Hardcoded URLs in Apex code create several problems that affect maintainability, security, and reliability.
When URLs are embedded directly in the code as string literals, they become difficult to manage across different environments. Development,
staging, and production environments often use different endpoints, and hardcoded URLs require code changes to switch between them.
For Salesforce instance URLs specifically, hardcoding creates a critical issue with My Domain enforcement. Salesforce is phasing out legacy host
names and requiring all API calls to use My Domain URLs. Hardcoded instance URLs like na1.salesforce.com will break when My Domain
enforcement is applied, causing API failures and integration issues.
External service URLs present additional challenges. Hardcoded external endpoints make it difficult to implement proper security controls, rotate
API endpoints, or manage different service configurations across environments. They also make the code less flexible and harder to test with mock
services.
From a security perspective, hardcoded URLs can expose sensitive endpoints in the source code and make it harder to implement centralized URL
management and monitoring.
What is the potential impact?
Applications may break when Salesforce enforces My Domain requirements, causing API failures and integration issues. Hardcoded external URLs reduce
flexibility in managing different environments and make it difficult to implement proper security controls or rotate endpoints when needed.
