Remote Site Settings


Definition

Remote Site Settings is a Setup page where administrators register external URLs that Salesforce Apex code is allowed to call. Before Apex can make an HTTP callout to an external endpoint, the endpoint's domain must be added as a Remote Site. This allowlist prevents unauthorized outbound connections from the platform.

Real-World Example

A developer at OrbitTech writes an Apex class that calls an external weather API. When she tests it, the callout fails with an "Unauthorized endpoint" error. She navigates to Remote Site Settings, adds "https://api.weatherservice.com" as a trusted remote site, and the callout works on the next test.

Why Remote Site Settings Matters

Remote Site Settings is a Setup page where administrators register the external URLs that Salesforce Apex code is permitted to call via HTTP callouts. Before any Apex class can make an outbound request to an external endpoint, that endpoint's domain must be explicitly added as a Remote Site. This allowlist mechanism is a critical security control that prevents unauthorized outbound connections from the platform, ensuring that even if malicious code were injected, it could not exfiltrate data to unapproved destinations.

As organizations build more integrations -- connecting Salesforce to payment processors, shipping APIs, weather services, CRM enrichment tools, and internal microservices -- the Remote Site Settings page grows into a registry of all trusted external dependencies. Poor management of this registry creates problems in both directions: missing entries cause callout failures with cryptic 'Unauthorized endpoint' errors that waste developer time, while stale entries for decommissioned services represent unnecessary openings in the security perimeter. Mature orgs treat Remote Site Settings as part of their change management process, requiring documentation and approval before any new external endpoint is registered.

How Organizations Use Remote Site Settings

  • OrbitTech — OrbitTech's developer writes an Apex class to call an external weather API but encounters an 'Unauthorized endpoint' error during testing. After adding the API domain to Remote Site Settings, the callout succeeds. This simple but crucial step is now part of their developer onboarding checklist to prevent the same issue for new team members.
  • PayStream Financial — PayStream registers their payment gateway's domain in Remote Site Settings with HTTPS required. When a junior developer accidentally tries to configure an HTTP-only endpoint for a new payment provider, the system rejects the callout. This enforcement prevents sensitive payment data from being transmitted over an unencrypted connection.
  • DataFusion Systems — DataFusion maintains 47 Remote Site entries across multiple integration endpoints. During a quarterly security review, they discover 12 entries pointing to decommissioned API endpoints from a vendor they no longer use. Removing these entries reduces their attack surface and simplifies their integration documentation.
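
The kind of periodic review described above can be scripted. The following is an added example, not code from this page or from Salesforce: it assumes the org's remote sites have been retrieved as `RemoteSiteSetting` Metadata API XML, and the approved-host registry, the `_site` helper and the sample entries (other than the weather API URL) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "{http://soap.sforce.com/2006/04/metadata}"  # Metadata API XML namespace

def audit_remote_site(xml_text, approved_hosts):
    """Return a list of findings for one RemoteSiteSetting metadata file."""
    root = ET.fromstring(xml_text)
    text = lambda tag: (root.findtext(NS + tag) or "").strip()
    url = urlparse(text("url"))
    host = (url.hostname or "").lower()
    findings = []
    if url.scheme.lower() != "https":
        findings.append("callouts allowed over non-HTTPS scheme")
    # disableProtocolSecurity=true lets code pass data between HTTPS and HTTP sessions
    if text("disableProtocolSecurity").lower() == "true":
        findings.append("protocol security disabled")
    if host not in approved_hosts:
        findings.append("host not in approved registry")
    if text("isActive").lower() != "true":
        findings.append("inactive entry, candidate for removal")
    return findings

def audit_all(sites, approved_hosts):
    """Map entry name -> findings, omitting entries with nothing to report."""
    approved = {h.lower() for h in approved_hosts}
    report = {}
    for name, xml_text in sites.items():
        findings = audit_remote_site(xml_text, approved)
        if findings:
            report[name] = findings
    return report

def _site(url, active="true", disable="false"):
    """Build a constructed RemoteSiteSetting document for the sample data."""
    return ('<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">'
            f"<disableProtocolSecurity>{disable}</disableProtocolSecurity>"
            f"<isActive>{active}</isActive><url>{url}</url></RemoteSiteSetting>")

# Constructed sample input: entry names, hosts and the registry are hypothetical.
SAMPLE_SITES = {
    "WeatherService": _site("https://api.weatherservice.com"),
    "LegacyVendor": _site("https://api.old-vendor.example"),
    "PaymentsTest": _site("http://pay.example", disable="true"),
}
APPROVED = {"api.weatherservice.com", "pay.example"}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SITES, APPROVED).items():
        print(name, "->", "; ".join(findings))
```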
