SOAP API Developer Guide

Introduction to SOAP API
Reference
Using the API with Salesforce Features
Implementation Considerations
Objects and SOAP API Calls and Headers for Apex
Outbound Messaging
Understanding Outbound Messaging
Understanding Notifications
Setting Up Outbound Messaging
Considerations for Security
Understanding the Outbound Messaging WSDL
Building a Listener
Data Loading and Integration
Data Replication
Feature-Specific Considerations
Glossary
PDF

Considerations for Security

To use outbound messaging, ensure that no third party can send messages to the endpoint while pretending to be from Salesforce:

  • Lock down the client application’s listener to accept requests only from Salesforce IP ranges. While this action guarantees that the message came from Salesforce, it doesn’t guarantee that another customer isn’t pointing to your endpoint and sending messages. For an up-to-date list of Salesforce IP ranges, see https://help.salesforce.com/articleView?id=000321501&type=1&mode=1
  • Use SSL/TLS. Using SSL/TLS provides confidentiality while data is transported across the internet. Without it, a malicious third party can eavesdrop on your data. This issue is especially important if you pass data with privacy requirements and you pass a SessionId with the message. Also, we authenticate the certificate presented on connection, ensure that it is from a valid Certificate Authority, and check that the domain in the certificate matches the one Salesforce is trying to connect. This validation prevents us from communicating with the wrong endpoint.
  • When you select Send Session ID, only HTTPS is supported for the endpoint URL to ensure secure transmission of the session ID. For managed and unmanaged packages created before Spring ’19 with this option but without an HTTPS endpoint, subscribers can still install them. Starting in Spring ’19, you can’t create packages with insecure outbound message options.
  • The SessionId included in the outbound message is scoped only for API requests and doesn’t apply to UI requests.
  • If the configuration of your application (endpoint) server's SSL/TLS allows, validate the identity of the Salesforce server when it takes the role of a client to your server, using the Salesforce client certificate. For instructions to download the certificate, see Downloading the Salesforce Client Certificate.
  • The organization Id is included in each message. For more information about the Id field type, see ID Field Type. In your client application, validate that messages contain your organization Id.