FAQ-000904 - External Service OAuth Security Review / OAuth Scan Results and Complex Authentication

Current Status: VALID_RESPONSE

Current FAQ

Question
How can I provide web application scan results for an external API that requires OAuth or another complex authentication scheme?
Answer
To provide web application scan results for an external API that requires OAuth or another complex authentication scheme for the AppExchange Security Review:
1. Submit the scan reports for the external API.
2. Include the authentication credentials required for accessing the API.
3. If available, provide the API documentation.
4. Ensure the external endpoint is within your control and complies with the necessary security requirements.
Let me know if you need more details!

AI Recommended Enhancement

Related Security Rules
- ApexSuggestUsingNamedCred
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInHttpHeader
Question
How can I provide web application scan results for an external API that requires OAuth or another complex authentication scheme?
Recommended Answer Update
To provide web application scan results for an external API that requires OAuth or another complex authentication scheme for the AppExchange Security Review:
1. Submit the scan reports for the external API.
2. Include the authentication credentials required for accessing the API. Use Named Credentials to store these securely rather than hardcoding them in your application.
3. If available, provide the API documentation.
4. Ensure the external endpoint is within your control and complies with the necessary security requirements.
Let me know if you need more details!
Reasoning
The main issue with this FAQ is that step 2 mentions including authentication credentials without emphasizing secure credential management practices. While the existing content is accurate, it could inadvertently encourage insecure practices like hardcoding credentials. The recommended update adds guidance to use Named Credentials for secure credential storage, which aligns with Salesforce security best practices. This addition clarifies how to properly handle credentials without removing any existing information.

Regarding the selected security rules:
- ApexSuggestUsingNamedCred: Directly relates to the FAQ's mention of "authentication credentials required for accessing the API". This rule recommends using Named Credentials instead of hardcoded credentials for external API calls.
- AvoidHardcodedCredentialsInFieldDecls: Relates to the credential management aspect discussed in step 2, as developers might store API credentials in field declarations.
- AvoidHardcodedCredentialsInVarAssign: Connects to step 2's authentication credentials, as developers might assign API credentials to variables.
- AvoidHardcodedCredentialsInVarDecls: Applies to the authentication scheme credentials mentioned in the FAQ, as these might be declared as hardcoded variables.
- AvoidHardcodedCredentialsInHttpHeader: Directly relevant to the OAuth and complex authentication schemes mentioned in the question, as these often involve HTTP headers with credentials.
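The following Apex class is an added illustration of the recommended answer update and of the rules listed above; it is not code from the FAQ or from Salesforce. It shows the pattern the hardcoded-credential rules flag (a secret placed in a field declaration and then in an HTTP header) next to the Named Credential form the update recommends. The Named Credential name External_API, the endpoint paths and the placeholder token value are assumptions made for the example.

```apex
// Added example, not from the FAQ: hardcoded bearer token versus a Named Credential callout.
public with sharing class ExternalApiClient {

    // BEFORE: the pattern flagged by AvoidHardcodedCredentialsInFieldDecls.
    // A secret committed to source ends up in version control and in the
    // managed package, is visible to anyone who can read the metadata, and
    // cannot be rotated without a redeploy. The value below is a placeholder.
    private static final String HARDCODED_TOKEN = 'REPLACE_ME_PLACEHOLDER_TOKEN';

    public static HttpResponse callInsecure() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/v1/resource'); // assumed endpoint
        req.setMethod('GET');
        // AvoidHardcodedCredentialsInHttpHeader: the secret goes straight into a header.
        req.setHeader('Authorization', 'Bearer ' + HARDCODED_TOKEN);
        return new Http().send(req);
    }

    // AFTER: the callout: scheme refers to a Named Credential (assumed here to be
    // named External_API). The platform stores the client secret or token,
    // runs the configured OAuth flow including refresh, and injects the
    // Authorization header itself, so no credential appears in Apex or in the
    // package, and the reviewer can verify the auth configuration in Setup
    // rather than in code.
    public static HttpResponse callWithNamedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:External_API/v1/resource');
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```

Running Salesforce Code Analyzer (the PMD-based scanner) over the BEFORE method surfaces the credential findings; the AFTER method produces none because the only authentication-related artifact is the Named Credential reference, which is configured and permissioned outside the code.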
Reasoning References