Sitecore.Services.Client security

Current version: 9.0

The EntityService and the ItemService use the Web API ActionFilters ActionFilters to determine whether they handle or reject a request.

Sitecore.Services.Client provides two layers of security:

  • A security policy that applies to all Sitecore.Services.Client requests.

  • Individual filters that can add additional requirements on requests that are to be executed.

The ItemService has some additional security settings:

  • Request security context – Requests to the ItemService run in the context of the current Sitecore user.

  • Two routes for authentication:

    • auth/login

    • auth/logout

    You must make requests to auth/login over HTTPS.

    When you make requests to this route from JavaScript, you must load the whole page over HTTPS to avoid the request failing because it is Cross-Origin.

  • Anonymous access

    The default is that the extranet\Anonymous user does not have access to the ItemService. You change this behavior with the Sitecore.Services.AllowAnonymousUser setting in the Sitecore.Services.Client configuration file.

    When you set Sitecore.Services.AllowAnonymousUser to true, the ItemService executes anonymous requests in the security context of the user defined in the Sitecore.Services.AnonymousUser configuration setting. By default, such requests run as the sitecore\ServicesAPI user, using user impersonation.


When using the Federated Experience Manager (FXM), ensure the Security database on the CD instance is enabled.

Security policies

Sitecore.Services.Client ships with three security policies:

  • Sitecore.Services.Infrastructure.Web.Http.Security.ServicesOffPolicy: This policy denies access to all Entity and ItemServices.

  • Sitecore.Services.Infrastructure.Web.Http.Security.ServicesLocalOnlyPolicy: This policy denies access to all Entity and ItemServices from requests originating from remote clients.

  • Sitecore.Services.Infrastructure.Web.Http.Security.ServicesOnPolicy: This policy allows access to all Entity and ItemServices.

You configure a security policy with the Sitecore.Services.SecurityPolicy setting in the Sitecore.Services.Client.config file. The default value is ServicesLocalOnlyPolicy.

You can create custom security policies by implementing the Sitecore.Services.Infrastructure.Web.Http.Security.IAuthorizePolicy interface and specifying the custom class name in the Sitecore.Services.SecurityPolicy configuration setting.

Exclude controllers from security policies

You can exclude controllers from the security policy you use. To do this, add an allowedController element under api/services/configuration/allowedControllers in the Sitecore.Services.Client.config file.

Authorization filters

The sitecore/api/configuration/filters section in the Sitecore.Services.Client.config configuration file defines what action filters Sitecore.Services.Client installs.

It installs the following filters by default:

  • Sitecore.Services.Infrastructure.Web.Http.Filters.AnonymousUserFilter

    This filter ensures that the requests to the ItemService respect the configuration settings for unauthenticated users.

  • Sitecore.Services.Infrastructure.Web.Http.Filters.SecurityPolicyAuthorisationFilter

    This filter runs the security policy defined in the Sitecore.Services.SecurityPolicy configuration setting.

  • Sitecore.Services.Infrastructure.Web.Http.Filters.RequireHttpsFilter

    This filter makes HTTPS mandatory for all Web API requests to the site. It is commented out by default.

  • Sitecore.Services.Infrastructure.Web.Http.Filters.ServicesRequireHttpsFilter

    This filter makes HTTPS mandatory for all EntityService and ItemService requests. It is commented out by default.

Custom authorization filters

To create a custom authorization filter:

  • Derive a filter class from System.Web.Http.Filters.AuthorizationFilterAttribute and override the OnAuthorization(HttpActionContext actionContext) method.

  • Add the new filter class definition to the sitecore/api/configuration/filters section in the Sitecore.Services.Client.config configuration file.

Do you have some feedback for us?

If you have suggestions for improving this article,