Guest User
Definition
A Guest User in Salesforce is the unauthenticated user account that anonymous, public traffic uses when interacting with a Salesforce Experience Cloud site, a Site.com site, a public-facing Visualforce page, or a public Flow. Every Experience Cloud site (and the older Site.com sites) has a Guest User record automatically created when the site is published. Visitors who land on the site without logging in operate under that Guest User's profile and field-level security. The Guest User is therefore the security boundary between the public internet and any Salesforce data the site exposes.
Salesforce treats the Guest User as a special user type with a dedicated User License (Guest User License) and a profile (Guest User Profile) that admins configure carefully. Object access, field-level security, sharing rules, and Apex with-sharing behavior all evaluate against this profile when a guest visitor takes an action on the site. Hardening the Guest User has become one of the most critical security tasks in any Experience Cloud rollout, because a misconfigured Guest profile has been the root cause of several public Salesforce data exposures.
Why Guest User security needs constant attention
One Guest User per site
Every Experience Cloud site (Customer Community, Partner Community, public help-center site) has exactly one Guest User. The user is created automatically when the site is published. The profile of that user is the Guest User Profile, also created automatically and named after the site. Admins configure object access, FLS, and tab visibility on this profile, and those settings determine what an anonymous visitor sees and can do.
The 2020-2021 Guest User security overhaul
Salesforce tightened Guest User defaults significantly starting Spring '21. The Secure Guest User Record Access setting forced sharing rules to grant access explicitly; default OWD changed to Private for new sites; and a series of critical updates retired the ability for Guest Users to update or delete records by default. The changes were a response to several high-profile data exposures where Guest profiles had Edit access to standard objects. Existing orgs received critical updates that required admin action.
Sharing rules and Guest User Sharing Rules
Guest Users no longer participate in standard role-based sharing. Records must be granted to the Guest User via explicit Guest User Sharing Rules, configured per object on the Sharing Settings page. Without an explicit rule, the Guest User cannot see records even when the OWD is Public Read. This change forces admins to make conscious decisions about exactly what data is publicly visible.
Apex with-sharing vs. without-sharing behavior
Apex code executed in the Guest User context runs with that user's sharing model. without-sharing Apex bypasses the Guest profile entirely; this is the most dangerous pattern in any Experience Cloud site, because it lets unauthenticated traffic access any record the Apex queries. with-sharing Apex respects the Guest profile and is the right default; admins should audit every public-facing Apex controller for the keyword.
Flow runs as Guest User
Flows triggered from a public site or exposed to a Guest User run with the Guest User's record access by default. The Run In setting on the flow can override this to System Mode, which bypasses sharing entirely. Use System Mode carefully: it removes the Guest User security layer, and any data the flow queries is visible to anonymous users.
Authentication Provider integration
Many sites use the Guest User as the entry point for an authentication flow. The visitor lands on a login or sign-up page rendered to the Guest User, completes a registration flow (often invoking Apex that creates a real User record), and is then redirected back as the authenticated user. The Guest User in this scenario is purely a temporary identity; the real security model applies once authentication completes.
Auditing Guest User access
Run the standard Guest User Access Report (Setup, Experience Cloud sites, Guest User Access Report) on every site at least quarterly. The report lists every object and field accessible to the Guest profile, every public Apex class, and every public-facing component. Anything unexpected is a security finding that needs immediate attention.
Audit and harden a Guest User profile
Hardening starts with knowing what the Guest User can currently do. The audit takes about an hour per site and yields a finite list of action items.
- Identify the Guest User and profile
Setup, Experience Cloud Sites, open each site, find the Guest User Profile link. The profile name and user record are tied to the site.
- Run the Guest User Access Report
From the site's Workspace, open Settings, click Guest User Access Report. Export the report and read every line.
- Disable unneeded object access
On the Guest profile, set every standard and custom object to No Access unless the site needs that object. Default to denying access; grant only where required.
- Set field-level security
Within each accessible object, hide every field except the ones the site actually displays. FLS is the layer most often missed; PII fields exposed by default cause breaches.
- Audit Apex controllers and Flows
Search the codebase for the without sharing keyword (written with a space in Apex source) in Apex classes used by the site. Audit Flows for the Run In setting; switch System Mode flows to User Mode where possible.
- Test as the Guest User
Open the site in an incognito window. Try the actions you expect; try actions you do not expect (URL manipulation, direct record access). Anything that succeeds where it should not is a finding.
- without-sharing Apex bypasses the Guest profile entirely. Any Apex class used by a public site must be reviewed for this keyword; an oversight here is the single most common Experience Cloud data-exposure pattern.
- Flow Run In settings default to User Mode in modern flows, but inherited flows may run in System Mode. Audit every flow exposed to a Guest User.
- Default file sharing on Experience Cloud sites can expose Files attached to records the Guest User has access to. Check the Files setting on the site Workspace.
- The Guest User Access Report does not surface every risk. Combine it with manual penetration testing (URL guessing, record-ID enumeration) for full coverage.
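The Apex and Flow audit step, and the with-sharing versus without-sharing distinction described earlier, as an added example (not code from Salesforce or from this site): a Python scan over locally retrieved Apex class sources and Flow metadata files. The file names and sample sources are constructed, the function names are hypothetical, and the script assumes the Flow Run In setting is stored in the metadata element `runInMode`, whose system-mode values start with `SystemMode`.

```python
import re
import xml.etree.ElementTree as ET
COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
CLASS_DECL = re.compile(r"([^;{}]*?)\bclass\s+(\w+)", re.IGNORECASE)
SHARING = re.compile(r"\b(with|without|inherited)\s+sharing\b", re.IGNORECASE)
# Constructed sample sources, not taken from any real org.
APEX = {
    "CaseLookup.cls": "// was: with sharing\npublic without  sharing class CaseLookup { }",
    "FaqController.cls": "public with sharing class FaqController { }",
    "Util.cls": "/* helper */ public class Util { }",
}
NS = 'xmlns="http://soap.sforce.com/2006/04/metadata"'
FLOWS = {
    "Contact_Us.flow-meta.xml": f"<Flow {NS}><runInMode>SystemModeWithoutSharing</runInMode></Flow>",
    "Newsletter.flow-meta.xml": f"<Flow {NS}><label>Newsletter</label></Flow>",
}

def apex_sharing(source):
    """Return (class_name, mode) for the outer class; mode is with/without/inherited/undeclared."""
    code = COMMENTS.sub(" ", source)         # keywords inside comments do not count
    decl = CLASS_DECL.search(code)
    if decl is None:
        return None, "undeclared"
    keyword = SHARING.search(decl.group(1))  # modifiers in front of 'class'
    return decl.group(2), (keyword.group(1).lower() if keyword else "undeclared")

def flow_run_mode(flow_xml):
    """Return the flow's runInMode value, or 'DefaultMode' when the element is absent."""
    for el in ET.fromstring(flow_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "runInMode":
            return (el.text or "").strip()
    return "DefaultMode"

def audit(apex_files, flow_files):
    """Map file name -> finding; files that pass are left out."""
    findings = {}
    for name, src in apex_files.items():
        cls, mode = apex_sharing(src)
        if mode == "without":
            findings[name] = f"{cls}: without sharing, sharing rules not enforced"
        elif mode != "with":
            findings[name] = f"{cls}: sharing {mode}, effective mode depends on the caller"
    for name, doc in flow_files.items():
        if (mode := flow_run_mode(doc)).startswith("SystemMode"):
            findings[name] = f"flow runs in {mode}"
    return findings

if __name__ == "__main__":
    for name, finding in audit(APEX, FLOWS).items():
        print(f"{name}: {finding}")
```

Classes with no sharing declaration are reported alongside the explicit without sharing ones, because a plain text search for the keyword would miss them.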
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals.
Test your knowledge
Q1. What is a Guest User?
Q2. Why is Guest User security important?
Q3. What's a best practice for Guest User configuration?