FAQ-001561 - Public Data Access Security / Public URL Security Requirements

The level of mitigation required for data accessible via public URLs depends on the sensitivity of the data and the associated risks. Public URLs should not expose sensitive or private data. If sensitive data is accessible, it must be protected using proper authentication, authorization, and encryption mechanisms. Additionally, ensure public URLs don't allow unauthorized access to nonpublic data or operations. Security measures like token-based access, IP whitelisting, and rate limiting should be implemented to mitigate risks.

Made a minor improvement by changing 'do not' to the more conversational contraction 'don't' to align with the brand guidelines that encourage using contractions for a more natural, conversational tone. This small change makes the text more approachable while maintaining all technical accuracy and completeness. Regarding the security rules selected: - ApexInsecureEndpoint: This rule directly relates to the FAQ's discussion of public URLs and ensuring they don't expose sensitive data inappropriately. The FAQ mentions protecting data accessible via public URLs, which is exactly what this rule addresses. - ApexCSRF: Token-based access mentioned in the FAQ relates to CSRF protection mechanisms that this rule would detect violations of. The FAQ specifically mentions 'token-based access' as a security measure. - ApexCRUDViolation: The FAQ discusses ensuring 'proper authorization' for sensitive data access, which includes CRUD permissions that this rule validates. The authorization mechanisms mentioned would include CRUD checks. - ApexSharingViolations: The FAQ's emphasis on preventing 'unauthorized access to nonpublic data' directly relates to sharing rule violations this rule detects. The concept of nonpublic data access is core to sharing violations. - ApexBadCrypto: The FAQ mentions 'encryption mechanisms' as required protection, and this rule would flag improper cryptographic implementations. The encryption requirement in the FAQ directly correlates to proper crypto usage. - VfCsrf: For Visualforce-based public URLs, CSRF protection (mentioned as token-based access in the FAQ) would be validated by this rule. The token-based access security measure applies to Visualforce contexts as well.