Enhance the Security of Your Salesforce Experience Cloud Site: A Comprehensive Checklist
Salesforce’s Experience Cloud empowers organizations to foster connections among customers, partners, and employees while safeguarding sensitive data. To ensure maximum security within your Experience Cloud environment, here’s a thorough checklist covering the top 10 settings and features to verify:
01. Review the Object and Field Access for Community Users
Access to Objects and Fields for users is managed via Profiles and Permissions Sets. It’s crucial to configure Community-specific User Profiles and Permissions Sets with maximum restrictions. Each community user should only access data essential for engaging with your organization.
02. Assess External Org-Wide Sharing Settings
External org-wide defaults provide complete control over the fundamental record access for site and portal users. It’s important to note that the Default External Access setting for objects may not always be Private. We strongly advise setting the default external access to Private for all objects and subsequently granting access through other methods such as Declarative Sharing Rules or Sharing Sets.
03. Validate Guest User Access
When your Experience Cloud site is set up for public access, ensure that you secure the access unauthenticated guest users have to your organization’s data. Find out more information on how to do this.
04. Utilize the Health Check tool to check on Objects exposed to External Users
Utilize Health Check to detect and resolve potential security vulnerabilities in your Salesforce Org settings, all conveniently managed from a single page. The “Number of Objects with Default External Access Set to Public” metric within Health Check indicates the number of objects with a default sharing model of either Public Read/Write or Public Read Only. This implies that if the Community profile has ‘Read’ or ‘Edit’ access to the object, external users can access and modify all records of that object.
To access the Security Health Check, navigate to Setup, search for “Health Check” in the Quick Find box, and select Health Check. Further details are available for your reference.
05. Perform Portal Health Checks
This tool serves as an additional resource to ensure that your Community security aligns with your requirements. Portal health check reports display your security-related portal settings and offer insights to enhance portal security. To access portal health check reports, navigate to Setup, enter “Portal Health Check” in the Quick Find box, and then select Portal Health Check. Further details are available for your reference.
06. Ensure Custom Code Compliance
When incorporating Custom Code or Custom components in your community, it’s essential to review the code thoroughly to eliminate any security vulnerabilities. Exercise caution when utilizing the ‘Without Sharing’ keyword.
07. Audit Third-Party Access to Your Salesforce Org
Conduct a thorough audit of all third-party access granted to external users within your organization, and restrict access solely to apps and associated components, such as custom objects, Apex code, and Visualforce pages, that are essential for their needs. Additionally, regularly review and remove any third-party apps that have been discontinued from your organization.
08. Implement File Upload Restrictions
Limit the size and formats of files allowed for upload by your members. This list of acceptable file types empowers you to manage uploads effectively and prevents spammers from inundating your Experience Cloud site with unsuitable files.
You can configure these settings within your Experience Builder Site’s Community Workspace under Administration > Preferences.
09. Enable Clickjack Protection for Experience Builder Sites
Clickjacking involves deceiving users into clicking elements, like buttons or links, by making them appear safe. Hackers achieve this by creating hidden iframes that point to pages on your Experience Cloud site, tricking users into interacting with seemingly innocuous elements. However, instead of the visible element responding to the click, it’s intercepted by an invisible iframe overlaying the page. Clickjacking can result in various malicious actions, including data breaches, unauthorized emails, altered credentials, or other harmful outcomes specific to the site.
Implementing clickjack protection enhances your site’s security by enabling you to regulate whether browsers permit frames linking to your pages. For further information, refer to our resources.
10. Establish Content Security Policy (CSP)
Select a security level to manage script execution on your Experience Builder site and determine the sharing of data by third-party components and custom code. It is recommended to set it to Strict CSP for the highest level of security and to enable Lightning Locker to further enhance security measures. For additional details, please refer to our resources
By meticulously reviewing and implementing these security measures, you can fortify your Salesforce Experience Cloud site against potential threats and ensure the integrity of your organization’s data and interactions. For detailed instructions and further information on each topic, refer to the provided Salesforce documentation links.
With the rapid evolution of technology, Salesforce solutions are ever-changing and improving features. Contact our team for up-to-date information.