Limit access to .XML, .XSLT, and .MRT files

Last updated Monday, July 10, 2017 in Sitecore Experience Platform for Administrator, Developer
Keywords: Security

To improve the security of your Sitecore installation, you must edit the web.config file. This file is stored in the Website folder of your installation, for example at: C:\Inetpub\wwwroot\YourWebsite\Website.

To limit access to .XML, .XSLT, and .MRT files:

  1. Open the web.config file.
  2. In the <system.webServer><handlers> section, add the following lines:
    <system.webServer>
      <handlers>
        <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>
        <add path="*.xslt" verb="*" type="System.Web.HttpForbiddenHandler" name="xslt (integrated)" preCondition="integratedMode"/>
        <add path="*.config.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="config.xml (integrated)" preCondition="integratedMode"/>
        <add path="*.mrt" verb="*" type="System.Web.HttpForbiddenHandler" name="mrt (integrated)" preCondition="integratedMode"/>
      </handlers>
    </system.webServer>

This restricts access to all .XML, .XSLT, and .MRT files.

To allow unrestricted access to a specific file path, such as /sitemap.xml:

  1. Open the web.config file.
  2. In the <system.webServer><handlers> section, before the handlers that limit access, add the following line:
    <add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow" />
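
One way to check a web.config against both procedures above is to parse the handlers section and confirm that all four forbidden handlers are present and that any exception is listed before the handler that would block it. This is an added example, not Sitecore code; the function name `audit_handlers` and the sample configurations are constructed for illustration, and it assumes a web.config whose root element carries no XML namespace.

```python
import fnmatch
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"
ALLOW = "System.Web.StaticFileHandler"
RESTRICTED = ["*.xml", "*.xslt", "*.config.xml", "*.mrt"]  # patterns from the page

def audit_handlers(web_config_text):
    """Return a list of findings; an empty list means the handlers match the page."""
    root = ET.fromstring(web_config_text)
    section = root.find("system.webServer/handlers")
    if section is None:
        return ["no <system.webServer><handlers> section found"]
    adds = section.findall("add")
    # Position of the first forbidden handler for each restricted pattern.
    deny_pos = {}
    for i, h in enumerate(adds):
        path = h.get("path", "").lower()
        if h.get("type") == FORBIDDEN and path in RESTRICTED:
            deny_pos.setdefault(path, i)
    findings = [f"missing forbidden handler for {p}" for p in RESTRICTED if p not in deny_pos]
    # The page places exceptions before the handlers that limit access;
    # flag any exception that comes after a handler matching its path.
    for i, h in enumerate(adds):
        if h.get("type") != ALLOW:
            continue
        path = h.get("path", "").lower()
        for pattern, pos in deny_pos.items():
            if fnmatch.fnmatch(path, pattern) and i > pos:
                findings.append(f"exception '{path}' is listed after the {pattern} handler")
    return findings

def _config(handler_lines):  # builds a constructed web.config for the demo
    body = "".join(handler_lines)
    return f"<configuration><system.webServer><handlers>{body}</handlers></system.webServer></configuration>"

DENY = ['<add path="%s" verb="*" type="%s" name="%s (integrated)" preCondition="integratedMode"/>'
        % (p, FORBIDDEN, p.lstrip("*.")) for p in RESTRICTED]
SITEMAP = '<add path="sitemap.xml" verb="GET" type="%s" name="xml allow" />' % ALLOW

GOOD = _config([SITEMAP] + DENY)        # exception first, as the page instructs
MISORDERED = _config(DENY + [SITEMAP])  # exception after the blocking handlers
INCOMPLETE = _config(DENY[:2])          # *.config.xml and *.mrt left out

if __name__ == "__main__":
    for label, cfg in [("good", GOOD), ("misordered", MISORDERED), ("incomplete", INCOMPLETE)]:
        print(label, audit_handlers(cfg))
```

To audit a real installation, pass the contents of the web.config file in the Website folder to `audit_handlers`.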