What is Remote Site Settings in Salesforce?

What is Remote Site Settings?

Remote Site Settings in Salesforce is a security feature that allows administrators to whitelist external endpoints so that Apex code and integrations can make callouts to those external web services. By adding a remote site, you explicitly tell Salesforce which external URLs are trusted for outbound HTTP/HTTPS requests.

Why Remote Site Settings matter

Salesforce runs in a secure, multi-tenant environment. To prevent unauthorized outbound requests, Salesforce blocks callouts to unknown external endpoints by default. Adding a Remote Site Setting is a required step when you perform Apex callouts to third-party APIs or external services (unless you use alternatives such as Named Credentials).

When to use Remote Site Settings

Use Remote Site Settings when:

  • You write Apex that performs HTTP callouts to external REST or SOAP APIs.
  • You configure certain integrations that require direct HTTP access from Salesforce.
  • You are not using Named Credentials (recommended alternative) or a proxy that handles authentication.

How to configure Remote Site Settings

Steps to add a Remote Site in Salesforce:

  1. Navigate to Setup > Quick Find > Remote Site Settings.
  2. Click New Remote Site.
  3. Enter a descriptive Remote Site Name and the Remote Site URL (e.g., https://api.example.com).
  4. Add an optional description and ensure the setting is Active.
  5. Save the record.

Sample Apex callout (requires Remote Site Setting)

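// Build the request; the host in the endpoint must match an active Remote Site Setting.
HttpRequest req = new HttpRequest();
req.setEndpoint('https://api.example.com/v1/data');
req.setMethod('GET');

// Send the callout and log the response body.
Http http = new Http();
HttpResponse res = http.send(req);
System.debug(res.getBody());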

Before this code succeeds, add https://api.example.com to Remote Site Settings (or use a Named Credential which avoids hard-coding endpoints).

Best practices and security considerations

  • Prefer Named Credentials over Remote Site Settings because Named Credentials centralize authentication and simplify endpoint management.
  • Keep Remote Site entries as specific as possible (avoid wildcard domains) to reduce attack surface.
  • Use HTTPS endpoints to ensure data in transit is encrypted.
  • Document each Remote Site entry with purpose and owner for easier audits.
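The checks in the list above can be run against an org's retrieved metadata. The following is an added example, not code from the original page or from Salesforce: it assumes the RemoteSiteSetting files have been retrieved in source format (`*.remoteSite-meta.xml`), the function names are hypothetical, and the two sample files are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample metadata (not from a real org), keyed by file name.
SAMPLE_FILES = {
    "Billing_API.remoteSite-meta.xml": """
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <description>Billing API callouts; owner: integrations team</description>
    <disableProtocolSecurity>false</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>https://api.example.com</url>
</RemoteSiteSetting>""",
    "Legacy_Feed.remoteSite-meta.xml": """
<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
    <disableProtocolSecurity>true</disableProtocolSecurity>
    <isActive>true</isActive>
    <url>http://feed.example.org</url>
</RemoteSiteSetting>""",
}


def audit_remote_site(xml_text):
    """Return the list of findings for one RemoteSiteSetting file."""
    root = ET.fromstring(xml_text.strip())

    def field(tag):
        return (root.findtext(f"md:{tag}", "", NS) or "").strip()

    url = urlsplit(field("url"))
    findings = []
    if url.scheme.lower() != "https":
        findings.append("endpoint is not HTTPS")
    if field("disableProtocolSecurity").lower() == "true":
        findings.append("protocol security disabled")
    if "*" in url.netloc:
        findings.append("wildcard in host")
    if not field("description"):
        findings.append("no description (purpose and owner undocumented)")
    return findings


def audit_all(files):
    """Map file name -> findings, keeping only entries that have findings."""
    report = {name: audit_remote_site(xml) for name, xml in files.items()}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_FILES).items():
        print(name, "->", "; ".join(found))
```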

Limitations

Remote Site Settings only whitelist endpoints for Apex callouts and some integrations. They are not a substitute for CORS or Content Security Policy (CSP) Trusted Sites needed for client-side/browser requests (Lightning components, Visualforce with JS, etc.).

Quick comparison: Remote Site Settings vs Named Credentials

Remote Site Settings:

  • Whitelist endpoints only.
  • Do not manage authentication — code must handle credentials or tokens.

Named Credentials:

  • Provide endpoint plus authentication configuration (OAuth, basic auth, etc.).
  • Allow direct use in Apex via the Named Credential URL without embedding credentials in code.
