Securing Salesforce Digital Experiences, Matt Meyers

Surprising how a book can scare me. As a Salesforce CTA I obviously know everything about the platform and its security, yet Matt was still able to scare me in the first few pages.

… presenting at local Salesforce Dreamin’ events, informing people about my story and showing them how a hacker performed this attack. During each session, I polled the audience to better understand their awareness of Salesforce security in general. To my surprise, I found most people were overconfident about the security of their Salesforce implementations, and only a select few even knew about this type of attack.


When Salesforce started to limit the guest user capabilities a few releases back, I wasn’t happy, like probably a lot of people. We probably overused it on a few projects as a way to give unauthenticated users an extra set of functionality, starting with the ability to add and later update records in SF or just query some extra records, where full authentication wasn’t really considered a must and worth the money.

Blocking API access, closely monitoring which objects we were giving access to, and we felt safe. Until I read this book.

Additionally, there is an option on the user profile called “API Enabled” that, when disabled, blocks all external access to these APIs. This is what we did in our case. We had “API Enabled” turned off, so as far as we knew, no one could access the data via any APIs.

Salesforce Lightning Experience, which is the user interface that powered our Salesforce Digital Experience portal, used a significant number of microservice application programming interfaces, or APIs, to display the data and user interface layouts. Salesforce did not document these APIs, as they were not designed for use directly by Salesforce’s customers.

An undocumented API, which works even when API access is disabled? AuraEnabled classes, which means that anyone can freely call them? Grouping methods into classes in a functional way instead of by which persona should be able to use them – maybe that’s another reason why Salesforce restricted guest users from accessing classes unless specifically given permission.

The book is short but intense. The intro chapter laying out the story of the data leak is scary, and the solution looks surprisingly short and easy, even though I understand it had to be a long and intense week to fix things up. And there are tons of bonuses, including a video on how you can test your site or a description of all the relevant settings you might want to consider when setting up Experience Cloud.

Overall, recommended reading, which you can buy from Matt directly. And the related article at Cactusforce is a great read as well.
