Secure the Telerik controls

Last updated Wednesday, June 28, 2017 in Sitecore Experience Platform for Administrator, Developer
Keywords: Security

Sitecore uses some UI controls from Telerik. These controls are only used in a Content Management environment.

To reduce the attack surface area:

  1. In a Content Delivery environment, in the web.config file, remove the following nodes:
    <add name="Telerik_Web_UI_DialogHandler_aspx" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" />
    <add name="Telerik_Web_UI_SpellCheckHandler_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.SpellCheckHandler.axd" type="Telerik.Web.UI.SpellCheckHandler" />
    <add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />
  2. In a Content Management environment, you must configure the encryption key that is used to secure the Telerik upload control.

    In the web.config file, in the appSettings section, create a node for the Telerik configuration encryption key and set its value to a strong random value that is unique to your application.

    For example:

    <appSettings>
        <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
    </appSettings>
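
One way to check both steps above against a web.config file, as an added example that is not part of the original Sitecore page. The function name `audit_web_config`, the role labels `CD`/`CM`, the 32-character minimum and the sample files are assumptions made for this sketch; the handler names and the appSettings key come from the page.

```python
import xml.etree.ElementTree as ET

# Handler names the page says to remove from a Content Delivery web.config.
TELERIK_HANDLERS = {
    "Telerik_Web_UI_DialogHandler_aspx",
    "Telerik_Web_UI_SpellCheckHandler_axd",
    "Telerik_Web_UI_WebResource_axd",
}
KEY_NAME = "Telerik.AsyncUpload.ConfigurationEncryptionKey"
PLACEHOLDER = "STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP"
MIN_KEY_LENGTH = 32  # assumption for this example; the page sets no minimum

def audit_web_config(xml_text, role):
    """Return a list of findings for role 'CD' or 'CM' (hypothetical labels)."""
    root = ET.fromstring(xml_text)
    findings = []
    if role == "CD":
        for node in root.iter("add"):
            if node.get("name") in TELERIK_HANDLERS:
                findings.append("handler still registered: " + node.get("name"))
    elif role == "CM":
        values = [n.get("value", "") for s in root.iter("appSettings")
                  for n in s.findall("add") if n.get("key") == KEY_NAME]
        if not values:
            findings.append("encryption key is not configured")
        elif values[-1] == PLACEHOLDER:
            findings.append("encryption key is still the documentation placeholder")
        elif len(values[-1]) < MIN_KEY_LENGTH:
            findings.append("encryption key is shorter than %d characters" % MIN_KEY_LENGTH)
    else:
        raise ValueError("role must be 'CD' or 'CM'")
    return findings

# Constructed sample: a CD web.config that still has one Telerik handler.
SAMPLE_CD = """<configuration><system.webServer><handlers>
  <add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode"
       path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />
</handlers></system.webServer></configuration>"""
# Constructed sample: a CM web.config where the placeholder was pasted verbatim.
SAMPLE_CM = """<configuration><appSettings>
  <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey"
       value="STRONG-RANDOM-VALUE-UNIQUE-TO-YOUR-APP" />
</appSettings></configuration>"""

if __name__ == "__main__":
    for role, text in (("CD", SAMPLE_CD), ("CM", SAMPLE_CM)):
        for finding in audit_web_config(text, role):
            print(role, finding)
```

An empty list means the file passes the checks for that role; to audit a real file, pass its contents as `xml_text`.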

For more information, see the Telerik documentation: http://docs.telerik.com/devtools/aspnet-ajax/controls/asyncupload/security