Salesforce LWR Experience Cloud: A Candid Architect’s Guide

Jitendra Zaa — Tue, 16 Dec 2025 19:06:24 +0000

ARCHITECT'S GUIDE

Salesforce LWR Experience Cloud

A candid, implementation-tested guide to Lightning Web Runtime. Learn what the marketing doesn't tell you about limitations, migration challenges, and when LWR is the right choice.

7
Critical Limitations

500
Max Routes per Site

0
Generic Record Pages

~50%
Faster Page Loads

1
What is Lightning Web Runtime (LWR)?

Lightning Web Runtime is Salesforce's next-generation framework for building Experience Cloud sites. According to the official Salesforce developer documentation, unlike Aura-based sites that render components dynamically at runtime, LWR takes a fundamentally different approach by pre-compiling and caching static content during the publish process.

Core Promises of LWR

Sub-second Page Loads

Through static content delivery and CDN caching, LWR delivers significantly faster page loads than Aura sites.

Standards-Based Development

Built on modern web technologies (HTML, JavaScript, CSS) without proprietary abstractions.

Enhanced Security

Uses Lightning Web Security (LWS) instead of Lightning Locker for better component isolation.

Future-Proofing

All new Experience Cloud features and enhancements will be built exclusively for LWR.

...

→ Read the full article on jitendrazaa.com

7 Ways to Secure Experience Cloud

Jitendra — Sun, 30 Apr 2023 02:38:54 +0000

Experience cloud is a powerful feature on the Salesforce platform where you can expose a subset of data and capabilities for external users as well as some capabilities for unauthenticated public users. This extremely powerful capability comes with huge responsibility, which is setting up the right security.

By this time, you must have heard many news like this where the Salesforce experience cloud is leaking information. As per this IBM study, the average cost of a data breach is around 10M.

Let me clarify, Salesforce is not leaking the information, but the bad implementation is.

Coincidently, beginning this year, I did a health check for one of my customers, and the biggest flag I raised was in experience cloud security. That analysis is still fresh, and I would like to jot it down in this blog post.

1. Org Wide Default settings for external users

This is no brainer for anyone in the Salesforce ecosystem, The OWD for external users should be set to the most restrictive setting possible to minimize the risk of unauthorized access to sensitive information.

2. Open up Security using standard & recommended way

Take the help of Role to open security for external authenticated users followed by sharing rules or sharing sets. Do not forget each experience cloud site has its dedicated guest user that can be used in Sharing rule, an extremely powerful feature for security.

3. Choosing the Right License

Depending on license type like High Volume Customer Community, Customer Community Plus & Partner Community object access is decided. Therefore profile can be used to control access to objects, fields, etc. Always go with the mindset of least access and then open up the field, record type, etc, access as needed, do not follow the principle of the benefit of the doubt in security.

4. Avoid Saving License Costs Using Customizations

This is the most common reason for security breaches in the experience cloud. Just to save the license cost, developers end up creating custom LWC, Aura, or Visualforce and exposing them publicly. Using this approach, wonders can happen. Like updating an Account without login, however, with some play with the parameter, it could very easily expose data to the external world. Make sure every Apex class that is written follows all security best practices like using with sharing keyword, stripInaccessible method , avoiding dynamic SOQL, enforcing user mode for database operations, filter SOQL queries WITH SECURITY_ENFORCED.

5. Regularly Run Security Scans

Use tools like Salesforce event monitoring, Transaction policy, CheckMarx, IBM Qradar, etc, to regularly scan code, user behavior, etc., to identify potential vulnerabilities and take appropriate action to address them. Monitoring unauthenticated user behavior is extremely complicated, but tools like Google Analytics can help in profiling user patterns and behavior.

Run Portal Health Check frequently and act as per Salesforce recommendations (sample report below).

6. Session Time Out

Setting an appropriate user timeout in Salesforce session settings is an important aspect of securing Salesforce Experience Cloud. By setting a user timeout, you can automatically log users out of the system after a specified period of inactivity, helping to protect against unauthorized access.

7. Enable Multi-Factor Authentication

Multi-factor authentication (MFA) is an important aspect of securing Salesforce Experience Cloud, as it adds an additional layer of security to the login process. MFA requires users to provide two or more forms of authentication, such as a password and a security token, to access the system.

It is important to ensure that every user in the Salesforce org, both internal and external, is using MFA, even if they are using single sign-on (SSO). While SSO provides a convenient way for users to access multiple systems with a single login, it does not provide the same level of security as MFA.

Security breaches don’t announce themselves, but the damage they cause will be loud and clear an could result in the demise of the whole organization.

If you have anything else to add, please feel free to post in the comment below.

Architecture – Jitendra Zaa