FAQ-001052 - Hybrid Application Security / Authentication and Data Transfer Security


Current FAQ

Question
How can I securely manage authentication and data transfer between my Salesforce package and an external application server?
Answer
To securely manage authentication and data transfer between your Salesforce package and an external application server:

1. **Authentication**: Use OAuth as the preferred authentication mechanism. Request only the least privilege permissions necessary for your use case. Avoid storing Salesforce usernames and passwords, and do not allow apps to make arbitrary API calls on behalf of the user.
2. **Secure Data Transfer**: Use HTTPS for all connections and ensure compliance with certificate and SSL configuration requirements. Avoid insecure protocols like HTTP or FTP. If variable endpoints are required, enforce HTTPS and provide a valid business case.
3. **Sensitive Information**: Do not log sensitive information such as cryptographic secrets, API credentials, or passwords in debug logs.
4. **Enterprise Standards**: Ensure all data transfers and authentication processes comply with enterprise security standards to protect against vulnerabilities.

Let me know if you need further clarification!
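Points 1 to 3 of the answer shown in Apex, as an added example that is not part of the original FAQ or Salesforce's own code. The Named Credential `External_App_Server` (assumed to be configured with an `https://` URL and OAuth), the host `app.example.com`, the `/v1/orders` path and the class and method names are assumptions.

```apex
// Added example: one callout written two ways. All names are assumptions.
public class OrderSyncExample {
    public class SyncException extends Exception {}

    // Constructed placeholder, not a real credential.
    private static final String API_KEY = 'PLACEHOLDER-NOT-A-REAL-KEY';

    // BEFORE: the patterns the answer warns against.
    public static HttpResponse pushInsecure(String payload) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://app.example.com/v1/orders'); // cleartext HTTP
        req.setMethod('POST');
        req.setHeader('Authorization', 'Bearer ' + API_KEY); // secret in source
        req.setBody(payload);
        System.debug('Sending with key ' + API_KEY);         // secret in debug log
        return new Http().send(req);
    }

    // AFTER: Named Credential, no secret in code or logs.
    public static HttpResponse pushHardened(String payload) {
        HttpRequest req = new HttpRequest();
        // The platform resolves the URL stored on the Named Credential and
        // attaches the credential configured there; Apex never handles it.
        req.setEndpoint('callout:External_App_Server/v1/orders');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setBody(payload);
        req.setTimeout(10000); // milliseconds

        HttpResponse res = new Http().send(req);
        Integer status = res.getStatusCode();
        if (status < 200 || status >= 300) {
            // Log the status only; bodies and headers may carry sensitive data.
            System.debug(LoggingLevel.WARN, 'Order sync failed, status ' + status);
            throw new SyncException('Order sync failed with status ' + status);
        }
        return res;
    }
}
```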

AI Recommended Enhancement

Related Security Rules

- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
- ApexBadCrypto
- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInHttpHeader
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
- ProtectSensitiveData

Question
How can I securely manage authentication and data transfer between my Salesforce package and an external application server?
Recommended Answer Update
To securely manage authentication and data transfer between your Salesforce package and an external application server:

1. **Authentication**: Use OAuth as the preferred authentication mechanism. Request only the least privilege permissions necessary for your use case. Avoid storing Salesforce usernames and passwords, and don't allow apps to make arbitrary API calls on behalf of the user.
2. **Secure Data Transfer**: Use HTTPS for all connections and ensure compliance with certificate and SSL configuration requirements. Avoid insecure protocols like HTTP or FTP. If variable endpoints are required, enforce HTTPS and provide a valid business case.
3. **Sensitive Information**: Don't log sensitive information such as cryptographic secrets, API credentials, or passwords in debug logs.
4. **Enterprise Standards**: Ensure all data transfers and authentication processes comply with enterprise security standards to protect against vulnerabilities.

Let me know if you need further clarification!
Reasoning
The FAQ content is generally accurate and well-structured, but includes some minor wording improvements to align with the brand and tone guidelines. The changes made are:

1. Replaced 'Do not allow' with 'don't allow' to be more conversational.
2. Replaced 'Do not log' with 'Don't log' for consistency with conversational tone.

No outdated content was detected.

Regarding security rules selected:

- ApexInsecureEndpoint: Directly relates to the FAQ's guidance on "Use HTTPS for all connections" and avoiding insecure protocols
- ApexSuggestUsingNamedCred: Connects to authentication best practices mentioned in the FAQ
- ApexBadCrypto: Relates to the FAQ's emphasis on protecting "cryptographic secrets"
- AvoidHardcodedCredentials rules (FieldDecls, VarDecls, VarAssign, HttpHeader): All relate to the FAQ's guidance on "Avoid storing Salesforce usernames and passwords" and not logging "API credentials"
- AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting: Both connect to the FAQ's requirement to "Use HTTPS for all connections" and avoid insecure protocols
- UseHttpsCallbackUrlConnectedApp: Relates to the OAuth authentication guidance and HTTPS requirements
- ProtectSensitiveData: Directly connects to the FAQ's guidance on not logging "sensitive information such as cryptographic secrets, API credentials, or passwords"