[Salesforce] Outbound message endpoint in remote site settings

We need to add the endpoint URL in remote site settings to make HTTP callouts from Apex. But for outbound messages there is no need to add the endpoint in remote site settings. Can someone please help me understand the rationale behind this? Thanks.

Best Answer

I'm not 100% sure on this, but I can imagine this being a reason:

If you use an outbound message, a message is sent to some endpoint and that's it. There's no way of handling the response. The user who sets up the workflow in Salesforce is responsible for setting the correct endpoint, and thus making sure that no data is sent somewhere it shouldn't. The endpoint is static, set "hard coded" in the workflow.

If you do a callout from Apex, a response is returned and can be handled accordingly. In my experience, it's not unthinkable that the endpoint that's used is dynamic. For instance, I wrote an integration that had a single authentication endpoint; in the authentication response, an endpoint is given for subsequent requests. If the delivery of the second endpoint is somehow compromised, a third party could provide an alternative endpoint to which data is then sent. This could lead to data being sent to the wrong endpoint, or the third party could send responses that may do harm to the system. To prevent this from happening, we are required to add the endpoints that are used for Apex callouts.
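
The dynamic-endpoint scenario from the answer above, as an added example that is not part of the original answer or any Salesforce sample: an Apex class that checks the endpoint returned by the authentication call against its own host allowlist before sending data, with Remote Site Settings as the platform-level backstop. The class name, the `example.com` hosts and the `endpoint` JSON field are assumptions made for illustration.

```apex
// Added example: class name, hosts and JSON field name are hypothetical.
public with sharing class TwoStepCallout {
    // Constructed values; each host also needs a Remote Site Setting entry.
    private static final String AUTH_ENDPOINT = 'https://auth.example.com/token';
    private static final Set<String> ALLOWED_HOSTS = new Set<String>{
        'api.example.com', 'api-eu.example.com'
    };

    public class EndpointException extends Exception {}

    // Accept only https URLs whose parsed host is on the allowlist.
    // Parsing first means a value such as https://api.example.com@other.host
    // is judged by its real host, not by a prefix match on the string.
    @TestVisible
    private static String validateEndpoint(String candidate) {
        if (String.isBlank(candidate)) {
            throw new EndpointException('Auth response contained no endpoint');
        }
        Url parsed = new Url(candidate);
        if (parsed.getProtocol() != 'https'
                || !ALLOWED_HOSTS.contains(parsed.getHost().toLowerCase())) {
            throw new EndpointException('Endpoint not allowed: ' + candidate);
        }
        return candidate;
    }

    public static HttpResponse sendRecord(String payloadJson) {
        Http http = new Http();

        // Step 1: fixed authentication endpoint.
        HttpRequest authReq = new HttpRequest();
        authReq.setEndpoint(AUTH_ENDPOINT);
        authReq.setMethod('POST');
        HttpResponse authRes = http.send(authReq);

        // Step 2: the endpoint for later requests comes from the response,
        // so it is treated as untrusted input and validated before use.
        Map<String, Object> body =
            (Map<String, Object>) JSON.deserializeUntyped(authRes.getBody());
        String nextEndpoint = validateEndpoint((String) body.get('endpoint'));

        HttpRequest dataReq = new HttpRequest();
        dataReq.setEndpoint(nextEndpoint);
        dataReq.setMethod('POST');
        dataReq.setHeader('Content-Type', 'application/json');
        dataReq.setBody(payloadJson);
        // A host without a Remote Site Setting makes send() throw
        // System.CalloutException, so no data leaves the org.
        return http.send(dataReq);
    }
}
```

The in-code allowlist gives a specific, loggable rejection reason; the Remote Site Setting remains the control that holds even if the code check is removed or bypassed.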