guest-user-security-audit
Auditing the security posture of an Experience Cloud (Community) site's Guest User. Covers the post-Spring '21 secure-by-default lockdown (object permissions removed, sharing rule grants required for any access), the Guest User profile permissions to remove (View All Data, Modify All Data, Manage Users, etc.), guest sharing rules, the Run-As-Guest test, OWASP A01 (Broken Access Control) mapping, and the standard set of leakage vectors (Apex with `without sharing`, Aura / LWC `@AuraEnabled` methods, public-site Visualforce, REST endpoints under `/services/apexrest`). NOT for Experience Cloud authenticated user setup (see experience/experience-cloud-user-management), NOT for general Salesforce profile design (see admin/profile-permset-design).
Best use case
guest-user-security-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Auditing the security posture of an Experience Cloud (Community) site's Guest User. Covers the post-Spring '21 secure-by-default lockdown (object permissions removed, sharing rule grants required for any access), the Guest User profile permissions to remove (View All Data, Modify All Data, Manage Users, etc.), guest sharing rules, the Run-As-Guest test, OWASP A01 (Broken Access Control) mapping, and the standard set of leakage vectors (Apex with `without sharing`, Aura / LWC `@AuraEnabled` methods, public-site Visualforce, REST endpoints under `/services/apexrest`). NOT for Experience Cloud authenticated user setup (see experience/experience-cloud-user-management), NOT for general Salesforce profile design (see admin/profile-permset-design).
Teams using guest-user-security-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/guest-user-security-audit/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How guest-user-security-audit Compares
| Feature / Agent | guest-user-security-audit | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Auditing the security posture of an Experience Cloud (Community) site's Guest User. Covers the post-Spring '21 secure-by-default lockdown (object permissions removed, sharing rule grants required for any access), the Guest User profile permissions to remove (View All Data, Modify All Data, Manage Users, etc.), guest sharing rules, the Run-As-Guest test, OWASP A01 (Broken Access Control) mapping, and the standard set of leakage vectors (Apex with `without sharing`, Aura / LWC `@AuraEnabled` methods, public-site Visualforce, REST endpoints under `/services/apexrest`). NOT for Experience Cloud authenticated user setup (see experience/experience-cloud-user-management), NOT for general Salesforce profile design (see admin/profile-permset-design).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Guest User Security Audit Experience Cloud sites can serve unauthenticated visitors via the **Guest User**. Historically the Guest User was provisioned with broad permissions on by default, leading to a class of public-data- exposure incidents that hit the press through the late 2010s. The **Spring '21 secure-by-default release** locked this down: object- level permissions are off by default, Modify All / View All are removed, sharing rules are required to grant any record access, and the platform actively warns when a configuration would expose data. This skill is the audit playbook. It walks the standard surfaces where guest data leakage happens and the OWASP Top 10 mapping for each. ## What changed in Spring '21 | Before Spring '21 | After Spring '21 (secure by default) | |---|---| | Guest profile could grant View All Data | Removed; cannot be granted | | Guest profile could grant Modify All Data | Removed | | Guest profile could grant Manage Users | Removed | | Object permissions on by default | Off by default | | Implicit access via OWD | Sharing rule required | | Guest could update other users' records | Blocked unless explicit sharing rule + record ownership rules | Orgs that existed before Spring '21 do not auto-migrate. They inherit grandfathered permissions until an admin removes them. The audit's first job is identifying grandfathered permissions still active. ## The leakage surfaces Even with secure-by-default, leakage can still happen through: 1. **Guest profile permissions still granted** by an admin since Spring '21 (the platform allows some grants, just with warnings). 2. **Apex with `without sharing`** runs as the guest user but bypasses sharing — guest can read records they shouldn't. 3. **`@AuraEnabled` Apex methods exposed to LWC / Aura** — the guest user's session can call them; they execute with the sharing mode of the class (`with sharing` / `without sharing` / default `inherited sharing`). 4. **REST endpoints under `/services/apexrest`** — Apex REST classes exposed publicly inherit the same sharing rules; default `without sharing` is dangerous. 5. **Public Visualforce / Sites pages** — older feature; still in use; same sharing concerns as Apex. 6. **Sharing rules granting access to records owned by guest** — the platform restricts these in modern orgs but legacy configurations may still exist. ## Standard audit surfaces | Surface | Question to ask | Tool | |---|---|---| | Guest profile permissions | What object / system permissions are still granted? | Setup -> Profiles -> Guest User -> Object / System Permissions | | Sharing rules granting to guest | Which records are shared to the guest user? | Setup -> Sharing Settings; Object's Sharing Rules; filter Type = 'Guest user' | | Apex sharing mode | Which Apex classes are `without sharing`? | Static analysis / `ApexClass.Body` SOQL | | @AuraEnabled methods | Which Apex methods are callable from LWC / Aura? | ApexClass with `@AuraEnabled` annotations | | Apex REST endpoints | Which classes expose REST? | Apex with `@RestResource(urlMapping=...)` | | Public site visibility | What pages / endpoints are reachable without login? | Setup -> Sites; Run-As-Guest test | ## OWASP Top 10 mapping The dominant risk class is **A01: Broken Access Control**. Guest user mis-grants are textbook A01. Secondary: A03 Injection (if guest-callable Apex constructs SOQL/SOSL from input), A05 Security Misconfiguration (default permissions left on), A07 Identification and Authentication Failures (insufficient guest session controls). ## Recommended Workflow 1. **Enumerate Guest Users.** Each Experience Cloud site has its own Guest User. List them via Setup -> All Sites -> per-site -> Public Access Settings (which is the per-site Guest profile clone). 2. **Audit each Guest profile's permissions.** Object permissions, system permissions, FLS. Modern target: zero object permissions unless explicit need; zero `View All` / `Modify All` (these should already be blocked by secure-by-default but legacy grants need removal). 3. **Audit sharing rules with Type = 'Guest user'.** Each rule should map to a documented business justification. Anything granting "all records" of a sensitive object is a finding. 4. **Static-analyze Apex.** Find classes with `without sharing`. Cross-check whether they are reachable by guest (called from `@AuraEnabled` method or `@RestResource` exposed to public site). 5. **Run-As-Guest the site.** Setup -> Users -> Guest User -> Login. Walk every component on every page; capture network requests. Anything returning data that shouldn't be public is a finding. 6. **Validate REST and Aura/LWC endpoints separately.** Use a tool / manual probe to call `@AuraEnabled` and Apex REST endpoints with no auth and see what returns. 7. **Prioritize remediation.** Findings that expose PII or regulated data go first. Findings that expose internal configuration go second. Map each to OWASP A01 / A03 / A05 in the report. ## What This Skill Does Not Cover | Topic | See instead | |---|---| | Authenticated Experience Cloud user mgmt | `experience/experience-cloud-user-management` | | General profile / permset design | `admin/profile-permset-design` | | Apex security at large (CRUD / FLS) | `apex/apex-with-sharing-patterns` | | Encrypted fields and Shield Platform Encryption | `security/shield-platform-encryption` |
Related Skills
visualforce-security-and-modernization
Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).
