          Guest User Access: Site Preferences for Guest Accessing API Control

          Control Name

          Guest User Access: Site Preferences for Guest Accessing API

          Recommended Configuration

          In Digital Experience > All Sites > Workspace > Administration > Preferences, leave Allow Guest Users To Access Public API unchecked (disabled).

          Control Overview

          This security preference serves as a master gate that determines whether unauthenticated visitors can interact with the underlying Salesforce Connect and public-facing REST endpoints of an Experience Cloud site.

          Security Risk If Not Configured

          When this access is enabled, it provides an open programmatic (API) channel for anonymous actors to query site metadata and attempt to extract record data that has been inadvertently exposed through insecure object-level permissions.

          Threat Scenarios

          An attacker uses automated scripts to hit the public API endpoints, discovering the internal structure of custom objects and systematically downloading all records that are not strictly protected by a private sharing model.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Permitting anonymous API access significantly increases the probability of high-volume data scraping and intellectual property theft, which can lead to severe regulatory penalties and a loss of competitive advantage.

          Higher Risk When

          The guest user profile has been granted read access to objects containing sensitive business logic, or the site uses custom Apex controllers that have not been hardened for unauthenticated use.
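          To illustrate the "custom Apex controllers that have not been hardened for unauthenticated use" condition, the following added example (not code from this Salesforce Help article) shows a guest-facing controller in its weak form beside a hardened one; the object and field names Public_Notice__c, Body__c, Internal_Note__c and Is_Published__c are assumptions chosen for the illustration. Each class would live in its own .cls file; they are shown together here only for comparison.

```apex
// Added example, not from the Salesforce Help article. Object and field
// names (Public_Notice__c, Body__c, Internal_Note__c, Is_Published__c) are
// assumptions for illustration only.

// Weak form: "without sharing" bypasses the guest user's sharing rules and
// the SOQL performs no object- or field-level security check, so an
// anonymous caller receives every row and every field the class can read,
// including an internal field that was never meant to leave the org.
public without sharing class PublicNoticeControllerWeak {
    @AuraEnabled(cacheable=true)
    public static List<Public_Notice__c> getNotices() {
        return [SELECT Id, Name, Body__c, Internal_Note__c
                FROM Public_Notice__c];
    }
}

// Hardened form: "with sharing" honours the guest user's sharing model,
// WITH SECURITY_ENFORCED throws if the running user lacks object or field
// access, the row set is limited to records explicitly flagged as public,
// and the payload is restricted to the fields a guest is meant to see.
public with sharing class PublicNoticeController {
    @AuraEnabled(cacheable=true)
    public static List<Public_Notice__c> getNotices() {
        List<Public_Notice__c> rows = [
            SELECT Id, Name, Body__c
            FROM Public_Notice__c
            WHERE Is_Published__c = true
            WITH SECURITY_ENFORCED
            LIMIT 200
        ];
        // Defence in depth: strip any field the running user cannot read,
        // so a later change to the SELECT list cannot silently widen exposure.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Public_Notice__c>) decision.getRecords();
    }

    // A method intended for authenticated members only: refuse guest
    // callers outright instead of relying on the sharing model alone.
    @AuraEnabled
    public static List<Public_Notice__c> getAllNotices() {
        if (UserInfo.getUserType() == 'Guest') {
            throw new AuraHandledException('Not available to guest users.');
        }
        return [SELECT Id, Name, Body__c, Is_Published__c
                FROM Public_Notice__c
                WITH SECURITY_ENFORCED
                LIMIT 200];
    }
}
```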

          Low Risk When

          The site is purely static and does not use any standard or custom objects that would store sensitive or proprietary information.

          Business and Integration Considerations

          Disabling this preference may prevent certain external search engines or third-party web components from correctly indexing and showing public site content that relies on real-time API queries.

          Recommended Remediation

          Go to the Administration section of the site workspace, select Preferences, and ensure the checkbox for allowing guest users to access the public API is deselected.

          Security Health Review Guidance

          Security Health Review identifies the restriction of public API access as a mandatory architectural standard, making sure that data is only exposed through controlled user interface components rather than open and unmonitored programmatic (API) interfaces.

          Salesforce Help | Article