Experience Cloud Developer Guide

Get Up to Speed with Experience Builder Sites
Develop Experience Builder Sites: The Basics
Brand Your Aura Site
Develop Secure Sites: Authenticated and Guest Users
Limit Declarative Access
Determine a Security Model
Limit Access to Apex Classes
Flow Security
SOQL Injection
Develop Secure Sites: CSP, LWS, and Lightning Locker
Add Pardot Tracking to Your Experience Builder Site
Use a CMS with Your Experience Builder Site
Report on Deflections: The Deflection Signals Framework
Avoid Deployment Issues When Moving to Enhanced LWR Sites
Considerations for Deploying Authenticated LWR Sites
ExperienceBundle for Experience Builder Sites
PDF

Limit Access to Apex Classes

Allow guest and external users access to only those classes that they must call.

If an Apex class contains publicly exposed methods, such as methods using @InvocableMethod, @AuraEnabled, @RestResource, or webservice, then guest and external users can invoke these methods with arbitrary parameters. But they must have permission to execute the Apex class. We recommend limiting Apex class access to users with specific permission sets or profiles. Allowing guest and external users full access to Apex classes isn’t secure. Think carefully about which users must call which Apex classes, create permission sets for these roles, and enable the Apex class for the required permission sets.