transaction-security-policies
Transaction Security policy creation and configuration: condition builder, enhanced policies, enforcement actions (block, MFA, notification, end session), real-time monitoring mode, and policy troubleshooting. NOT for Event Monitoring log analysis or Shield Event Monitoring setup (use event-monitoring). NOT for Apex testing or debug-log analysis.
security-incident-response
When to use: active or suspected Salesforce org compromise, unauthorized access investigation, attacker containment, forensic evidence collection from EventLogFile/LoginHistory, session revocation, OAuth token cleanup, eradication of attacker persistence, and post-incident recovery verification. Trigger keywords: org compromised, suspicious login, attacker access, session revocation, forensic investigation, breach response, event log forensics, login anomaly investigation, incident response runbook. Does NOT cover general security setup, permission set design, field-level security configuration, or proactive security hardening — those are separate skills. NOT for general security setup.
security-health-check
Use when running, interpreting, or acting on Salesforce Security Health Check results — reading the score, understanding risk categories, evaluating specific settings, creating or importing a custom baseline, querying the Tooling API programmatically, or planning remediation from findings. Triggers: 'security health check score', 'health check failing settings', 'custom baseline', 'remediate health check findings', 'fix risk'. NOT for org hardening implementation, permission model design, or broad baseline config beyond what Health Check directly measures.
network-security-and-trusted-ips
Configure and audit Salesforce network security controls — trusted IP ranges (org-wide Network Access), login IP ranges on profiles, CSP Trusted Sites for Lightning components, CORS allowlists for external JavaScript, and TLS requirements — and troubleshoot login-blocked-by-IP or CSP violation errors. NOT for org-wide session settings, MFA configuration, or real-time Transaction Security Policies.
guest-user-security
Use when hardening the Experience Cloud guest user profile, controlling unauthenticated access to records and Apex, or investigating data exposure through guest SOQL. Covers object permissions, sharing model enforcement for unauthenticated users, and Apex execution context. NOT for Experience Cloud site creation (use Experience Cloud skills) or for authenticated external user security (use security/experience-cloud-security).
field-audit-trail
Salesforce Shield Field Audit Trail: configuration, retention policies, querying archived field data, compliance requirements. NOT for field history tracking (use field-history-tracking).
experience-cloud-security
Use when configuring access controls, sharing, or site security for authenticated or guest Experience Cloud (community) users: external OWD, Sharing Sets, Share Groups, CSP, clickjack protection, guest user record access. NOT for internal sharing model configuration (use sharing-and-visibility).
connected-app-security-policies
Managing OAuth policies, IP relaxation, session security, PKCE, and credential rotation for Salesforce Connected Apps. Use when hardening Connected App security, rotating client secrets, configuring IP restrictions, or requiring high-assurance sessions. NOT for basic Connected App setup or creation. NOT for OAuth flow implementation (use oauth-flows-and-connected-apps).
api-security-and-rate-limiting
Use when configuring, auditing, or troubleshooting API rate limits, Connected App OAuth scope restriction, Connected App IP restrictions, API session policies, or API usage monitoring in a Salesforce org. Trigger keywords: 'API rate limit', '429 error', 'OAuth scope restriction', 'Connected App IP restriction', 'API usage monitoring', 'concurrent API limits', 'Bulk API limits'. NOT for OAuth flow implementation, token exchange mechanics, or general Connected App setup — use security/oauth-flows-and-connected-apps for those.
api-only-user-hardening
Provision and harden integration (API-only) users: no UI login, IP restrictions, minimum permission set, session lifetime, and monitoring. NOT for human admin account hardening.
omnistudio-security
Use when designing or reviewing OmniStudio security across OmniScripts, Integration Procedures, DataRaptors, custom LWCs, Apex actions, guest-user exposure, and outbound HTTP actions. Triggers: 'OmniStudio security', 'guest user omniscript', 'DataRaptor CRUD FLS', 'OmniStudio Apex security', 'HTTP action data exposure'. NOT for general portal identity architecture or generic Apex security reviews when OmniStudio is not the main surface.