Experience Cloud Developer Guide
Summer '26 (API version 67.0)
Spring '26 (API version 66.0)
Winter '26 (API version 65.0)
Summer '25 (API version 64.0)
Spring '25 (API version 63.0)
Winter '25 (API version 62.0)
Summer '24 (API version 61.0)
Spring '24 (API version 60.0)
Winter '24 (API version 59.0)
Summer '23 (API version 58.0)
Spring '23 (API version 57.0)
Winter '23 (API version 56.0)
Summer '22 (API version 55.0)
Spring '22 (API version 54.0)
Winter '22 (API version 53.0)
Summer '21 (API version 52.0)
Spring '21 (API version 51.0)
Winter '21 (API version 50.0)
Summer '20 (API version 49.0)
Spring '20 (API version 48.0)
Winter '20 (API version 47.0)
Summer '19 (API version 46.0)
Spring '19 (API version 45.0)
Winter '19 (API version 44.0)
Summer '18 (API version 43.0)
Spring '18 (API version 42.0)
Winter '18 (API version 41.0)
Summer '17 (API version 40.0)
Limit Declarative Access
Limit Access to Apex Classes
Flow Security
SOQL Injection
Add Pardot Tracking to Your Experience Builder Site
Use a CMS with Your Experience Builder Site
Avoid Deployment Issues When Moving to Enhanced LWR Sites
Considerations for Deploying Authenticated LWR Sites
ExperienceBundle for Experience Builder Sites
Develop Secure Sites: Authenticated and Guest Users
When implementing an Experience Cloud site accessible by external and unauthenticated
guest users, keep these security considerations in mind. External users have login privileges to
your Experience Cloud site, but they can’t access your internal Salesforce org. A guest user is
anyone on the internet who can visit the publicly accessible pages and components of your
Experience Cloud site.
-
Limit Declarative Access
Granting permission to view an object allows external users to view that object using standard controllers. Standard controllers are available in Experience Builder sites and Salesforce Tabs + Visualforce sites that have Lightning features enabled. These controllers grant access based solely on the platform declarative permissions. -
Determine a Security Model
For every use case, determine whether to implement a custom access control model or to rely on the declarative platform access control model. We recommend using the platform declarative access control model when possible. However, sometimes your requirements call for a custom access control model. -
Limit Access to Apex Classes
Allow guest and external users access to only those classes that they must call. -
Flow Security
If guest or external users must run flows, override the flow permission to grant access only to specific external user profiles, permission sets, or site guest user profiles, rather than allowing users to run all flows. Avoid running flows in system context when possible, and restrict access to subflows. Otherwise, ensure that you implement procedural access controls for those flows and subflows. -
SOQL Injection
Sanitize user-controlled data passed into dynamic SOQL queries.