{"id":7784,"date":"2023-04-29T22:38:54","date_gmt":"2023-04-30T02:38:54","guid":{"rendered":"https:\/\/www.jitendrazaa.com\/blog\/?p=7784"},"modified":"2023-05-01T16:28:50","modified_gmt":"2023-05-01T20:28:50","slug":"7-ways-to-secure-experience-cloud","status":"publish","type":"post","link":"https:\/\/www.jitendrazaa.com\/blog\/salesforce\/7-ways-to-secure-experience-cloud\/","title":{"rendered":"7 Ways to Secure Experience Cloud"},"content":{"rendered":"\n<p class=\"justify\"><a href=\"https:\/\/www.jitendrazaa.com\/blog\/tag\/experience-cloud\/\">Experience cloud<\/a> is a powerful feature on the Salesforce platform where you can expose a subset of data and capabilities for external users as well as some capabilities for unauthenticated public users. This extremely powerful capability comes with huge responsibility, which is setting up the right security.<\/p>\n\n\n\n<p class=\"justify\">By this time, you must have heard <a href=\"https:\/\/arstechnica.com\/information-technology\/2023\/04\/misconfigured-servers-running-salesforce-software-are-leaking-sensitive-data\/\">many news stories like this<\/a> where the Salesforce experience cloud is leaking information. As <a href=\"https:\/\/www.ibm.com\/reports\/data-breach?utm_content=SRCWW&amp;p1=Search&amp;p4=43700072379268754&amp;p5=e&amp;gclid=Cj0KCQjwgLOiBhC7ARIsAIeetVBWy5pG1Rexzcpd4-AEPK0Nbo1Txoxbj7AeA6UEFfeKgxW5Wm0zDrAaAtXKEALw_wcB&amp;gclsrc=aw.ds\">per this IBM study<\/a>, the average cost of a data breach is around 10M.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-very-light-gray-to-cyan-bluish-gray-gradient-background has-background\"><strong>Let me clarify: Salesforce is not leaking the information, but the bad implementation is.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<p class=\"justify\">Coincidentally, beginning this year, I did a health check for one of my customers, and the biggest flag I raised was in experience cloud security. 
That analysis is still fresh, and I would like to jot it down in this blog post.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">1. Org Wide Default settings for external users<\/h4>\n\n\n\n<p class=\"justify\">This is a no-brainer for anyone in the Salesforce ecosystem: the OWD for external users should be set to the most restrictive setting possible to minimize the risk of unauthorized access to sensitive information.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h4 class=\"wp-block-heading\">2. Open up Security using the standard &amp; recommended way<\/h4>\n\n\n\n<p class=\"justify\">Use <strong>Roles<\/strong> to open up access for external authenticated users, followed by sharing rules or sharing sets. Do not forget that each experience cloud site has its own dedicated guest user, which can be referenced in a sharing rule; this is an extremely powerful feature for security.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">3. Choosing the Right License<\/h4>\n\n\n\n<p class=\"justify\">Object access is decided by the license type, such as High Volume Customer Community, Customer Community Plus &amp; Partner Community. Profiles can then be used to control access to objects, fields, etc. Always start with the mindset of least access and open up field, record type, and other access only as needed; do not give the benefit of the doubt in security.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">4. Avoid Saving License Costs Using Customizations<\/h4>\n\n\n\n<p class=\"justify\">This is the most common reason for security breaches in the experience cloud. Just to save license costs, developers end up creating custom LWC, Aura, or Visualforce components and exposing them publicly. This approach can do wonders, like updating an Account without a login; however, with a little manipulation of the parameters, it could very easily expose data to the external world. 
Make sure every Apex class that is written follows all security best practices: use the <strong>with sharing<\/strong> keyword, use the <a href=\"https:\/\/developer.salesforce.com\/docs\/atlas.en-us.apexcode.meta\/apexcode\/apex_classes_with_security_stripInaccessible.htm\">stripInaccessible method<\/a>, avoid dynamic SOQL, enforce <a href=\"https:\/\/developer.salesforce.com\/docs\/atlas.en-us.apexcode.meta\/apexcode\/apex_classes_enforce_usermode.htm\">user mode<\/a> for database operations, and filter SOQL queries <a href=\"https:\/\/developer.salesforce.com\/docs\/atlas.en-us.apexcode.meta\/apexcode\/apex_classes_with_security_enforced.htm\">WITH SECURITY_ENFORCED<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">5. Regularly Run Security Scans<\/h4>\n\n\n\n<p class=\"justify\">Use tools like Salesforce Event Monitoring, transaction security policies, Checkmarx, IBM QRadar, etc., to regularly scan code and user behavior, identify potential vulnerabilities, and take appropriate action to address them. Monitoring unauthenticated user behavior is extremely complicated, but tools like Google Analytics can help in profiling user patterns and behavior. 
