Setting up a Remote Site is a straightforward Setup task, but doing it well requires thinking about security, environment differences, and the broader integration architecture. The workflow below covers the standard sequence for adding a new external endpoint that Apex needs to call.
- Identify the endpoint and confirm HTTPS
Document the external endpoint Apex needs to call: the full URL including scheme, host, and port. Confirm the endpoint supports HTTPS. If only HTTP is available, decide whether to enable Disable Protocol Security (rare) or to stand up a TLS-terminating proxy (preferred). Capture the business purpose and the integration owner for the documentation.
- Add the Remote Site in Setup
From Setup, search for Remote Site Settings and click New Remote Site. Provide a descriptive name (no spaces), the full Remote Site URL, a description explaining the business purpose. Leave Disable Protocol Security unchecked unless absolutely necessary. Set the Active checkbox to true. Save. The new Remote Site appears in the list and is immediately effective for Apex callouts.
- Write the Apex callout code
In Apex, construct an HttpRequest with the target URL, set the method (GET, POST, PUT, DELETE), set any required headers, and send through Http.send(). Handle the response: parse the body, check the status code, handle errors gracefully. Cover the code with unit tests using HttpCalloutMock to simulate the external service. Run the tests in sandbox to confirm the callout works as expected.
- Promote across environments and document
Add equivalent Remote Site entries in each environment (UAT sandbox, production) with the appropriate URL for that environment. Promote the Apex code through the standard deployment pipeline. Document the integration in the org's integration runbook: the Remote Site, the Apex class, the external service, the business owner, the error-handling strategy. Schedule a periodic review of the entry to confirm it stays valid as the external service evolves.
Descriptive name (no spaces) identifying the external service the Remote Site allows callouts to.
The full URL including scheme, host, and port that the Remote Site authorizes.
Must be checked for the Remote Site to be effective. Inactive entries do not allow callouts.
Required to create and edit Remote Site Settings in Setup.
The Apex class that issues HttpRequest objects against the registered URL.
- Each subdomain requires its own Remote Site entry. There is no wildcard support for hosts.
- Disable Protocol Security exposes data in transit. Use it only when absolutely necessary and document why.
- Remote Site URL is hardcoded. Environment-specific endpoints require Custom Settings or Custom Metadata Types to hold the URL value.
- Stale entries represent attack surface. Audit quarterly to confirm each entry still serves its purpose.
- Named Credentials are preferred for any callout that needs authentication. Remote Site Settings is best for unauthenticated callouts.