Hardening starts with knowing what the Guest User can currently do. The audit takes about an hour per site and yields a finite list of action items.
- Identify the Guest User and profile
Setup, Experience Cloud Sites, open each site, find the Guest User Profile link. The profile name and user record are tied to the site.
- Run the Guest User Access Report
From the site's Workspace, open Settings, click Guest User Access Report. Export the report and read every line.
- Disable unneeded object access
On the Guest profile, set every standard and custom object to No Access unless the site needs that object. Default to denying access; grant only where required.
- Set field-level security
Within each accessible object, hide every field except the ones the site actually displays. FLS is the layer most often missed; PII fields exposed by default cause breaches.
- Audit Apex controllers and Flows
Search the codebase for the without sharing keyword in Apex classes used by the site. Audit Flows for the Run In setting; switch System Mode flows to User Mode where possible.
- Test as the Guest User
Open the site in an incognito window. Try the actions you expect; try actions you do not expect (URL manipulation, direct record access). Anything that succeeds where it should not is a finding.
- Apex declared without sharing bypasses the Guest profile's sharing entirely. Any Apex class used by a public site must be reviewed for this keyword; an oversight here is the single most common Experience Cloud data-exposure pattern.
- Flow Run In settings default to User Mode in modern flows, but inherited flows may still run in System Mode. Audit every flow exposed to a Guest User.
- Default file sharing on Experience Cloud sites can expose Files attached to records the Guest User has access to. Check the Files setting on the site Workspace.
- The Guest User Access Report does not surface every risk. Combine it with manual penetration testing (URL guessing, record-ID enumeration) for full coverage.
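To support the Apex audit step and the without sharing caveat above, here is an added Python scanner (not part of the original checklist or any Salesforce tool) that classifies each Apex class by its declared sharing mode and flags the ones a site component can reach. The class sources, file names and class names are constructed for illustration; in practice you would read the org's .cls files from a retrieved metadata directory.

```python
import re
from typing import Dict, List

# Constructed sample Apex sources, keyed by file name (not from any real org).
SAMPLE_CLASSES = {
    "CaseIntakeController.cls": """
        // Public site form handler; declares no sharing mode at all.
        public class CaseIntakeController {
            @AuraEnabled(cacheable=true)
            public static List<Case> recent() {
                return [SELECT Id, Subject FROM Case LIMIT 10];
            }
        }""",
    "LegacyLookup.cls": """
        public without sharing class LegacyLookup {
            @AuraEnabled
            public static Contact find(Id recordId) {
                return [SELECT Id, Email FROM Contact WHERE Id = :recordId];
            }
        }""",
    "ArticleService.cls": """
        public with sharing class ArticleService {
            @AuraEnabled(cacheable=true)
            public static List<Knowledge__kav> listArticles() {
                return [SELECT Id, Title FROM Knowledge__kav WITH USER_MODE];
            }
        }""",
}

_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
# Apex keywords are case-insensitive; capture the optional sharing modifier.
_CLASS = re.compile(
    r"\b(?:(with|without|inherited)\s+sharing\s+)?class\s+(\w+)", re.IGNORECASE)

def audit_apex(sources: Dict[str, str]) -> List[dict]:
    """Classify each top-level class by sharing mode and flag risky ones."""
    findings = []
    for name, src in sources.items():
        body = _COMMENT.sub("", src)            # ignore commented-out code
        m = _CLASS.search(body)
        if not m:
            continue
        mode = (m.group(1) or "undeclared").lower()
        exposed = "@auraenabled" in body.lower()  # reachable from site components
        # 'without sharing' bypasses sharing outright; an undeclared class
        # inherits the caller's mode and runs without sharing as an entry point.
        risky = exposed and mode in ("without", "undeclared")
        findings.append({"file": name, "class": m.group(2), "sharing": mode,
                         "aura_enabled": exposed, "review": risky})
    return findings
```

Classes reported with review set to True are the ones to read first; a with sharing or inherited sharing declaration is only a starting point, since FLS still has to be enforced in the SOQL itself.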