          API Access Control

          This control removes the "API Enabled" system permission from unauthenticated guest user profiles.

          Control Name

          API Access

          Recommended Configuration

          Disable API Access in Guest user profile.

          Control Overview

          This control removes the "API Enabled" system permission from unauthenticated guest user profiles, preventing anonymous users from accessing Salesforce data through programmatic interfaces like the REST or SOAP APIs.

          Security Risk If Not Configured

          When the guest user profile has "API Enabled", an anonymous attacker can use standard Salesforce API endpoints, with no credentials at all, to systematically probe your org's metadata (object and field names) and to extract any records that the guest profile's object permissions and sharing rules inadvertently expose.

          Threat Scenarios

          A malicious actor uses a script to scan the endpoints of your public site, discovering sensitive object names or fields and downloading all records they have "Read" access to without ever needing to log in.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Permitting API access to unauthenticated users significantly increases the risk of large-scale data exfiltration and automated "scraping" of your org, which can lead to major privacy violations and regulatory fines.

          Higher Risk When

          If the Guest User profile has "Read" access to objects containing Personally Identifiable Information (PII) or if the "Secure guest user record access" setting has been manually bypassed.

          Low Risk When

          If the company has already restricted the Guest User to zero object permissions and has enforced a "Private" sharing model that denies access to all records by default.
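          The following is an added example, not code from the Salesforce Help article. It applies the "Higher Risk When" / "Low Risk When" reasoning above as an audit: it queries which guest user profiles carry "API Enabled" (guest profiles appear in the PermissionSet object with IsOwnedByProfile = true and Profile.UserType = 'Guest') and joins that with the objects the profile can read. The SOQL strings are what a practitioner would run against the org's REST query endpoint; the PII object list, the record Ids and the sample query results are constructed so the audit runs offline.

```python
"""Audit guest user profiles for the "API Enabled" permission.

Added example; not part of the Salesforce Help article. The SOQL below targets
the standard PermissionSet / ObjectPermissions objects; the PII object list and
the sample records are constructed for an offline run.
"""
from dataclasses import dataclass, field

# SOQL a practitioner can run against the org (REST: GET /services/data/vXX.X/query?q=...).
# Profile-level permissions are exposed through PermissionSet rows where IsOwnedByProfile = true.
GUEST_PROFILE_SOQL = (
    "SELECT Id, Profile.Name, PermissionsApiEnabled "
    "FROM PermissionSet "
    "WHERE IsOwnedByProfile = true AND Profile.UserType = 'Guest'"
)
OBJECT_PERMS_SOQL = (
    "SELECT ParentId, SobjectType, PermissionsRead "
    "FROM ObjectPermissions "
    "WHERE Parent.IsOwnedByProfile = true AND Parent.Profile.UserType = 'Guest' "
    "AND PermissionsRead = true"
)

# Objects treated as PII-bearing for this audit (constructed list; tune per org).
PII_OBJECTS = {"Contact", "Lead", "Account", "Case"}


@dataclass
class Finding:
    profile: str
    api_enabled: bool
    readable_objects: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        # Mirrors the article's rating: API Enabled plus Read on PII objects is the
        # high-risk case; API Enabled with no readable objects is the low-risk case;
        # API Enabled removed is the remediated state.
        if not self.api_enabled:
            return "remediated"
        if PII_OBJECTS & set(self.readable_objects):
            return "high"
        return "medium" if self.readable_objects else "low"


def audit_guest_api(profile_records, object_perm_records):
    """Join the two query results on the PermissionSet Id and rate each guest profile."""
    readable = {}
    for rec in object_perm_records:
        if rec["PermissionsRead"]:
            readable.setdefault(rec["ParentId"], []).append(rec["SobjectType"])
    findings = []
    for rec in profile_records:
        findings.append(Finding(
            profile=rec["Profile"]["Name"],
            api_enabled=bool(rec["PermissionsApiEnabled"]),
            readable_objects=sorted(readable.get(rec["Id"], [])),
        ))
    return findings


# Constructed sample records in the shape the REST query endpoint returns.
SAMPLE_PROFILES = [
    {"Id": "0PS000000000001", "Profile": {"Name": "Store Site Guest User"}, "PermissionsApiEnabled": True},
    {"Id": "0PS000000000002", "Profile": {"Name": "Help Center Guest User"}, "PermissionsApiEnabled": True},
    {"Id": "0PS000000000003", "Profile": {"Name": "Locator Site Guest User"}, "PermissionsApiEnabled": False},
]
SAMPLE_OBJECT_PERMS = [
    {"ParentId": "0PS000000000001", "SobjectType": "Contact", "PermissionsRead": True},
    {"ParentId": "0PS000000000001", "SobjectType": "Product2", "PermissionsRead": True},
    {"ParentId": "0PS000000000002", "SobjectType": "Knowledge__kav", "PermissionsRead": True},
    {"ParentId": "0PS000000000003", "SobjectType": "Store_Location__c", "PermissionsRead": True},
]

if __name__ == "__main__":
    for f in audit_guest_api(SAMPLE_PROFILES, SAMPLE_OBJECT_PERMS):
        print(f"{f.profile}: api_enabled={f.api_enabled} read={f.readable_objects} risk={f.risk}")
```

          Any profile rated "high" is the scenario the article describes: an anonymous caller can enumerate the object and pull every record the guest profile can read. Re-running the audit after the remediation steps should show every guest profile as "remediated".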

          Business and Integration Considerations

          Disabling this permission may break custom front-end components or external integrations that rely on making unauthenticated API calls to your site to show public information like product catalogs or store locations.

          Recommended Remediation

          1. Uncheck "Allow guest users to access public APIs" in the site settings.
          2. Uncheck "API Enabled" in the Guest User profile.

          Security Health Review Guidance

          Security Health Review identifies the removal of guest API access as a mandatory step for reducing the available attack surface, making sure that public sites only provide data through authorized user interface components rather than open programmatic channels.
