FAQ-000908 - External Service Security Testing / Authentication and Access Configuration


Current FAQ

Question
How can I conduct a security scan on an external API endpoint that requires authentication I don't have access to?
Answer
If you need to conduct a security scan on an external API endpoint that requires authentication you don't have access to, you will need to work with the owner of the API to obtain the necessary credentials or permissions. Without access to the required authentication, it is not possible to perform a valid security scan: an unauthenticated scan reaches only the login surface of the endpoint and never exercises the API's authenticated behaviour, and scanning an endpoint you do not own also requires the owner's authorization. For further assistance or specific guidance, consider opening a case with Salesforce.

AI Recommended Enhancement

Related Security Rules
ApexSuggestUsingNamedCred
AvoidHardcodedCredentialsInHttpHeader
AvoidHardcodedCredentialsInFieldDecls
AvoidHardcodedCredentialsInVarAssign
AvoidHardcodedCredentialsInVarDecls
Question
How can I conduct a security scan on an external API endpoint that requires authentication I don't have access to?
Recommended Answer Update
If you need to conduct a security scan on an external API endpoint that requires authentication you don't have access to, you'll need to work with the owner of the API to obtain the necessary credentials or permissions. Without access to the required authentication, it's not possible to perform a valid security scan: an unauthenticated scan reaches only the login surface of the endpoint and never exercises the API's authenticated behaviour, and scanning an endpoint you do not own also requires the owner's authorization. When you do receive credentials, store them in a Salesforce Named Credential and reference it from Apex with the callout: endpoint prefix rather than hardcoding credentials in your code; Salesforce adds the Authorization header at run time, so the secret never appears in source, metadata retrievals, or debug logs. For further assistance or specific guidance, consider opening a case with Salesforce.
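The following Apex class is an added example for this FAQ, not code from the FAQ or from Salesforce. It shows the hardcoded-credential pattern that the listed rules flag beside the Named Credential form the recommended answer asks for. The Named Credential name Example_API, the endpoint https://api.example.com and path /v1/scan, and the placeholder key value are all assumptions for illustration.

```apex
// Added example for this FAQ, not code from the FAQ itself. The Named Credential
// name Example_API, the endpoint host and path, and the placeholder key are
// assumptions used for illustration.
public with sharing class ExternalApiClient {

    public class ApiAuthException extends Exception {}

    // BEFORE: the pattern the listed rules flag. The key is a literal in a field
    // declaration (AvoidHardcodedCredentialsInFieldDecls) and is then placed in a
    // header (AvoidHardcodedCredentialsInHttpHeader). It lands in source control,
    // metadata retrievals and anything that logs the request.
    private static final String API_KEY = 'REPLACE_WITH_KEY'; // placeholder, not a real key

    public static HttpResponse callWithHardcodedKey() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.example.com/v1/scan'); // assumed endpoint
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + API_KEY);
        return new Http().send(req);
    }

    // AFTER: the credential is stored in Setup under Named Credentials as
    // Example_API (assumed name) and the request targets it with the callout:
    // prefix. Salesforce resolves the URL and adds the Authorization header at
    // run time, so the Apex source contains no secret.
    public static HttpResponse callWithNamedCredential() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Example_API/v1/scan');
        req.setMethod('GET');
        req.setTimeout(30000);

        HttpResponse res = new Http().send(req);

        // Fail closed on an auth failure (credential missing or expired, or the
        // running user not permitted to use the Named Credential) rather than
        // retrying with a literal.
        if (res.getStatusCode() == 401 || res.getStatusCode() == 403) {
            throw new ApiAuthException('Example_API rejected the request: HTTP ' + res.getStatusCode());
        }
        return res;
    }
}
```

Running Salesforce Code Analyzer over this class reports callWithHardcodedKey under the rules listed above and accepts callWithNamedCredential. The Named Credential itself must exist in Setup before the callout: endpoint resolves, and for per-user authentication each running user needs access to it; unit tests should use an HttpCalloutMock so no real credential is needed in the test run.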
Reasoning
The original FAQ answer is accurate but can be improved for clarity and security best practices. I made the following refinements:
1) Changed 'you will need' to 'you'll need' for a more conversational tone per the brand guidelines.
2) Changed 'it is not possible' to 'it's not possible' using contractions as specified.
3) Added guidance about using Named Credentials when credentials are obtained, which is a crucial security best practice that directly relates to this scenario. This addition doesn't expand the scope but provides actionable security guidance for the natural next step.
The related security rules I selected all deal with secure credential management: ApexSuggestUsingNamedCred directly recommends using Named Credentials for external API authentication (exactly what this FAQ discusses), AvoidHardcodedCredentialsInHttpHeader prevents storing API keys/tokens in HTTP headers, AvoidHardcodedCredentialsInFieldDecls prevents storing credentials as hardcoded field values, AvoidHardcodedCredentialsInVarAssign prevents assigning hardcoded credentials to variables, and AvoidHardcodedCredentialsInVarDecls prevents declaring variables with hardcoded credentials. All of these rules relate to the FAQ's core topic of handling authentication credentials for external API endpoints.