Secure the Telerik controls
Applies to | All core roles. Note that instructions differ for Content Management.
Sitecore Installation Framework | Telerik controls are not disabled by default.
Azure Toolkit | Telerik controls are disabled by default.
Sitecore uses some UI controls from Telerik. These controls are only used in a Content Management environment.
To reduce the attack surface area:
- In all non-Content Management environments, in the web.config file, remove the following nodes:

    <add name="Telerik_Web_UI_DialogHandler_aspx" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" />
    <add name="Telerik_Web_UI_SpellCheckHandler_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.SpellCheckHandler.axd" type="Telerik.Web.UI.SpellCheckHandler" />
    <add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />
- In a Content Management environment, you must configure the encryption key that is used to secure the Telerik upload control. In the web.config file, in the appSettings section, create a node for the Telerik configuration encryption keys. For example:

    <appSettings>
      <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
      <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR_ENCRYPTION_KEY_HERE" />
      <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
    </appSettings>
Replace the “YOUR_ENCRYPTION_KEY_HERE” placeholder text with a string of characters that are used to secure the Telerik controls.
The string should be a set of random characters and numbers, with a maximum length of 256 characters. We recommend that you use a minimum of 32 characters.
For more information, see the Telerik documentation.
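
The following PowerShell is an added example, not code from Sitecore or Telerik: a read-only audit of a web.config against both steps above, plus a key generator that meets the length recommendation. The function names `Test-TelerikHardening` and `New-TelerikKey` are hypothetical, and the script assumes the file has a `configuration` root element without a default XML namespace.

```powershell
# Handler names and appSettings keys exactly as listed on this page.
$TelerikHandlers = 'Telerik_Web_UI_DialogHandler_aspx',
                   'Telerik_Web_UI_SpellCheckHandler_axd',
                   'Telerik_Web_UI_WebResource_axd'
$TelerikKeys = 'Telerik.AsyncUpload.ConfigurationEncryptionKey',
               'Telerik.Upload.ConfigurationHashKey',
               'Telerik.Web.UI.DialogParametersEncryptionKey'

function New-TelerikKey {
    # 32 bytes from the OS CSPRNG, hex-encoded: 64 letters and digits.
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function Test-TelerikHardening {
    param(
        [Parameter(Mandatory)] [string] $WebConfigPath,
        [switch] $ContentManagement   # set on CM roles only
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load((Resolve-Path -LiteralPath $WebConfigPath).ProviderPath)
    $findings = @()

    if (-not $ContentManagement) {
        # Non-CM roles: none of the three handler nodes should remain.
        foreach ($name in $TelerikHandlers) {
            if ($null -ne $xml.SelectSingleNode("//add[@name='$name']")) {
                $findings += "Handler still registered: $name"
            }
        }
    } else {
        # CM role: each key must exist, be replaced, and be 32-256 characters.
        foreach ($key in $TelerikKeys) {
            $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
            if ($null -eq $node) { $findings += "Missing appSetting: $key"; continue }
            $value = $node.GetAttribute('value')
            if ($value -eq 'YOUR_ENCRYPTION_KEY_HERE') {
                $findings += "Placeholder not replaced: $key"
            } elseif ($value.Length -lt 32 -or $value.Length -gt 256) {
                $findings += "Key length $($value.Length) outside 32-256: $key"
            }
        }
    }
    return $findings
}
```

Run `Test-TelerikHardening -WebConfigPath <path>` on non-Content Management roles and add `-ContentManagement` on the CM role; an empty result means no findings.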