1. Hardening

Limit access to .XML, .XSLT, and .MRT files

Version:

To improve the security of your Sitecore installation, you must edit the web.config file. This file is stored in the Website folder of your installation, for example at: C:\Inetpub\wwwroot\YourWebsite\Website.

To limit access to .XML, .XSLT, and .MRT files:

  1. Open the web.config file.

  2. In the <system.webServer><handlers> section, add the following lines:

    <system.webServer>
  <handlers>
    <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>
    <add path="*.xslt" verb="*" type="System.Web.HttpForbiddenHandler" name="xslt (integrated)" preCondition="integratedMode"/>
    <add path="*.config.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="config.xml (integrated)" preCondition="integratedMode"/>
    <add path="*.mrt" verb="*" type="System.Web.HttpForbiddenHandler" name="mrt (integrated)" preCondition="integratedMode"/>

This restricts access to all .XML, .XSLT, and .MRT files.

To allow a specific file path to be accessed in an unrestricted manner, such as, /sitemap.xml:

  1. Open the web.config file.

  2. In the <system.webServer><handlers> section, before the handlers that limit access, add the following line:

    <add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow" />
If you have suggestions for improving this article, let us know!