Secure Your Experience Cloud Site
You can help keep your Experience Cloud site more secure by enabling clickjack protection, authenticating users, encrypting data, and protecting against malicious resources and vulnerabilities in components using CSP and Lightning Locker. These options allow you to maintain the security of your site while still using the external sources you need. In addition, you can use various settings and permissions to protect your data and your customers’ data, and publicly share the site with guest users.
- Sharing CRM Data in an Experience Cloud Site
  Sharing CRM data in an Experience Cloud site can seem like a daunting task. You need to consider the various layers of data sharing in an internal Salesforce org, and then add the extra security layers that a portal or community implementation introduces. Here's a cheat sheet of the resources you need when setting up data sharing for your Experience Cloud site.
- Enable Clickjack Protection in Experience Cloud Sites
  Clickjacking is an attack that tricks users into clicking something, such as a button or link, that they perceive to be safe. By loading your Experience Cloud site pages in hidden iframes, attackers can entice users to click an element that appears to belong to a different web page. Instead of the visible element handling the click, the click is hijacked by an element of the invisible framed site layered on top. Clickjacking can lead to data exposure, unauthorized emails, changed credentials, or other malicious site-specific results. With clickjack protection, you secure your site by controlling whether browsers allow frames pointing to your pages.
- Authenticate Experience Cloud Site Users
  You have several options for authenticating customers and employees in your Experience Cloud site. Customers are users with Community, Customer Portal, External Identity, or partner portal licenses. By default, they log in with the username and password that Salesforce assigns them for the Experience Cloud site. Your Salesforce org's employees are users with full Salesforce licenses. These users follow the employee login flow using their Salesforce username and password. Beyond these defaults, you can configure SAML, third-party authentication providers, or OAuth to authenticate and authorize all users accessing your site. You can also configure self-registration to use Login Discovery, which simplifies authentication for users.
- Encrypt Experience Cloud Site Data
  You can add a measure of security to your Experience Cloud sites by encrypting files, attachments, and supported fields.
- CSP and Lightning Locker in Experience Builder Sites
  Experience Builder sites use Content Security Policy (CSP) and Lightning Locker to protect your site from malicious attacks and vulnerabilities in custom code. CSP is a W3C standard that controls which sources content can be loaded from on your site's pages, and it helps protect against cross-site scripting (XSS) attacks. Lightning Locker is a Salesforce architectural layer that allows third-party Lightning components and custom code to run safely on the same page in the browser. With different levels of security, you can balance your site's security needs against your tolerance for risk.
- Experience Cloud Cookies
  Experience Cloud uses cookies to improve functionality and accelerate processing times. By saving a user's settings, cookies can enhance the user's experience and the performance of the Experience Cloud site.
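The clickjack protection and CSP topics above both come down to which response headers the site sends and how a browser interprets them. The following is an added example, not Salesforce code and not part of this help article: it evaluates, from a set of HTTP response headers, whether a page may be framed by a given origin (CSP `frame-ancestors`, with `X-Frame-Options` as the legacy fallback) and whether a script URL is allowed to load (`script-src`, falling back to `default-src`). The header values, site names, and the attacker overlay snippet are constructed for illustration; the source-expression matching is a simplified version of the CSP algorithm (no path matching, nonces, or hashes) and is labeled as such in the code.

```javascript
// Added example, not Salesforce code. Evaluates framing and script-loading
// decisions from response headers the way a browser would, in simplified form.

const DEFAULT_PORTS = { "https:": "443", "http:": "80" };

// Case-insensitive header lookup over a plain object of header name -> value.
function header(headers, name) {
  for (const k of Object.keys(headers)) {
    if (k.toLowerCase() === name) return headers[k];
  }
  return undefined;
}

// Parse a CSP header into { directiveName: [sourceExpressions...] }.
// Per the CSP spec, only the first occurrence of a directive is honored.
function parseCsp(cspHeader) {
  const directives = {};
  for (const part of cspHeader.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Simplified CSP source-expression match against an origin such as
// "https://cdn.example". Handles 'none', *, scheme-source ("https:"),
// and host-source with optional scheme, "*." subdomain wildcard and port.
// Path matching, nonces and hashes are out of scope (assumption for this demo).
function originMatches(sourceExpr, origin) {
  const expr = sourceExpr.toLowerCase();
  if (expr === "*") return true;
  if (expr.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces: never match a URL origin
  const o = new URL(origin);
  if (expr.endsWith(":") && !expr.includes("/")) return o.protocol === expr; // scheme-source
  let scheme = null;
  let hostPart = expr;
  const idx = expr.indexOf("://");
  if (idx !== -1) { scheme = expr.slice(0, idx + 1); hostPart = expr.slice(idx + 3); }
  hostPart = hostPart.split("/")[0];
  const [host, port] = hostPart.split(":");
  if (scheme && o.protocol !== scheme) return false;
  if (port && port !== "*" && (o.port || DEFAULT_PORTS[o.protocol]) !== port) return false;
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // ".example.com"
    return o.hostname.endsWith(suffix) && o.hostname.length > suffix.length;
  }
  return o.hostname === host;
}

function anySourceMatches(sources, pageOrigin, candidateOrigin) {
  return sources.some(src =>
    src.toLowerCase() === "'self'" ? candidateOrigin === pageOrigin : originMatches(src, candidateOrigin));
}

// Clickjacking decision: frame-ancestors takes precedence over X-Frame-Options.
// With neither header present, any site may frame the page.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const csp = header(headers, "content-security-policy");
  if (csp) {
    const ancestors = parseCsp(csp)["frame-ancestors"];
    if (ancestors) return anySourceMatches(ancestors, pageOrigin, framerOrigin);
  }
  const xfo = (header(headers, "x-frame-options") || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  return true; // absent or obsolete (ALLOW-FROM) value: no protection
}

// XSS-related decision: may a script from scriptUrl load on this page?
function scriptAllowed(headers, pageOrigin, scriptUrl) {
  const csp = header(headers, "content-security-policy");
  if (!csp) return true;
  const d = parseCsp(csp);
  const sources = d["script-src"] || d["default-src"];
  if (!sources) return true;
  return anySourceMatches(sources, pageOrigin, new URL(scriptUrl).origin);
}

// Constructed sample data (hypothetical hostnames).
const SITE = "https://mysite.example";
const PROTECTED_HEADERS = {
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self' https://*.trusted-cdn.example; frame-ancestors 'self' https://partner.example",
  "X-Frame-Options": "SAMEORIGIN",
};
const UNPROTECTED_HEADERS = { "Content-Type": "text/html" };

// The overlay an attacker page would use if framing is allowed: the framed
// site sits invisibly on top of a decoy button so the victim's click lands on it.
const ATTACKER_OVERLAY = `<button style="position:absolute;top:100px;left:100px">Claim prize</button>
<iframe src="${SITE}/confirm" style="position:absolute;top:0;left:0;width:800px;height:600px;opacity:0"></iframe>`;

console.log("attacker can frame protected site:", framingAllowed(PROTECTED_HEADERS, SITE, "https://attacker.example"));
console.log("attacker can frame unprotected site:", framingAllowed(UNPROTECTED_HEADERS, SITE, "https://attacker.example"));
```

Running the block against the constructed headers shows the practical point of both topics: with no `frame-ancestors` or `X-Frame-Options` header, any origin may frame the page and the overlay above works; with the protected headers, only the site itself and the listed partner origin may frame it, and only scripts from the site or the wildcard CDN may load.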

