          External Client App Settings: REST API Secret Masking Control

          Control Name

          External Client App Settings: REST API Secret Masking

          Recommended Configuration

          Allow access to External Client App consumer secrets via REST API - Off.

          Control Overview

          This security setting blocks the ability to query or retrieve sensitive plaintext OAuth consumer secrets through programmatic REST API calls.

          Security Risk If Not Configured

          When this access is enabled, any authenticated user or application with sufficient API permissions can programmatically extract these high-value credentials, leading to the potential mass exposure of authentication secrets.

          Threat Scenarios

          An attacker compromises a user account with administrative or developer permissions and runs a script to harvest all consumer secrets via the REST API to gain persistent, unauthorized access to integrated systems.

          Risk Impact Considerations

          The exposure of these secrets allows an unauthorized actor to bypass standard login protocols and impersonate a trusted external application, leading to a complete compromise of the data shared between systems.

          Higher Risk When

          Your org uses many third-party integration tools that have broad access to the REST API, as a single compromised integration could lead to the theft of all other application secrets.

          Low Risk When

          You have implemented strict IP address restrictions for all API access and use short-lived session tokens that limit the window of opportunity for an attacker to run extraction scripts.

          Business and Integration Considerations

          Disabling this access prevents custom administrative tools or automated monitoring scripts from programmatically verifying or auditing the consumer secrets used by your external applications.

          Recommended Remediation

          Go to the External Client Apps settings in Setup and make sure the toggle for allowing access to consumer secrets via the REST API is set to off.

          Security Health Review Guidance

          Security Health Review identifies the restriction of secret access via the REST API as a mandatory architectural standard to make sure that sensitive credentials remain encrypted and accessible only through the secure Salesforce user interface.

           