This content describes an older version of this product.

Develop Secure Sites: Lightning Locker and CSP

Experience Builder sites use Content Security Policy (CSP) and Lightning Locker to protect your site from malicious attacks and from vulnerabilities in custom code. Factor in the potential impact of these security features when you develop your own custom components, use third-party components, or add custom code in the head markup.

CSP

CSP is a W3C standard for controlling the sources from which content can be loaded on a page. The browser enforces the policy that the server sends in the Content-Security-Policy response header, so CSP rules work at the page level and apply to all third-party components and custom code alike. By default, the framework’s headers allow content to be loaded only from secure (HTTPS) URLs and forbid XHR requests from JavaScript.

Experience Builder offers several levels of CSP script security. The CSP level is configured per site, so each site can use a different level.
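To make the page-level behaviour concrete, the following is an added example (not Salesforce code and not the framework's real headers): a simplified model of how a browser matches a URL it is about to load against a CSP policy string. It handles scheme sources such as `https:`, host sources with `*.` wildcards and ports, the `'self'` and `'none'` keywords, and the fallback from a fetch directive (for example `img-src`) to `default-src`. The policy, page origin and URLs in `evaluateExamples` are constructed to mirror the text: HTTPS-only content, scripts only from the site and one CDN, and no XHR/fetch at all via `connect-src 'none'`.

```javascript
// Added example (not Salesforce code): a simplified CSP source-matching model.
// Path components, nonces, hashes and the finer points of '*' are not modelled.

// Parse "directive src src; directive src" into { directive: [sources] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression permit `url` on a page served from `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false;   // 'unsafe-inline', 'nonce-...' never match a URL
  if (source === '*') return true;            // simplified: the spec still excludes some schemes
  // Scheme source, e.g. "https:" permits any host over that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol.toLowerCase() === source.toLowerCase();

  // Host source: [scheme://]host[:port][/path]; the host may begin with "*.".
  let scheme = null;
  let hostPart = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/i);
  if (m) { scheme = m[1].toLowerCase() + ':'; hostPart = m[2]; }
  const pageScheme = new URL(pageOrigin).protocol;
  if (scheme) {
    if (url.protocol !== scheme) return false;
  } else if (!(url.protocol === pageScheme || (pageScheme === 'http:' && url.protocol === 'https:'))) {
    return false;   // schemeless host: must use the page's scheme (or upgrade http -> https)
  }
  const [hostAndPort] = hostPart.split('/');   // any path component is ignored in this model
  const [host, port] = hostAndPort.split(':');
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  const hostname = url.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    const suffix = host.slice(1).toLowerCase();   // "*.example.com" -> ".example.com"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return hostname === host.toLowerCase();
}

// Decide whether a load governed by `directive` may fetch `urlString`.
// Fetch directives fall back to default-src; with no applicable directive the browser allows.
function isAllowed(policy, directive, urlString, pageOrigin) {
  const directives = parsePolicy(policy);
  const sources = directives[directive] || directives['default-src'];
  if (!sources) return true;
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed policy and origin for the illustration (not a real Salesforce header).
const EXAMPLE_POLICY =
  "default-src https:; script-src 'self' https://*.example.com; connect-src 'none'";
const PAGE_ORIGIN = 'https://site.example.com';

function evaluateExamples() {
  const check = (directive, url) => isAllowed(EXAMPLE_POLICY, directive, url, PAGE_ORIGIN);
  return {
    ownScript:       check('script-src', 'https://site.example.com/app.js'),   // true: 'self'
    cdnScript:       check('script-src', 'https://cdn.example.com/lib.js'),    // true: *.example.com
    plainHttpScript: check('script-src', 'http://cdn.example.com/lib.js'),     // false: source pins https
    lookalikeCdn:    check('script-src', 'https://evil-example.com/lib.js'),   // false: not a subdomain
    httpsImage:      check('img-src', 'https://images.example.net/a.png'),     // true: default-src https:
    httpImage:       check('img-src', 'http://images.example.net/a.png'),      // false: not https
    xhr:             check('connect-src', 'https://api.example.com/data'),     // false: 'none'
  };
}
```

The `connect-src 'none'` case is the one that surprises people most in practice: a component whose markup and scripts load fine can still fail at runtime because its XHR or `fetch` calls are governed by a separate directive. When a third-party component breaks under a stricter site-level CSP, checking which directive the browser reported in its console violation message is the fastest way to find the offending load.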

Lightning Locker

Lightning Locker is a Salesforce security architecture that lets third-party components and custom code run safely on the same page in the browser. It enhances security by:
  • Isolating components in their own namespace
  • Permitting access only to supported APIs
  • Eliminating access to non-published framework internals

Lightning Locker is enabled by default for all new Experience Builder sites. If a third-party component or custom code doesn’t work as expected due to Lightning Locker, see Resolve Lightning Locker Conflicts in Experience Builder.
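The three properties listed above are easier to reason about with a small working model. The following is an added example, not Lightning Locker's own code: each namespace gets a proxied "secure window" that holds only that namespace's globals, forwards an allowlist of supported APIs to the real global object, and throws on everything else, including internals such as `document`. The `SUPPORTED_APIS` list, the namespace names and the component snippets run in `demo` are constructed for the illustration.

```javascript
// Added example (not Lightning Locker's implementation): a toy namespace sandbox
// built from a Proxy and a sloppy-mode `with` block, to show the effect of
// per-namespace isolation and an API allowlist.
const SUPPORTED_APIS = new Set(['JSON', 'Math', 'Date', 'Promise', 'console', 'setTimeout']);

function createSecureWindow(namespace) {
  const ownGlobals = Object.create(null);   // state visible only to this namespace
  return new Proxy(ownGlobals, {
    // Report every name as present so that, inside `with`, no identifier lookup
    // falls through to the real global scope.
    has() { return true; },
    get(target, prop) {
      if (typeof prop === 'symbol') return undefined;   // e.g. Symbol.unscopables probed by `with`
      if (Object.prototype.hasOwnProperty.call(target, prop)) return target[prop];
      if (SUPPORTED_APIS.has(prop)) return globalThis[prop];
      throw new Error(`"${prop}" is not a supported API in namespace ${namespace}`);
    },
    set(target, prop, value) { target[prop] = value; return true; },
  });
}

// Evaluate component code with the secure window as its entire lexical environment.
// `new Function` bodies are sloppy-mode, so `with` is legal here; every free
// identifier in `code` is then resolved through the proxy above.
function runInNamespace(secureWindow, code) {
  const fn = new Function('sandbox', 'with (sandbox) { return (' + code + '); }');
  return fn(secureWindow);
}

function attempt(fn) {
  try { return 'allowed: ' + String(fn()); } catch (e) { return 'blocked: ' + e.message; }
}

function demo() {
  const nsA = createSecureWindow('ns_a');
  const nsB = createSecureWindow('ns_b');
  runInNamespace(nsA, 'secret = "only for ns_a"');   // a global written by component A
  return {
    ownState:       runInNamespace(nsA, 'secret'),                       // "only for ns_a"
    supportedApi:   runInNamespace(nsB, 'JSON.stringify({ ok: 1 })'),    // '{"ok":1}'
    crossNamespace: attempt(() => runInNamespace(nsB, 'secret')),        // blocked: not B's global
    internals:      attempt(() => runInNamespace(nsB, 'document.cookie')), // blocked: not an allowed API
  };
}
```

The failure modes this reproduces are the ones that show up when a third-party component breaks under Locker: code that reaches for a global another component defined, or for a browser or framework object that is not on the supported list, throws instead of silently working. The real Locker is considerably more involved (it wraps DOM objects rather than refusing them outright), so treat this only as a mental model for why a previously working snippet stops working once Locker is on.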