The main improvement needed was updating the authentication guidance from 'OAuth for authentication' to 'OAuth or Named Credentials for authentication.' This change aligns with modern Salesforce security best practices where Named Credentials are the preferred method for external system authentication as they provide better security, credential management, and compliance with AppExchange requirements.
The security rules selected are all related to the FAQ's content about external JavaScript and authentication:
- AvoidApiSessionId: Directly relates to the FAQ's guidance about 'avoiding the use of session IDs for external API calls'; this rule flags code that uses API session IDs inappropriately
- AvoidUnauthorizedApiSessionIdInApex: Relates to the session ID avoidance guidance mentioned in the FAQ, specifically for Apex code
- AvoidUnauthorizedApiSessionIdInVisualforce: Relates to the session ID avoidance guidance, specifically for Visualforce pages, which are mentioned in the FAQ's iframe recommendation
- AvoidUnauthorizedGetSessionIdInApex: Relates to preventing unauthorized session ID retrieval in Apex, supporting the FAQ's session ID security guidance
- AvoidUnauthorizedGetSessionIdInVisualforce: Relates to preventing unauthorized session ID retrieval in Visualforce, relevant to the FAQ's Visualforce and security recommendations
- ApexSuggestUsingNamedCred: Directly supports the updated authentication recommendation to use Named Credentials, which is why this rule was added to reinforce proper authentication methods for external calls
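As an added illustration of the pattern these rules flag and the pattern they recommend (example code written for this note, not taken from the FAQ or from the rule set): an Apex callout that passes the running user's session ID as a bearer token, beside the same callout routed through a Named Credential. `ExternalSystem` is an assumed Named Credential name and the host and `/api/v1/items` path are constructed for the example.

```apex
public with sharing class ExternalCallout {

    // BEFORE: reuses the running user's Salesforce session ID as a bearer token.
    // The session ID carries the caller's full API access, so exposing it to the
    // remote system (or to any proxy or log in between) exposes the org, and the
    // callout silently depends on the session being valid in the current context.
    // This is the shape AvoidApiSessionId and AvoidUnauthorizedGetSessionIdInApex flag.
    public static HttpResponse calloutWithSessionId() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://external.example.com/api/v1/items'); // constructed URL
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + UserInfo.getSessionId());
        return new Http().send(req);
    }

    // AFTER: routes the callout through a Named Credential (assumed name: ExternalSystem).
    // The platform injects whatever credential the Named Credential is configured with
    // (OAuth, JWT, password, etc.) when the request is sent, so no secret or session
    // token appears in Apex code or in the org's source control. This is the form
    // ApexSuggestUsingNamedCred points toward.
    public static HttpResponse calloutWithNamedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:ExternalSystem/api/v1/items');
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```

The Named Credential also has to be registered in the org (and, for managed packages, referenced from the package) before the `callout:` endpoint resolves; the `ExternalSystem` name here is a placeholder for whatever the org defines.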