We have a web application developed in Salesforce (apex classes/ triggers and visualforce pages). This web application is talking to our APIs externally using endpoint urls with username and password. As of right now these password/username and endpoint url are being stored in apex classes as constant strings.
In an ASP.Net application or we would usually store the credential/endpoint url in a web.config file. But in Salesforce where do we store these?
You should use either a protected Custom Setting in managed package (you would have to create this similar to creating an object, I would use the List type and try to make it as generic as possible to support many use cases) or Named Credentials, or possibly a Custom Metadata type, definitely not in code