FAQ-000830 - External Platform Security / External Dependencies and Libraries


Current FAQ

Question
How do I address external dependencies that cause security review failures?
Answer
To address external dependencies that cause security review failures for AppExchange:

1. **Demonstrate Control**: Ensure you have control over the external endpoint. This includes placing a token in the web app root to prove control.
2. **Compliance with Standards**: Make sure the endpoint complies with requirements like:
   - Using TLS v1.2 or above.
   - Marking all session IDs as SECURE.
   - Avoiding wildcarded CORS configurations for non-public endpoints.
3. **Third-Party Managed Endpoints**: If the external endpoint is managed by a third party:
   - They must consent to the review.
   - Agree to abide by Salesforce's Main Services Agreement.
   - Commit to resolving all identified issues promptly.

If the endpoint is not under your control and these steps cannot be met, the review may be canceled.
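As an added example (not part of this FAQ or of any Salesforce tooling), the following offline pre-check evaluates the three endpoint requirements listed under step 2 against constructed sample response headers before submitting for review. The session-cookie name patterns and the sample headers are assumptions.

```python
"""Offline pre-check for the endpoint requirements named in the FAQ."""
import re

# Assumed naming patterns used to recognise session-ID cookies (not from the FAQ).
SESSION_COOKIE_PATTERN = re.compile(r"sess|sid|token", re.IGNORECASE)
ACCEPTABLE_TLS = {"TLSv1.2", "TLSv1.3"}


def is_session_cookie(name: str) -> bool:
    """Heuristic: does this cookie name look like it carries a session ID?"""
    return bool(SESSION_COOKIE_PATTERN.search(name))


def audit_endpoint(tls_version, headers, public_endpoint=False):
    """Return review findings for one response; an empty list means compliant.

    tls_version:     protocol negotiated with the endpoint, in the form
                     returned by ssl.SSLSocket.version(), e.g. "TLSv1.2".
    headers:         list of (name, value) pairs received from the endpoint.
    public_endpoint: True if the endpoint is intentionally public, in which
                     case a wildcard CORS origin is acceptable.
    """
    findings = []
    if tls_version not in ACCEPTABLE_TLS:
        findings.append(f"negotiated {tls_version}; TLS v1.2 or above is required")
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            flags = {p.lower() for p in parts[1:]}
            if is_session_cookie(cookie) and "secure" not in flags:
                findings.append(f"session cookie {cookie!r} is not marked Secure")
        elif lname == "access-control-allow-origin":
            if value.strip() == "*" and not public_endpoint:
                findings.append("Access-Control-Allow-Origin: * on a non-public endpoint")
    return findings


# Constructed sample: headers a non-compliant endpoint might return.
BAD_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Access-Control-Allow-Origin", "*"),
]
# Constructed sample: the same endpoint after remediation.
GOOD_HEADERS = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Access-Control-Allow-Origin", "https://app.example.com"),
]

if __name__ == "__main__":
    for label, tls, hdrs in (("before", "TLSv1.1", BAD_HEADERS), ("after", "TLSv1.3", GOOD_HEADERS)):
        print(label, audit_endpoint(tls, hdrs) or ["compliant"])
```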

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
Question
How do I address external dependencies that cause security review failures?
Recommended Answer Update
To address external dependencies that cause security review failures for AppExchange:

1. **Demonstrate Control**: Ensure you have control over the external endpoint. This includes placing a token in the web app root to prove control.
2. **Compliance with Standards**: Make sure the endpoint complies with requirements like:
   - Using TLS v1.2 or above
   - Marking all session IDs as SECURE
   - Avoiding wildcarded CORS configurations for non-public endpoints
3. **Third-Party Managed Endpoints**: If the external endpoint is managed by a third party:
   - They must consent to the review
   - Agree to abide by Salesforce's Main Services Agreement
   - Commit to resolving all identified issues promptly

If the endpoint isn't under your control and these steps can't be met, the review may be canceled.
Reasoning
The FAQ content was generally accurate and well-structured. I made minor improvements to enhance clarity and readability: removed the period after 'TLS v1.2 or above' for consistency with other bullet points, simplified 'cannot be met' to 'can't be met' for a more conversational tone per the brand guidelines, and changed 'is not under your control' to 'isn't under your control' for consistency.

For related security rules, I selected five rules that directly relate to external endpoint security discussed in this FAQ:

1. ApexInsecureEndpoint - This rule detects insecure HTTP endpoints in Apex code, directly relating to the FAQ's discussion of ensuring external endpoints comply with security standards like TLS v1.2.
2. ApexSuggestUsingNamedCred - This rule recommends using Named Credentials for external callouts, which is relevant to the FAQ's focus on properly managing external dependencies and endpoints.
3. AvoidInsecureHttpRemoteSiteSetting - This rule flags insecure HTTP remote site settings, directly connecting to the FAQ's emphasis on using TLS v1.2 or above for external endpoints.
4. AvoidDisableProtocolSecurityRemoteSiteSetting - This rule prevents disabling protocol security in remote site settings, which aligns with the FAQ's requirement for endpoints to comply with security standards.
5. UseHttpsCallbackUrlConnectedApp - This rule ensures HTTPS is used for Connected App callback URLs, relating to the FAQ's discussion of external endpoint security compliance.