restrict the iframe's behavior and prevent unauthorized access
- Ensure the iframe's source application enforces proper authentication and authorization checks
- Validate and sanitize all user inputs
- Use short-lived tokens and rotate them frequently to minimize the risk of misuse
- Implement HttpOnly and Secure cookies for session management

**Best Practices:**
- Ensure the iframe's source and any third-party endpoints comply with HTTPS and meet security standards
- Ensure the application hosted within the iframe adheres to security best practices
- Implement a strong CSP to prevent unauthorized access or embedding of your iframe on malicious sites

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- ApexCSRF
- AvoidHardcodedCredentialsInHttpHeader
- ApexSuggestUsingNamedCred
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
Question
How can I implement authenticated iframes without passing sensitive data in URLs?
Recommended Answer Update
To implement authenticated iframes without passing sensitive data in URLs:

**Secure Storage and Authentication:**
- Store sensitive information securely in protected custom metadata or settings instead of transmitting it through URLs or including it in the iframe's source URL
- Use OAuth tokens or securely stored session IDs within the application to authenticate the iframe content
- Implement session-based authentication or secure cookies to manage access

**Secure Communication:**
- Ensure all communication between the iframe and the parent application occurs over secure channels using HTTPS
- Use server-side authentication mechanisms to validate the iframe's content
- Implement server-side validation to ensure proper authentication and authorization

**Token-Based Approaches:**
- Use a secure token-based approach by generating a short-lived, signed token on the server side containing the necessary authentication details
- Pass the token to the iframe through a secure mechanism, such as a POST request or by embedding it securely in the iframe's content
- Use custom HTTP headers to pass authentication tokens or session information instead of the URL

**Security Controls:**
- Use Content Security Policy (CSP) headers to restrict the iframe's behavior and prevent unauthorized access
- Ensure the iframe's source application enforces proper authentication and authorization checks
- Validate and sanitize all user inputs
- Use short-lived tokens and rotate them frequently to minimize the risk of misuse
- Implement HttpOnly and Secure cookies for session management

**Best Practices:**
- Ensure the iframe's source and any third-party endpoints use HTTPS and meet security standards
- Ensure the application hosted within the iframe adheres to security best practices
- Implement a strong CSP to prevent unauthorized access or embedding of your iframe on malicious sites

- Category: External Content and Iframe Security
- Subcategory: Iframe Authentication and Secure Data Passing
Reasoning
The FAQ is well-structured and comprehensive, covering the essential aspects of secure iframe authentication. I made one minor clarification change: replaced 'comply with HTTPS' with 'use HTTPS' for better clarity and directness, following the brand guidelines to be more conversational and clear.

For security rules selection:

1. **ApexInsecureEndpoint** - Directly relates to the FAQ's emphasis on 'Ensure all communication between the iframe and the parent application occurs over secure channels using HTTPS' and 'Ensure the iframe's source and any third-party endpoints use HTTPS and meet security standards'. This rule detects insecure HTTP endpoints.
2. **ApexCSRF** - Relates to the FAQ's discussion of 'Use server-side authentication mechanisms to validate the iframe's content' and 'Implement server-side validation to ensure proper authentication and authorization'. CSRF protection is crucial for iframe security.
3. **AvoidHardcodedCredentialsInHttpHeader** - Directly connects to the FAQ's guidance on 'Use custom HTTP headers to pass authentication tokens or session information instead of the URL' and the emphasis on avoiding hardcoded sensitive data.
4. **ApexSuggestUsingNamedCred** - Relates to the FAQ's recommendation to 'Store sensitive information securely in protected custom metadata or settings' and secure credential management practices.
5. **AvoidInsecureHttpRemoteSiteSetting** - Connects to the FAQ's emphasis on HTTPS communication and secure endpoints for iframe content.
6. **AvoidDisableProtocolSecurityRemoteSiteSetting** - Relates to maintaining secure communication protocols mentioned throughout the FAQ's security recommendations.