Limit access to .XML, .XSLT, and .MRT files

Current version: 8.1

To improve the security of your Sitecore installation, you must edit the web.config file. This file is stored in the Website folder of your installation, for example at: C:\Inetpub\wwwroot\YourWebsite\Website.

To limit access to .XML, .XSLT, and .MRT files:

  1. Open the web.config file.

  2. In the <system.webServer><handlers> section, add the following lines:

    <system.webServer>
      <handlers>
        <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>
        <add path="*.xslt" verb="*" type="System.Web.HttpForbiddenHandler" name="xslt (integrated)" preCondition="integratedMode"/>
        <add path="*.config.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="config.xml (integrated)" preCondition="integratedMode"/>
        <add path="*.mrt" verb="*" type="System.Web.HttpForbiddenHandler" name="mrt (integrated)" preCondition="integratedMode"/>
      </handlers>
    </system.webServer>

This restricts access to all .XML, .XSLT, and .MRT files.

To allow unrestricted access to a specific file path, such as /sitemap.xml:

  1. Open the web.config file.

  2. In the <system.webServer><handlers> section, before the handlers that limit access, add the following line:

    <add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow" />
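
A way to check both procedures after editing, as an added example that is not part of the original article or of Sitecore: it parses a web.config, reports any of the four forbidden handlers that are missing, and flags an exception such as sitemap.xml that was placed after a deny handler matching it. The helper names, the sample handler lines, and the assumption that an earlier matching handler takes precedence (which is why the exception must come first) are this example's own.

```python
import fnmatch
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"
REQUIRED = ["*.xml", "*.xslt", "*.config.xml", "*.mrt"]  # patterns from this page

# Constructed sample handler lines (the name values are illustrative).
DENY = [f'<add path="{p}" verb="*" type="{FORBIDDEN}" name="{p}" '
        'preCondition="integratedMode"/>' for p in REQUIRED]
ALLOW = ('<add path="sitemap.xml" verb="GET" '
         'type="System.Web.StaticFileHandler" name="xml allow"/>')


def wrap(handler_lines):
    """Build a minimal web.config around the given <add> lines (constructed input)."""
    return ("<configuration><system.webServer><handlers>"
            + "".join(handler_lines)
            + "</handlers></system.webServer></configuration>")


def audit_handlers(config_xml):
    """Return a list of findings for the <system.webServer><handlers> section."""
    root = ET.fromstring(config_xml)
    adds = root.findall("./system.webServer/handlers/add")
    entries = [(a.get("path", "").lower(), a.get("type", "")) for a in adds]
    findings = []

    # 1. Every extension covered by the article must have a forbidden handler.
    denied = {path for path, typ in entries if typ.startswith(FORBIDDEN)}
    for pattern in REQUIRED:
        if pattern not in denied:
            findings.append(f"missing forbidden handler for {pattern}")

    # 2. An exception must come before any deny handler whose pattern matches it.
    for i, (path, typ) in enumerate(entries):
        if typ.startswith(FORBIDDEN):
            continue
        for earlier_path, earlier_type in entries[:i]:
            if (earlier_type.startswith(FORBIDDEN)
                    and fnmatch.fnmatchcase(path, earlier_path)):
                findings.append(
                    f"{path} is listed after {earlier_path}, so it stays blocked")
                break
    return findings


if __name__ == "__main__":
    # Wrong order on purpose: the exception follows the deny handlers.
    for finding in audit_handlers(wrap(DENY + [ALLOW])):
        print(finding)
```

To audit a real installation, read the web.config file into a string and pass it to audit_handlers; an empty list means both checks passed.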
