Salesforce Dictionary - Free Salesforce GlossarySalesforce Dictionary
Full Sites entry
How-to guide

Stand up a public Salesforce Site

Create a basic public Salesforce Site that serves a Visualforce page to unauthenticated visitors. You register a domain once, then create and activate the site and grant the guest user only the access its pages need.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce DictionaryLast updated Jun 16, 2026

Create a basic public Salesforce Site that serves a Visualforce page to unauthenticated visitors. You register a domain once, then create and activate the site and grant the guest user only the access its pages need.

  1. Register your Sites domain

    In Setup, open Sites and register a single Salesforce Sites domain for the org. Every site you create lives under this domain, and you can later attach a custom branded domain on top of it.

  2. Create the site

    Click New, then fill in the Site Label, Site Name, and Site Contact. Choose the default web address path, pick the Active Site Home Page (a Visualforce page), and keep Require Secure Connections (HTTPS) on.

  3. Enable the pages

    In Site Visualforce Pages, add every Visualforce page the site should serve. A page that is not on this list returns an authorization error even if the guest profile allows the underlying data.

  4. Lock down the guest profile

    Open the site guest user profile. Grant Read on only the objects a page needs, set field-level security tightly, and remove access to everything else. Add a guest user sharing rule only if a page must read specific records.

  5. Activate and test

    Set the site to Active and open its URL in a private browser window with no Salesforce session. Confirm the page renders, forms submit, and no object or field you did not intend is reachable.

Key options
Active Site Home Pageremember

The Visualforce page shown at the site root. Visitors land here first, so it usually carries your main form or content.

Require Secure Connections (HTTPS)remember

Forces traffic over HTTPS. Keep this on for any page that collects visitor input or exposes data.

Clickjack Protection Levelremember

Controls whether your site pages can be framed by other domains. Tighten it to reduce clickjacking risk on public pages.

Guest user sharing ruleremember

A criteria-based rule that grants the guest user Read Only access to matching records. The only supported way to expose records beyond the Private baseline.

Gotchas
  • The guest user is shared by every anonymous visitor, so any access you grant is effectively granted to the entire internet.
  • Profile permissions alone do not protect data; enforce CRUD and field-level security in your Apex controllers with stripInaccessible or WITH SECURITY_ENFORCED.
  • A Visualforce page must be added to the site before guests can load it, regardless of profile access.
  • Sites usage is capped by page views, bandwidth, and service request time over a rolling 24-hour window, so plan for traffic spikes.

See the full Sites entry

Sites includes the definition, worked example, deep dive, related terms, and a quiz.