Limit access to .XML, .XSLT, and .MRT files

Abstract

Improve the security of your installation by limiting the access to .XML, .XSLT, and .MRT files.

To improve the security of your Sitecore installation, you must edit the web.config file. This file is stored in the Website folder of your installation, for example at: C:\Inetpub\wwwroot\YourWebsite\Website.

To limit access to .XML, .XSLT, and .MRT files:

  1. Open the web.config file.

  2. In the <system.webServer><handlers> section, add the following lines:

    <system.webServer>
      <handlers>
        <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>
        <add path="*.xslt" verb="*" type="System.Web.HttpForbiddenHandler" name="xslt (integrated)" preCondition="integratedMode"/>
        <add path="*.config.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="config.xml (integrated)" preCondition="integratedMode"/>
        <add path="*.mrt" verb="*" type="System.Web.HttpForbiddenHandler" name="mrt (integrated)" preCondition="integratedMode"/>
      </handlers>
    </system.webServer>

This restricts access to all .XML, .XSLT, and .MRT files.

To allow unrestricted access to a specific file path, such as /sitemap.xml:

  1. Open the web.config file.

  2. In the <system.webServer><handlers> section, before the handlers that limit access, add the following line:

    <add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow" />
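
A way to check the result of both procedures, as an added example that is not Sitecore's own code: the PowerShell function below parses a web.config and reports missing deny handlers, deny handlers that do not cover all verbs, and allow entries placed after the deny handlers. The function name Test-ForbiddenHandlers and the sample configuration are constructed for illustration, and the XPath assumes the file declares no default XML namespace.

```powershell
# Added example: audits the <handlers> section described on this page.
# Test-ForbiddenHandlers and the sample config below are constructed for illustration.
function Test-ForbiddenHandlers {
    param([Parameter(Mandatory)][xml]$Config)

    $deny     = 'System.Web.HttpForbiddenHandler'
    $required = '*.xml', '*.xslt', '*.config.xml', '*.mrt'
    # <add> entries in document order (assumes web.config has no default XML namespace).
    $handlers = @($Config.SelectNodes('/configuration/system.webServer/handlers/add'))
    $findings = @()
    $firstDeny = -1

    for ($i = 0; $i -lt $handlers.Count; $i++) {
        if ($handlers[$i].GetAttribute('type') -eq $deny -and
            $required -contains $handlers[$i].GetAttribute('path')) {
            if ($firstDeny -lt 0) { $firstDeny = $i }
            if ($handlers[$i].GetAttribute('verb') -ne '*') {
                $findings += "WEAK: deny handler for $($handlers[$i].GetAttribute('path')) does not cover all verbs"
            }
        }
    }
    foreach ($pattern in $required) {
        $hit = $handlers | Where-Object {
            $_.GetAttribute('path') -eq $pattern -and $_.GetAttribute('type') -eq $deny }
        if (-not $hit) { $findings += "MISSING: no HttpForbiddenHandler entry for $pattern" }
    }
    # Allow entries (StaticFileHandler) must sit before the deny handlers, as step 2 states.
    for ($i = 0; $i -lt $handlers.Count; $i++) {
        $h = $handlers[$i]
        if ($h.GetAttribute('type') -eq 'System.Web.StaticFileHandler' -and
            $firstDeny -ge 0 -and $i -gt $firstDeny) {
            $findings += "ORDER: allow entry '$($h.GetAttribute('path'))' is placed after a deny handler"
        }
    }
    return $findings
}

# Constructed sample: two deny handlers missing, and the allow entry in the wrong position.
[xml]$sample = @'
<configuration><system.webServer><handlers>
  <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>
  <add path="*.xslt" verb="*" type="System.Web.HttpForbiddenHandler" name="xslt (integrated)" preCondition="integratedMode"/>
  <add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow"/>
</handlers></system.webServer></configuration>
'@
Test-ForbiddenHandlers -Config $sample

# Real file: Test-ForbiddenHandlers -Config ([xml](Get-Content -Raw <path to web.config>))
```

An empty result means all four deny handlers are present with verb="*" and every StaticFileHandler allow entry precedes them.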