<\/p>\n\n\n\n<p>Run <a href=\"https:\/\/help.salesforce.com\/s\/articleView?id=sf.security_phc_overview.htm&amp;type=5\">Portal Health Check<\/a> frequently and act as per Salesforce recommendations (sample report below).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2023\/05\/Portal-Health-Check.png?resize=1024%2C363&#038;ssl=1\" alt=\"Portal Health Check Report\" class=\"wp-image-7793\" width=\"1024\" height=\"363\" srcset=\"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2023\/05\/Portal-Health-Check.png?resize=1024%2C363&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2023\/05\/Portal-Health-Check.png?resize=300%2C106&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2023\/05\/Portal-Health-Check.png?resize=768%2C272&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2023\/05\/Portal-Health-Check.png?resize=1536%2C544&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2023\/05\/Portal-Health-Check.png?resize=2048%2C726&amp;ssl=1 2048w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">6. Session Time Out<\/h4>\n\n\n\n<p class=\"justify\">Setting an appropriate user timeout in Salesforce session settings is an important aspect of securing Salesforce Experience Cloud. By setting a user timeout, you can automatically log users out of the system after a specified period of inactivity, helping to protect against unauthorized access.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">7. 
Enable Multi-Factor Authentication<\/h4>\n\n\n\n<p class=\"justify\">Multi-factor authentication (MFA) is an important aspect of securing Salesforce Experience Cloud, as it adds an additional layer of security to the login process. MFA requires users to provide two or more forms of authentication, such as a password and a security token, to access the system.<\/p>\n\n\n\n<p class=\"justify\">It is important to ensure that every user in the Salesforce org, both internal and external, is using MFA, even if they are using single sign-on (SSO). While SSO provides a convenient way for users to access multiple systems with a single login, it does not provide the same level of security as MFA.<\/p>\n\n\n\n<p class=\"justify\">Security breaches don&#8217;t announce themselves, but the damage they cause will be loud and clear and could result in the <a href=\"https:\/\/www.getastra.com\/blog\/911\/4-times-companies-were-forced-to-shut-down-due-to-hackers\/\">demise of the whole organization<\/a>.<\/p>\n\n\n\n<p>If you have anything else to add, please feel free to post in the comments below.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Experience cloud is a powerful feature on the Salesforce platform where you can expose a subset of data and capabilities for external users as well as some capabilities for unauthenticated public users. This extremely powerful capability comes with huge responsibility, which is setting up the right security. 
By this time, you must have heard many [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":7785,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"jz_research_post":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[9],"tags":[547,348,544,548,364],"class_list":["post-7784","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-salesforce","tag-architecture","tag-best-practices","tag-experience-cloud","tag-mfa","tag-security"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.jitendrazaa.com\/blog\/wp-content\/uploads\/2023\/04\/7-Ways-to-Secure-Experience-Cloud.png?fit=2240%2C1260&ssl=1","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.jitendrazaa.com\/blog\/wp-json\/wp\/v2\/posts\/7784","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jitendrazaa.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jitendrazaa.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jitendrazaa.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jitendrazaa.com\/blog\/wp-json\/wp\/v2\/comments?post=7784"}],"version-history":[{"count":6,"href":"https:\/\/www.jitendrazaa.com\/blog\/wp-json\/wp\/v2\/posts\/7784\/revisions"}],"predecessor-version":[{"id":7794,"href":"https:\/\/www.jitendrazaa.com\/blog\/wp-json\/wp\/v2\/posts\/7784\/revisions\/7794"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.jitendrazaa.com\/blog\/wp-json\/wp\/v2\/media\/7785"}],"wp:attachment":[{"href":"https:\/\/www.jitendrazaa.com\/blog\/wp-json\/wp\/v2\/media?parent=7784"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jitendrazaa.com\/blog\/wp-json\/wp\/v2\/categories?post=7784"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jitendrazaa.com\/blog\/wp-json\/wp\/v2\/tags?post=7784"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}