If your Sitecore installation contains sensitive information that you want to protect, you can disable the Sitecore client RSS feeds.
RSS technology is designed so that users who follow an RSS link can come directly to the item specified in the URL of the RSS feed. Most RSS readers do not support authentication.
This means that users who subscribe to Sitecore client RSS feeds have direct access to the item specified in the URL of the feed and do not have to identify themselves to the Sitecore security system when they view the feed. However, the Sitecore security system verifies that they are authorized users when they try to perform any actions associated with the client feed.
If an unauthorized user gains access to the URL of a client RSS feed:
- They can follow the link and view all the content contained in the client feed even though their own security permissions do not give them access to this item.
- They cannot perform any actions on the content.
- They cannot view any other content.
- They cannot gain access to the user name or password of the original owner of the client feed.
- They cannot modify the link to gain access to any other content.
Sitecore users should not share client RSS feeds.
To disable Sitecore client
- Open the
- Locate the <httpHandlers> section. Depending on your IIS pool, this section may be called
- Remove the following handler:
<add verb="*" path="sitecore_feed.ashx" type="Sitecore.Shell.Feeds.FeedRequestHandler, Sitecore.Kernel"/>
When you remove this handler, you disable all the client feeds that are available inside Sitecore. Any public RSS feeds that you have created are still available to website visitors.
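The following script is an added example, not part of the Sitecore documentation or product, for checking that the feed handler removal described above actually took effect. It assumes the handler registration can appear in two places: <httpHandlers> under <system.web> (the section the text names) and, as an assumption about IIS integrated-mode layout that the page does not spell out, <handlers> under <system.webServer>. The sample web.config it parses is constructed for the example; only the sitecore_feed.ashx path and the FeedRequestHandler type come from the text above.

```python
"""Audit a Sitecore web.config for the client RSS feed handler.

Added example, not Sitecore's own tooling. The handler path and type are
the ones quoted in the documentation; the two section locations are an
assumption about where IIS classic and integrated pipelines read handler
registrations from.
"""
import sys
import xml.etree.ElementTree as ET

FEED_PATH = "sitecore_feed.ashx"
FEED_TYPE = "Sitecore.Shell.Feeds.FeedRequestHandler, Sitecore.Kernel"

# Sections that can carry a handler registration (assumed layout, see above).
HANDLER_SECTIONS = (
    "./system.web/httpHandlers",       # classic pipeline
    "./system.webServer/handlers",     # integrated pipeline (assumption)
)

# Constructed sample: a trimmed web.config in which the feed handler is
# still registered in both sections. "example_other.ashx" is a placeholder
# handler that must survive the removal.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="example_other.ashx" type="Example.OtherHandler, Example"/>
      <add verb="*" path="sitecore_feed.ashx" type="Sitecore.Shell.Feeds.FeedRequestHandler, Sitecore.Kernel"/>
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <add verb="*" path="example_other.ashx" type="Example.OtherHandler, Example" name="Example.OtherHandler"/>
      <add verb="*" path="sitecore_feed.ashx" type="Sitecore.Shell.Feeds.FeedRequestHandler, Sitecore.Kernel" name="Sitecore.FeedRequestHandler"/>
    </handlers>
  </system.webServer>
</configuration>
"""


def _is_feed_handler(add_element):
    """True if an <add> element registers the client feed handler.

    Matching on either the path or the type catches a registration whose
    other attribute was edited but which still routes feed requests.
    """
    path = (add_element.get("path") or "").strip().lower()
    handler_type = (add_element.get("type") or "").strip()
    return path == FEED_PATH or handler_type == FEED_TYPE


def find_feed_handlers(config_xml):
    """Return the section paths in which the client feed handler is still registered."""
    root = ET.fromstring(config_xml)
    hits = []
    for section in HANDLER_SECTIONS:
        node = root.find(section)
        if node is None:
            continue
        if any(_is_feed_handler(add) for add in node.findall("add")):
            hits.append(section)
    return hits


def remove_feed_handlers(config_xml):
    """Return the config with every client feed handler registration removed.

    Other handlers in the same sections are left untouched, mirroring the
    manual step of deleting only the sitecore_feed.ashx <add> line.
    """
    root = ET.fromstring(config_xml)
    for section in HANDLER_SECTIONS:
        node = root.find(section)
        if node is None:
            continue
        for add in list(node.findall("add")):
            if _is_feed_handler(add):
                node.remove(add)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Audit a real web.config if a path is given, otherwise the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            config = fh.read()
    else:
        config = SAMPLE_WEB_CONFIG
    remaining = find_feed_handlers(config)
    if remaining:
        print("client feed handler still registered in:", ", ".join(remaining))
    else:
        print("client feed handler not registered; client RSS feeds are disabled")
```

Run it against a copy of the site's web.config after the edit; a non-empty result means a registration survived in a section the manual step did not cover, and the public RSS feeds mentioned above are unaffected either way because they do not use this handler.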