Salesforce B2C Commerce 24.5 > B2C Commerce Security Guide > Security Best Practices for Developers

Secret Storage

⚠️ The annual cost of maintaining the server where this website is hosted, the domain, and keeping it up-to-date is approximately €3,000 per year. Help us with a small donation to cover these expenses. Support Now!

0 / 10000 €

Storing and using secrets is one of the most sensitive actions taken by a developer to ensure the security of shopper information. A secret can be, and is not limited to, the following items.

  • Credentials used to authenticate to remote services, such as username and password, API tokens, access tokens, and session IDs.
  • Secret keys used to encrypt or decrypt sensitive data, such as private or symmetric keys.

You can help prevent data exposure in a number of ways. First, make sure that sensitive data in forms isn’t logged or otherwise stored unless it’s absolutely necessary. Data that isn’t retained can’t be stolen. If you must store sensitive data, discard it as soon as possible and make sure that it’s encrypted. For credit card data, make sure that you use PCI DSS compliant tokenization or truncation.

You can use the following APIs to store secrets securely on Salesforce B2C Commerce.

  • Service credentials
  • Private keys
  • Custom object attributes

Service Credentials

For each web service, the framework requires a service configuration, service profile configuration, and service credential configuration. You can create and manage these configurations in Business Manager.

Service credentials are accessible in B2C Commerce API as the dw.svc.ServiceCredential object. They are read-only and should never be returned to a storefront request or written into any logs.

Private Keys

Cryptographic keys and certificates are pivotal resources for encryption and decryption, authentication, signatures, and more. Manage these keys and certificates by using the dedicated Business Manager wizard. They are accessible in the script API using the CertificateRef and KeyRef classes.

Custom Object Attribute

You can extend the B2C Commerce object model by using custom objects. You can customize custom attributes, their respective fields, and properties of the custom object type.

Use type PASSWORD with any custom object attribute that handles secret information.

Related concepts
Web Services
Custom Objects
Related information
Class ServiceConfig
Class CertificateRef
Class KeyRef
Class ServiceCredential
Trailhead: Salesforce B2C Commerce for Developers

Infocenter Retirement: On June 30, 2023, the Infocenter was retired, and documentation currently hosted on the Infocenter will be published to Salesforce Help, Commerce Cloud Developer Center, and Salesforce B2C Commerce Developer Documentation Resources. For more information, see the release note.