+ Start a Discussion

Regarding the custom settings in managed package



We have developed a managed package for App Exchange but kept the custom settings as public so that admin can have access to it. We are storing the api keys in the custom settings but no username or passwords. will it amount as threat in security review.


Aprreciate the help here.





Yes  - There is a whole section on security.force.com that talks about how to handle this: http://wiki.developerforce.com/page/Secure_Coding_Storing_Secrets


I recommend using a protected custom setting and having your managed code insert/update the data in the custom setting.