Open CTI and Security
We recommend that all Open CTI implementations use HTTPS in the reqAdapterUrl element in their call center definition file. Using HTTPS ensures that traffic between your telephony server and Salesforce is encrypted.
By using HTTPS, Open CTI inherits all the benefits of browser and cloud-based security because it points directly to the softphone provider using a secure connection. When users access the softphone on any Salesforce page, it’s displayed in an iFrame and all messages from the softphone to Salesforce are sent via Window.postMessage() methods. For each message sent, the target is restricted to Salesforce. For each message received, Salesforce verifies its format and the sender origin.
For Salesforce Classic console apps, if your CTI phone is running on a server with a non-standard port, make sure to include the port number in your domain. For example, if your server is called myserver and your port number is 8500, include myserver:8500 as an allowed URL in your Salesforce console. This setting doesn’t apply to Lightning console apps.
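The sender-origin and format checks described above for Window.postMessage() traffic, and the reason a non-standard port has to be part of the allowed URL, shown as an added example. This is not Salesforce or Open CTI code: the function names, the message shape and the lookalike.example host are assumptions made for illustration, and the sample events are constructed.

```javascript
// Added illustration: not Salesforce or Open CTI source code.
// Function names, the message shape and the sample origins are assumptions.

// Reduce a configured URL to its origin (scheme + host + port); HTTPS only.
function toOrigin(url) {
  const u = new URL(url);
  if (u.protocol !== 'https:') throw new Error(`refusing non-HTTPS URL: ${url}`);
  return u.origin; // default port 443 is dropped, a non-standard port is kept
}

// Hypothetical message format: { type: <known string>, payload: <object> }.
const KNOWN_TYPES = new Set(['callStarted', 'callEnded']);
function isWellFormed(data) {
  return data !== null && typeof data === 'object' && !Array.isArray(data) &&
    typeof data.type === 'string' && KNOWN_TYPES.has(data.type) &&
    data.payload !== null && typeof data.payload === 'object';
}

// Build a 'message' handler that accepts only exact-origin, well-formed messages.
function makeReceiver(allowedUrls, onMessage) {
  const allowed = new Set(allowedUrls.map(toOrigin));
  return function receive(event) {
    if (!allowed.has(event.origin)) return 'rejected:origin'; // exact match, never a prefix test
    if (!isWellFormed(event.data)) return 'rejected:format';
    onMessage(event.data);
    return 'accepted';
  };
}

// Send with an explicit target origin instead of '*', so the browser drops the
// message if the receiving window is no longer on that origin.
function sendTo(targetWindow, targetUrl, message) {
  targetWindow.postMessage(message, toOrigin(targetUrl));
}

// Constructed sample events; in a browser: window.addEventListener('message', receive).
const seen = [];
const receive = makeReceiver(['https://myserver:8500/softphone'], (m) => seen.push(m.type));
const results = [
  { origin: 'https://myserver:8500', data: { type: 'callStarted', payload: { id: 1 } } },
  { origin: 'https://myserver', data: { type: 'callStarted', payload: {} } }, // port missing
  { origin: 'https://myserver.lookalike.example:8500', data: { type: 'callEnded', payload: {} } },
  { origin: 'https://myserver:8500', data: '{"type":"callStarted"}' }, // string, not object
].map(receive);
console.log(results);
```

Because an origin includes the port, `https://myserver` and `https://myserver:8500` are different senders, which is why the port must appear in the allowed URL.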