Secure the Telerik controls

Current version: 9.1

Applies to

All core roles. Note that instructions differ for Content Management.

Sitecore Installation Framework

Telerik controls are not disabled by default.

Azure Toolkit

Telerik controls are disabled by default.

Sitecore uses some UI controls from Telerik. These controls are only used in a Content Management environment.

To reduce the attack surface area:

  1. In all non-Content Management environments, in the web.config file, remove the following nodes:

    <add name="Telerik_Web_UI_DialogHandler_aspx" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" />
    <add name="Telerik_Web_UI_SpellCheckHandler_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.SpellCheckHandler.axd" type="Telerik.Web.UI.SpellCheckHandler" />
    <add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />
  2. In a Content Management environment, you must configure the encryption key that is used to secure the Telerik upload control.

    In the web.config file, in the appSettings section, create a node for the Telerik configuration encryption keys:

    For example:

        <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
        <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR_ENCRYPTION_KEY_HERE" />
        <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />

    Replace the “YOUR_ENCRYPTION_KEY_HERE” placeholder text with a string of characters that are used to secure the Telerik controls.

    The string should be a set of random characters and numbers, with a maximum length of 256 characters. We recommend that you use a minimum of 32 characters.

For more information, see the Telerik documentation.

Do you have some feedback for us?

If you have suggestions for improving this article,