Limit access to XML, XSLT, and MRT files

Abstract

How to limit access to XML, XSLT, and MRT files on your Sitecore implementation.

Applies to

All core roles

Sitecore Installation Framework

Access is not limited by default.

Azure Toolkit

Access is not limited by default.

To improve the security of your Sitecore installation, edit the web.config file with general Sitecore settings, and disable the web.config file with EXM settings.

To limit access to XML, XSLT, and MRT files:

  1. Open the web.config file with general Sitecore settings. This is stored in the top-level folder of your installation, or in the Website folder.

  2. In the <system.webServer><handlers> section, add the following lines:

    <system.webServer>
      <handlers>
        <!-- Return 403 Forbidden for any request that matches these paths -->
        <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>
        <add path="*.xslt" verb="*" type="System.Web.HttpForbiddenHandler" name="xslt (integrated)" preCondition="integratedMode"/>
        <add path="*.config.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="config.xml (integrated)" preCondition="integratedMode"/>
        <add path="*.mrt" verb="*" type="System.Web.HttpForbiddenHandler" name="mrt (integrated)" preCondition="integratedMode"/>
      </handlers>
    </system.webServer>

    This restricts access to all XML, XSLT, and MRT files.

  3. Disable the web.config file that has EXM settings. This is in the \sitecore modules\Shell\EmailCampaign\ folder.

Allow unrestricted access to a specific file path

After you have disabled the general access to XML, XSLT, and MRT files, you might want to allow access to specific files.

To allow the files for a specific file path to be accessed in an unrestricted manner:

  1. Open the web.config file with general Sitecore settings.

  2. In the <system.webServer><handlers> section, before the handlers that limit access, add the following line, where sitemap.xml is the file you want to allow unrestricted access to:

    <add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow" />
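
To check both procedures after editing, the following added example (not part of the Sitecore documentation) audits a web.config for the four deny handlers and flags any allow entry placed after a deny handler that matches it. The function name `audit_handlers` and both sample configurations are constructed for illustration, and the check assumes the `type` attribute is written exactly as shown on this page.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

FORBIDDEN = "System.Web.HttpForbiddenHandler"
STATIC = "System.Web.StaticFileHandler"
REQUIRED = ["*.xml", "*.xslt", "*.config.xml", "*.mrt"]  # paths from step 2 above

def audit_handlers(config_text):
    """Return findings for <system.webServer><handlers>; an empty list means OK."""
    handlers = ET.fromstring(config_text).find("system.webServer/handlers")
    if handlers is None:
        return ["no <system.webServer><handlers> section found"]
    findings, first_deny = [], {}
    entries = [(a.get("path", "").lower(), a.get("type", ""))
               for a in handlers.findall("add")]
    for pos, (path, htype) in enumerate(entries):
        if htype == FORBIDDEN:
            first_deny.setdefault(path, pos)  # remember the earliest deny entry
    for pattern in REQUIRED:
        if pattern not in first_deny:
            findings.append(f"missing deny handler for {pattern}")
    # An allow entry must sit before every deny pattern that matches its path.
    for pos, (path, htype) in enumerate(entries):
        if htype != STATIC:
            continue
        for pattern, deny_pos in first_deny.items():
            if fnmatchcase(path, pattern) and deny_pos < pos:
                findings.append(f"allow rule for {path} is placed after deny handler {pattern}")
    return findings

# Constructed sample configurations (not taken from a real installation).
GOOD = """<configuration><system.webServer><handlers>
  <add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow" />
  <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>
  <add path="*.xslt" verb="*" type="System.Web.HttpForbiddenHandler" name="xslt (integrated)" preCondition="integratedMode"/>
  <add path="*.config.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="config.xml (integrated)" preCondition="integratedMode"/>
  <add path="*.mrt" verb="*" type="System.Web.HttpForbiddenHandler" name="mrt (integrated)" preCondition="integratedMode"/>
</handlers></system.webServer></configuration>"""

BAD = """<configuration><system.webServer><handlers>
  <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>
  <add path="*.xslt" verb="*" type="System.Web.HttpForbiddenHandler" name="xslt (integrated)" preCondition="integratedMode"/>
  <add path="*.config.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="config.xml (integrated)" preCondition="integratedMode"/>
  <add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow" />
</handlers></system.webServer></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_handlers(cfg) or "OK")
```

To audit a real installation, pass the contents of the web.config file with general Sitecore settings to `audit_handlers`.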