Remove "Access all custom data" permission for Anonymous users.
Overview
As part of the default configuration set when installing Civi, the "Access all custom data" permission for "Anonymous" users is enabled within the CMS permissions list.
Current behaviour
By default, users are able to craft URLs and see all custom data fields exposed via Profiles without authenticating. If individual field permissions are set correctly within the Profile, then no actual data is visible, however malicious actors may use this information to probe the system further or gain meta data which could be useful, e.g. for social engineering.
Proposed behaviour
This permissions should not be enabled by default.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information