FAQ-000896 - External Platform Security / Third-Party Service Evaluation

Current Status: VALID_RESPONSE

Current FAQ

Question
What considerations apply when applications involve third-party connectors and external hosting?
Answer
When applications involve third-party connectors and external hosting during the AppExchange Security Review, the following considerations apply:

1. **Endpoint Control**: The partner must have control over the external endpoint, including the ability to place a token in the web app root. This is essential for the review to proceed.
2. **Matchmaker Apps**: Applications that integrate with third-party endpoints without their consent to the review or commitment to address issues are not allowed.
3. **Staging and Production Testing**: Testing can be done on a staging version of the website if it is functionally equivalent to production. SSL scans are performed on the production version, but invalid certificates are allowed on staging.
4. **TLS Requirements**: TLS v1.2 or above is mandatory, and weak ciphers are not permitted.
5. **Exceptions for Uncontrolled Endpoints**: Exceptions may be granted for endpoints not controlled by the partner (e.g., Google, Slack, Twilio) if an action plan is provided.
6. **CORS and Cross-Domain Policies**: Wildcarded CORS or cross-domain.xml files are not allowed for non-public endpoints.

Let me know if you need further details!
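A pre-review check for point 6 above, added here as an example and not part of the FAQ or of Salesforce's review tooling: it flags a wildcard `Access-Control-Allow-Origin` header and a bare `domain="*"` grant in a crossdomain.xml policy file, and treats either as a finding only when the endpoint is not public. The header dictionary and the two policy documents are constructed samples; the `is_public` flag stands in for the partner's own knowledge of whether the endpoint is meant to be public.

```python
import xml.etree.ElementTree as ET

# Constructed sample crossdomain.xml documents (not from any real endpoint).
OPEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

SCOPED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.partner.example" secure="true"/>
  <allow-http-request-headers-from domain="app.partner.example" headers="X-Token"/>
</cross-domain-policy>"""


def cors_wildcard(headers):
    """True when Access-Control-Allow-Origin grants every origin ('*')."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("access-control-allow-origin", "").strip() == "*"


def crossdomain_wildcard(policy_xml):
    """True when crossdomain.xml grants any domain via a bare '*' in
    <allow-access-from> or <allow-http-request-headers-from>.
    Scoped patterns such as '*.partner.example' are not wildcards here.
    Unparseable XML is reported as a wildcard so a reviewer inspects it."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return True
    for tag in ("allow-access-from", "allow-http-request-headers-from"):
        for rule in root.iter(tag):
            if rule.get("domain", "").strip() == "*":
                return True
    return False


def review_findings(headers, policy_xml=None, is_public=False):
    """Apply point 6: wildcards are acceptable only on a public endpoint."""
    if is_public:
        return []
    findings = []
    if cors_wildcard(headers):
        findings.append("wildcard Access-Control-Allow-Origin on non-public endpoint")
    if policy_xml is not None and crossdomain_wildcard(policy_xml):
        findings.append("wildcard crossdomain.xml on non-public endpoint")
    return findings


if __name__ == "__main__":
    # Constructed response headers from a hypothetical non-public endpoint.
    print(review_findings({"Access-Control-Allow-Origin": "*"}, OPEN_POLICY))
```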

AI Recommended Enhancement

Related Security Rules
- ApexInsecureEndpoint
- AvoidDisableProtocolSecurityRemoteSiteSetting
- AvoidInsecureHttpRemoteSiteSetting
- ApexSuggestUsingNamedCred
- UseHttpsCallbackUrlConnectedApp
Question
What considerations apply when applications involve third-party connectors and external hosting?
Recommended Answer Update
When applications involve third-party connectors and external hosting during the AppExchange Security Review, the following considerations apply:

1. **Endpoint Control**: The partner must have control over the external endpoint, including the ability to place a token in the web app root. This is essential for the review to proceed.
2. **Matchmaker Apps**: Applications that integrate with third-party endpoints without their consent to the review or commitment to address issues aren't allowed.
3. **Staging and Production Testing**: Testing can be done on a staging version of the website if it's functionally equivalent to production. SSL scans are performed on the production version, but invalid certificates are allowed on staging.
4. **TLS Requirements**: TLS v1.2 or above is mandatory, and weak ciphers aren't permitted.
5. **Exceptions for Uncontrolled Endpoints**: Exceptions may be granted for endpoints not controlled by the partner (e.g., Google, Slack, Twilio) if an action plan is provided.
6. **CORS and Cross-Domain Policies**: Wildcarded CORS or cross-domain.xml files aren't allowed for non-public endpoints.

Let me know if you need further details!
Reasoning
The FAQ content is accurate and comprehensive, requiring only minor language improvements to align with brand guidelines. I made these specific changes: (1) Changed 'are not allowed' to 'aren't allowed' to use contractions per brand guidelines, (2) Changed 'are not permitted' to 'aren't permitted' for consistency, and (3) Changed 'are not allowed' to 'aren't allowed' in the CORS section. Regarding security rules selection: ApexInsecureEndpoint relates directly to the FAQ's discussion of TLS requirements and secure endpoint connections. AvoidDisableProtocolSecurityRemoteSiteSetting and AvoidInsecureHttpRemoteSiteSetting both connect to the FAQ's emphasis on TLS v1.2+ requirements and secure endpoint configurations mentioned in points 4 and 6. ApexSuggestUsingNamedCred is relevant to the third-party connector integrations discussed throughout the FAQ, as it promotes secure credential management for external service connections. UseHttpsCallbackUrlConnectedApp applies to the external hosting and endpoint control requirements detailed in points 1 and 4.