FAQ-000799 - External Content and Iframe Security / Security Review Testing and Documentation

For external resources and content embedding in AppExchange Security Reviews, the following documentation is required: **For External Resources That Cannot Be Hosted as Static Resources:** - Detailed explanation of why the resource cannot be hosted as a static resource - Evidence that the resource is served over a secure connection (HTTPS required) - Details about the hosting provider, including their security certifications or compliance with industry standards - Description of measures taken to ensure the resource's integrity and authenticity, such as versioning or checksums - Any additional security assessments or audits conducted on the resource to verify its safety **For Content Embedding Features:** - Detailed solution documentation - Security scan reports with explanations of any false positives identified during testing - Access to all external components, including URLs and login credentials for authentication - Compliance documentation with secure coding practices **Security Review Testing Process:** - The AppExchange security review team permits embedding external content via iframes if the use case is acceptable - The external endpoint must be within scope, and the partner must have control over it - The review ensures compliance with security requirements, such as marking session IDs as secure and using TLS v1.2 or above - Wildcarded CORS or cross-domain.xml files are not allowed for non-public endpoints All documentation should be included in the security review process and uploaded through the security review wizard in the AppExchange Partner Console.

The content is generally accurate and well-structured. I made a minor clarification by changing 'such as HTTPS' to 'HTTPS required' to emphasize that HTTPS is mandatory, not optional, which aligns with security best practices. All other content remains unchanged as it accurately reflects security requirements. The selected security rules directly relate to the FAQ content: ApexInsecureEndpoint and AvoidInsecureHttpRemoteSiteSetting relate to the requirement for secure HTTPS connections mentioned in the FAQ. AvoidDisableProtocolSecurityRemoteSiteSetting relates to the protocol security requirements discussed. LoadJavaScriptHtmlScript, LoadJavaScriptIncludeScript, LoadCSSLinkHref, and LoadCSSApexStylesheet all relate to external resource loading which is the core topic of this FAQ about external resources and content embedding documentation requirements.