Platform Administration and Architecture

Limit access to .XML, .XSLT, and .MRT files

Applies to: All core roles

Sitecore Installation Framework: Access is not limited by default.

Azure Toolkit: Access is not limited by default.

To improve the security of your Sitecore installation, you must edit the web.config file. This file is stored in the Website folder of your installation, for example at: C:\Inetpub\wwwroot\YourWebsite\Website.

To limit access to .XML, .XSLT, and .MRT files:

  1. Open the web.config file.

  2. In the <system.webServer><handlers> section, add the following lines:

    <system.webServer>
    <handlers>
        <!-- HttpForbiddenHandler returns 403 Forbidden for requests that match the path -->
        <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>
        <add path="*.xslt" verb="*" type="System.Web.HttpForbiddenHandler" name="xslt (integrated)" preCondition="integratedMode"/>
        <add path="*.config.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="config.xml (integrated)" preCondition="integratedMode"/>
        <add path="*.mrt" verb="*" type="System.Web.HttpForbiddenHandler" name="mrt (integrated)" preCondition="integratedMode"/>
    </handlers>
    </system.webServer>

This restricts access to all .XML, .XSLT, and .MRT files.

To allow a specific file path to be accessed in an unrestricted manner:

  1. Open the web.config file.

  2. In the <system.webServer><handlers> section, before the handlers that limit access, add the following line, where sitemap.xml is the file you want to allow unrestricted access to:

    <add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow" />
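To confirm that an edited web.config follows both procedures above, the handler list can be checked offline. The following is an added example, not part of the Sitecore documentation: the function name `audit_handlers` and the sample configuration are constructed for illustration, and the check assumes handlers are declared only with `<add>` elements (no `<remove>` or `<clear>`).

```python
import xml.etree.ElementTree as ET

FORBIDDEN_TYPE = "System.Web.HttpForbiddenHandler"
RESTRICTED_EXTS = (".xml", ".xslt", ".mrt")  # extensions this page restricts

# Constructed sample: the sitemap.xml allow entry sits after the deny handlers,
# and the *.mrt deny handler is missing.
SAMPLE = """<configuration><system.webServer><handlers>
  <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>
  <add path="*.xslt" verb="*" type="System.Web.HttpForbiddenHandler" name="xslt (integrated)" preCondition="integratedMode"/>
  <add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow"/>
</handlers></system.webServer></configuration>"""

def audit_handlers(web_config_text):
    """Return a list of findings for the <system.webServer><handlers> section."""
    root = ET.fromstring(web_config_text)
    handlers = root.find("system.webServer/handlers")
    if handlers is None:
        return ["no <system.webServer><handlers> section found"]
    entries = [(e.get("path", "").lower(), e.get("type", ""), e.get("name", ""))
               for e in handlers.findall("add")]
    findings = []
    for ext in RESTRICTED_EXTS:
        # Index of the deny handler for this extension, if one is present.
        deny_at = next((i for i, (p, t, _) in enumerate(entries)
                        if p == "*" + ext and t == FORBIDDEN_TYPE), None)
        if deny_at is None:
            findings.append(f"missing HttpForbiddenHandler for *{ext}")
            continue
        for i, (path, htype, name) in enumerate(entries):
            if htype == FORBIDDEN_TYPE or not path.endswith(ext):
                continue  # only non-deny handlers for this extension matter here
            if "*" in path:
                findings.append(f"'{name}' allows wildcard path {path}")
            elif i > deny_at:
                findings.append(f"'{name}' ({path}) is listed after the *{ext} deny rule")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_handlers(SAMPLE)) or "handlers OK")
```

An empty result means every restricted extension has a deny handler and each single-file allow entry is placed before it, as the second procedure requires.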