Enhance the Security of Your Salesforce Experience Cloud Site: A Comprehensive Checklist

Salesforce’s Experience Cloud empowers organizations to foster connections among customers, partners, and employees while safeguarding sensitive data. To ensure maximum security within your Experience Cloud environment, here’s a thorough checklist covering the top 10 settings and features to verify: 

01. Review the Object and Field Access for Community Users

Access to Objects and Fields for users is managed via Profiles and Permission Sets. It’s crucial to configure Community-specific User Profiles and Permission Sets with maximum restrictions. Each community user should only access data essential for engaging with your organization.

02. Assess External Org-Wide Sharing Settings

External org-wide defaults provide complete control over the fundamental record access for site and portal users. It’s important to note that the Default External Access setting for objects may not always be Private. We strongly advise setting the default external access to Private for all objects and subsequently granting access through other methods such as Declarative Sharing Rules or Sharing Sets.

03. Validate Guest User Access

When your Experience Cloud site is set up for public access, ensure that you secure the access unauthenticated guest users have to your organization’s data. Find out more information on how to do this.

04. Utilize the Health Check tool to check on Objects exposed to External Users

Utilize Health Check to detect and resolve potential security vulnerabilities in your Salesforce Org settings, all conveniently managed from a single page. The “Number of Objects with Default External Access Set to Public” metric within Health Check indicates the number of objects with a default sharing model of either Public Read/Write or Public Read Only. This implies that if the Community profile has ‘Read’ or ‘Edit’ access to the object, external users can access and modify all records of that object.

To access the Security Health Check, navigate to Setup, search for “Health Check” in the Quick Find box, and select Health Check. Further details are available for your reference.

05. Perform Portal Health Checks

This tool serves as an additional resource to ensure that your Community security aligns with your requirements. Portal health check reports display your security-related portal settings and offer insights to enhance portal security. To access portal health check reports, navigate to Setup, enter “Portal Health Check” in the Quick Find box, and then select Portal Health Check. Further details are available for your reference.

06. Ensure Custom Code Compliance

When incorporating Custom Code or Custom components in your community, it’s essential to review the code thoroughly to eliminate any security vulnerabilities. Exercise caution when using the ‘without sharing’ keyword, which makes Apex ignore the running user’s record-level sharing.
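As an added illustration (not code from the original post or from Salesforce), the two Apex classes below show a hypothetical case-lookup controller for a community site: the first uses ‘without sharing’ and so returns records the external user should never see, the second is the hardened form. Names such as CaseLookupController are assumptions; WITH USER_MODE assumes API version 58.0 or later.

```apex
// Added example, not from the original post. Hypothetical controller that lets an
// Experience Cloud user search their own cases from a Lightning component.

// RISKY PATTERN: 'without sharing' bypasses external org-wide defaults, sharing
// sets and sharing rules, so a community (or guest) user receives every Case in
// the org. Field-level security on Subject/Description is not enforced either.
public without sharing class CaseLookupControllerRisky {
    @AuraEnabled(cacheable=true)
    public static List<Case> findCases(String subjectFragment) {
        String pattern = '%' + subjectFragment + '%';
        return [SELECT Id, Subject, Description
                FROM Case
                WHERE Subject LIKE :pattern
                LIMIT 50];
    }
}

// HARDENED PATTERN: 'with sharing' applies the running user's record access
// (external OWD, sharing sets, sharing rules). WITH USER_MODE additionally
// enforces object- and field-level security for this query; if the user's
// profile lacks access to a selected field, the query throws rather than
// silently leaking the value, so the caller catches and reports that case.
public with sharing class CaseLookupController {
    @AuraEnabled(cacheable=true)
    public static List<Case> findCases(String subjectFragment) {
        String pattern = '%' + subjectFragment + '%';
        try {
            return [SELECT Id, Subject, Description
                    FROM Case
                    WHERE Subject LIKE :pattern
                    WITH USER_MODE
                    LIMIT 50];
        } catch (QueryException e) {
            // Assumed behaviour for this example: surface a generic error to the
            // component instead of exposing which field the user may not read.
            throw new AuraHandledException('Unable to search cases.');
        }
    }
}
```

For DML paths the same idea applies: keep the class ‘with sharing’ and pass records through Security.stripInaccessible(AccessType.CREATABLE, records) or use ‘as user’ on the DML statement before writing community-submitted data.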

07. Audit Third-Party Access to Your Salesforce Org

Conduct a thorough audit of all third-party access granted to external users within your organization, and restrict access solely to apps and associated components, such as custom objects, Apex code, and Visualforce pages, that are essential for their needs. Additionally, regularly review and remove any third-party apps that have been discontinued from your organization.

08. Implement File Upload Restrictions

Limit the size and formats of files allowed for upload by your members. This list of acceptable file types empowers you to manage uploads effectively and prevents spammers from inundating your Experience Cloud site with unsuitable files.

You can configure these settings within your Experience Builder Site’s Community Workspace under Administration > Preferences.

09. Enable Clickjack Protection for Experience Builder Sites

Clickjacking involves deceiving users into clicking elements, like buttons or links, by making them appear safe. Hackers achieve this by creating hidden iframes that point to pages on your Experience Cloud site, tricking users into interacting with seemingly innocuous elements. However, instead of the visible element responding to the click, it’s intercepted by an invisible iframe overlaying the page. Clickjacking can result in various malicious actions, including data breaches, unauthorized emails, altered credentials, or other harmful outcomes specific to the site.

Implementing clickjack protection enhances your site’s security by enabling you to regulate whether browsers permit frames linking to your pages. For further information, refer to our resources.

10. Establish Content Security Policy (CSP)

Select a security level to manage script execution on your Experience Builder site and determine the sharing of data by third-party components and custom code. It is recommended to set it to Strict CSP for the highest level of security and to enable Lightning Locker to further enhance security measures. For additional details, please refer to our resources.

By meticulously reviewing and implementing these security measures, you can fortify your Salesforce Experience Cloud site against potential threats and ensure the integrity of your organization’s data and interactions. For detailed instructions and further information on each topic, refer to the provided Salesforce documentation links.

Experience the difference with Redpath, where your success is our priority.

At Redpath, we prioritize building a valued partnership. Our commitment is to deliver technology that enables your organization to drive to your outcomes and yield tangible results. 

With the rapid evolution of technology, Salesforce solutions are ever-changing and improving features. Contact our team for up-to-date information.

Published On: February 7, 2024

About the Author: Sathyabama Balasubramaniam

Sathya is a certified CRM Professional with extensive experience in CRM System administration, business analysis, testing and Customer support and strongly believes in “It’s all about the customer”. Sathya worked with clients in a variety of industries including computer technology, medical, retail and nonprofit. Outside of Redpath’s office, she keeps connected to the nonprofit community through volunteerism.