FAQ-001280 - Open Redirect and Redirect Security / General Security Considerations


Current FAQ

Question
What are the security considerations for URLs used in callouts or redirects?
Answer
When working with URLs in callouts or redirects, consider the following security measures:

1. **Use HTTPS**: Ensure all callouts are made via HTTPS to secure communication.
2. **Validate Redirects**: Prevent open redirect vulnerabilities by validating redirect URLs.
3. **Whitelist URLs**: Only allow redirection to trusted, whitelisted URLs.
4. **Avoid Sensitive Data in URLs**: Do not pass sensitive information, like session IDs or credentials, in the URL using the GET method.
5. **Secure Third-Party Resources**: Ensure any dynamic resources loaded from third parties do not result in dynamic content and comply with security guidelines.

These practices help maintain the security and integrity of your application.


AI Recommended Enhancement

Related Security Rules

- ApexOpenRedirect
- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- UseHttpsCallbackUrlConnectedApp
- ApexSuggestUsingNamedCred
Question
What are the security considerations for URLs used in callouts or redirects?
Recommended Answer Update
When working with URLs in callouts or redirects, consider the following security measures:

1. **Use HTTPS**: Ensure all callouts are made via HTTPS to secure communication.
2. **Validate Redirects**: Prevent open redirect vulnerabilities by validating redirect URLs.
3. **Whitelist URLs**: Only allow redirection to trusted, allowlisted URLs.
4. **Avoid Sensitive Data in URLs**: Don't pass sensitive information, like session IDs or credentials, in the URL using the GET method.
5. **Secure Third-Party Resources**: Ensure any dynamic resources loaded from third parties don't result in dynamic content and comply with security guidelines.

These practices help maintain the security and integrity of your application.
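Points 2, 3 and 4 of the answer (validate redirects, allowlist destinations, keep secrets out of GET URLs), shown as an added Python example that is not code from the FAQ or from any Salesforce rule; the allowlisted hosts, fallback path and sensitive parameter names are constructed assumptions, and the same checks translate directly to an Apex redirect handler:

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist, fallback and parameter names for this example (assumptions).
ALLOWED_HOSTS = {"app.example.com", "login.example.com"}
FALLBACK = "/home"
SENSITIVE_PARAMS = {"sessionid", "session_id", "sid", "token", "access_token", "password"}


def safe_redirect_target(candidate: str, fallback: str = FALLBACK) -> str:
    """Accept only a same-site path or an https URL to an allowlisted host.

    Anything else (protocol-relative or backslash tricks, http downgrade,
    userinfo confusion, script schemes) falls back to a known-good location.
    Exact host matching avoids suffix/prefix look-alikes such as
    'evil-app.example.com' or 'app.example.com.attacker.tld'.
    """
    if not candidate or len(candidate) > 2048:
        return fallback
    # Browsers strip tabs, newlines and leading/trailing control characters
    # while parsing, so such a value cannot be compared reliably: reject it.
    if any(ch.isspace() or not ch.isprintable() for ch in candidate):
        return fallback
    if candidate.startswith("/"):
        # '//host' is protocol-relative and '/\host' is normalised to '//host'
        # by browsers; only a plain local path is acceptable here.
        return fallback if candidate[1:2] in ("/", "\\") else candidate
    parts = urlsplit(candidate)
    if parts.scheme.lower() != "https" or not parts.netloc:
        return fallback
    if "@" in parts.netloc:  # 'https://trusted@evil' fools substring checks
        return fallback
    if parts.hostname not in ALLOWED_HOSTS:  # hostname is already lowercased
        return fallback
    return candidate


def sensitive_params_in_url(url: str) -> list[str]:
    """Names of query parameters that should never be carried in a GET URL
    (they end up in browser history, proxy and server logs, and Referer)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SENSITIVE_PARAMS)
```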
Reasoning
I made minor wording improvements to enhance clarity and use more current terminology. Changed 'Do not pass' to 'Don't pass' for a more conversational tone, replaced 'whitelisted' with 'allowlisted' to use modern inclusive terminology, and changed 'do not result' to 'don't result' for consistency. These changes improve readability while maintaining all the original technical content and security guidance.

For the related security rules:

- ApexOpenRedirect directly relates to the FAQ's point about validating redirects to prevent open redirect vulnerabilities
- ApexInsecureEndpoint connects to the HTTPS requirement and secure communication practices discussed
- AvoidInsecureHttpRemoteSiteSetting and AvoidDisableProtocolSecurityRemoteSiteSetting relate to the HTTPS enforcement mentioned in point 1
- UseHttpsCallbackUrlConnectedApp aligns with the overall HTTPS usage requirement for secure communication
- ApexSuggestUsingNamedCred relates to the secure handling of credentials mentioned in point 4 about avoiding sensitive data in URLs