Code reviews rule: Insecure endpoint callouts

Written by David Martin
Updated yesterday

Insecure endpoint callouts

Why is this an issue?

Using HTTP instead of HTTPS for external callouts exposes data to interception through man-in-the-middle attacks. Sensitive information such as authentication tokens, API keys, and business data can be captured by attackers monitoring network traffic.

Examples

Example of incorrect code:

Http http = new Http();
HttpRequest request = new HttpRequest();
request.setEndpoint('http://api.example.com/data');
request.setMethod('GET');
HttpResponse response = http.send(request);

Example of correct code using HTTPS:

Http http = new Http();
HttpRequest request = new HttpRequest();
request.setEndpoint('https://api.example.com/data');
request.setMethod('GET');
HttpResponse response = http.send(request);

Example of correct code using Named Credentials (recommended):

Http http = new Http();
HttpRequest request = new HttpRequest();
request.setEndpoint('callout:ExampleAPI/data');
request.setMethod('GET');
HttpResponse response = http.send(request);

Example of incorrect Remote Site Setting:

<RemoteSiteSetting>
<fullName>ExampleAPI</fullName>
<url>http://api.example.com</url>
<isActive>true</isActive>
</RemoteSiteSetting>

Example of correct Remote Site Setting:

<RemoteSiteSetting>
<fullName>ExampleAPI</fullName>
<url>https://api.example.com</url>
<isActive>true</isActive>
</RemoteSiteSetting>

How can I fix violations?

  1. Use HTTPS endpoints: Change all endpoint URLs from http:// to https://.

  2. Update Remote Site Settings: Ensure all Remote Site Settings use HTTPS URLs. This rule supports autofix for Remote Site Settings, which updates the URL to HTTPS and sets disableProtocolSecurity to false.

  3. Use Named Credentials: Named Credentials enforce secure connections and simplify endpoint management.
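As an added example (not part of this rule's own implementation), the following Python script implements the rule's two checks over constructed inputs: it flags string-literal `setEndpoint` calls that use plain `http://` in Apex source, and applies the autofix described in step 2 to a Remote Site Setting (rewrite the URL to `https://` and set `disableProtocolSecurity` to `false`). It assumes the un-namespaced `<RemoteSiteSetting>` layout shown on this page; metadata files that declare an XML namespace would need namespace-qualified lookups.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from any real org.
APEX_SOURCE = """
Http http = new Http();
HttpRequest request = new HttpRequest();
request.setEndpoint('http://api.example.com/data');
request.setMethod('GET');
HttpResponse response = http.send(request);
request.setEndpoint('callout:ExampleAPI/data');
"""

REMOTE_SITE_XML = """<RemoteSiteSetting>
<fullName>ExampleAPI</fullName>
<url>http://api.example.com</url>
<isActive>true</isActive>
<disableProtocolSecurity>true</disableProtocolSecurity>
</RemoteSiteSetting>"""

# Matches string-literal endpoints passed to HttpRequest.setEndpoint.
ENDPOINT_RE = re.compile(r"setEndpoint\(\s*'([^']*)'\s*\)")


def find_insecure_apex_endpoints(source):
    """Return (line_no, url) for every literal endpoint using plain http://.
    Named Credential endpoints (callout:...) and https:// URLs pass."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for url in ENDPOINT_RE.findall(line):
            if url.lower().startswith("http://"):
                findings.append((n, url))
    return findings


def fix_remote_site_setting(xml_text):
    """Autofix: rewrite http:// to https:// and force
    disableProtocolSecurity to false. Returns (changed, new_xml)."""
    root = ET.fromstring(xml_text)
    changed = False
    url = root.find("url")
    if url is not None and url.text and url.text.lower().startswith("http://"):
        url.text = "https://" + url.text[len("http://"):]
        changed = True
    dps = root.find("disableProtocolSecurity")
    if dps is None:  # element absent: add it explicitly set to false
        dps = ET.SubElement(root, "disableProtocolSecurity")
    if dps.text != "false":
        dps.text = "false"
        changed = True
    return changed, ET.tostring(root, encoding="unicode")
```

Running `find_insecure_apex_endpoints(APEX_SOURCE)` reports only the `http://` line; the Named Credential call is accepted, and `fix_remote_site_setting(REMOTE_SITE_XML)` returns the corrected setting with `changed` set to `True`.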
