FAQ-000840 - External Platform Security / External Platform Hosting and AWS


Current FAQ

Question
What are the security review requirements for parts of my application hosted on an external platform like AWS?
Answer
The security review requirements for parts of your application hosted on an external platform like AWS include:

1. **Testing External Endpoints**: Test all external endpoints that are part of your solution to ensure secure data transfer and authentication, especially those handling Salesforce data or user authentication.
2. **Security Scans**: Use automated security scanning tools on external endpoints, document false positives, and fix vulnerabilities that don't meet Salesforce security guidelines.
3. **Control Over Endpoints**: You must have control over external endpoints, including the ability to place a token in the web app root for testing. If you don't control the endpoint, the review cannot proceed.
4. **HTTPS for Callback URLs**: Ensure all callback URLs use HTTPS for secure communication.
5. **Staging Environments**: Testing can be done on staging environments if they are functionally equivalent to production. SSL scans will be performed on the production version, and invalid certificates are allowed only on staging.
6. **Compliance with Security Standards**: The external platform must use TLS v1.2 or above, mark session IDs as secure, and avoid wildcarded CORS configurations for non-public endpoints.
7. **Documentation**: Provide all necessary documentation, including security scan reports, and ensure the external platform adheres to Salesforce's security standards.

These steps help protect customer data and ensure the security of your application.
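Items 4 and 6 above are concrete enough to self-check before submitting for review. The following is an added example, not part of this FAQ or of Salesforce's review tooling: it encodes those checks (HTTPS scheme, minimum TLS version 1.2, the Secure attribute on session cookies, no wildcard CORS origin on non-public endpoints) over a simple description of an externally hosted endpoint. The `Endpoint` fields, the `SESSION_COOKIE_NAMES` set and the two sample endpoint records are assumptions constructed for illustration.

```python
"""Pre-review self-check for externally hosted endpoints (e.g. on AWS).

Constructed example: encodes the FAQ's checklist items on HTTPS, TLS 1.2+,
Secure session cookies and non-wildcard CORS as checks over an endpoint
description. The endpoint records and header values are made up.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Cookie names treated as session identifiers and checked for the Secure
# attribute. Assumption: extend this set with your application's own names.
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "sid", "session"}


@dataclass
class Endpoint:
    url: str
    tls_min_version: str          # lowest TLS version the server accepts, e.g. "1.2"
    public: bool                  # True only if the endpoint is meant for any-origin, anonymous use
    headers: list = field(default_factory=list)   # (name, value) pairs from the server's response


def _version_tuple(version):
    """Turn "1.2" into (1, 2) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))


def _cookie_attrs(set_cookie_value):
    """Split a Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def check_endpoint(ep):
    """Return a list of findings; an empty list means the endpoint passes these checks."""
    findings = []
    if urlparse(ep.url).scheme != "https":
        findings.append("URL must use HTTPS")
    if _version_tuple(ep.tls_min_version) < (1, 2):
        findings.append("minimum TLS version below 1.2")
    for name, value in ep.headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = _cookie_attrs(value)
            if cookie.lower() in SESSION_COOKIE_NAMES and "secure" not in attrs:
                findings.append(f"session cookie {cookie!r} lacks the Secure attribute")
        elif lname == "access-control-allow-origin" and value.strip() == "*" and not ep.public:
            findings.append("wildcard CORS origin on a non-public endpoint")
    return findings


# Constructed sample endpoints: one that fails every check, one corrected.
WEAK = Endpoint(
    url="http://api.example.invalid/v1/records",
    tls_min_version="1.0",
    public=False,
    headers=[
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
        ("Access-Control-Allow-Origin", "*"),
    ],
)

HARDENED = Endpoint(
    url="https://api.example.invalid/v1/records",
    tls_min_version="1.2",
    public=False,
    headers=[
        ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
        ("Access-Control-Allow-Origin", "https://app.example.invalid"),
    ],
)

if __name__ == "__main__":
    for label, ep in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_endpoint(ep) or ["no findings"])
```

The header list can be filled from a real response captured against your staging environment; the checks are deliberately conservative (any session cookie without `Secure`, any `*` origin on an endpoint you have not marked public) so that a clean result is a reasonable precondition for the review, not a substitute for the scans the FAQ requires.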

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
Question
What are the security review requirements for parts of my application hosted on an external platform like AWS?
Recommended Answer Update
The security review requirements for parts of your application hosted on an external platform like AWS include:

1. **Testing External Endpoints**: Test all external endpoints that are part of your solution to ensure secure data transfer and authentication, especially those handling Salesforce data or user authentication.
2. **Security Scans**: Use automated security scanning tools on external endpoints, document false positives, and fix vulnerabilities that don't meet Salesforce security guidelines.
3. **Control Over Endpoints**: You must have control over external endpoints, including the ability to place a token in the web app root for testing. If you don't control the endpoint, the review can't proceed.
4. **HTTPS for External Communication**: Ensure all external endpoints and callback URLs use HTTPS for secure communication.
5. **Staging Environments**: Testing can be done on staging environments if they're functionally equivalent to production. SSL scans will be performed on the production version, and invalid certificates are allowed only on staging.
6. **Compliance with Security Standards**: The external platform must use TLS v1.2 or above, mark session IDs as secure, and avoid wildcarded CORS configurations for non-public endpoints.
7. **Documentation**: Provide all necessary documentation, including security scan reports, and ensure the external platform adheres to Salesforce's security standards.

These steps help protect customer data and ensure the security of your application.
Reasoning
The main improvements made were:

1. Simplified "the review cannot proceed" to "the review can't proceed" for a more conversational tone.
2. Broadened point 4 from just "callback URLs" to "external endpoints and callback URLs" to better reflect the comprehensive HTTPS requirement for external platform communication.
3. Changed "they are functionally equivalent" to "they're functionally equivalent" to use contractions as specified in the guidelines.

For the security rules:

- ApexInsecureEndpoint relates to the FAQ's emphasis on testing external endpoints for secure communication and avoiding insecure HTTP connections.
- AvoidInsecureHttpRemoteSiteSetting connects to the requirement for HTTPS communication with external platforms.
- AvoidDisableProtocolSecurityRemoteSiteSetting aligns with the compliance requirement that external platforms use proper security protocols like TLS v1.2+.
- UseHttpsCallbackUrlConnectedApp directly relates to the FAQ's requirement that "all callback URLs use HTTPS for secure communication."