Sitecore’s Minimum Security Settings

This article is for minimum security settings that every sitecore’s production website including real estate and campaigns should have although for detailed security settings you may consider security cookbook guide from sitecore.

Version Disclosure (ASP.NET)

Version header could be helpful for hackers to exploit the know loopholes of specific version of


Set enableVersionHeader to false in web.config as

<httpRuntime maxRequestLength="512000" executionTimeout="600" enableKernelOutputCache="false" enableVersionHeader="false" />

Password Policy

By default sitecore’s password policy is too weak that it can accept only one character as password that could lead to none authorized access as some of the passwords would be easy guessable.

Don’t forget to change password for default admin user with well known password b


To implement password policy as required, here we are applying not too complex but strong enough to be called secured credentials, Find System.Web.Security.SqlMembershipProvider in web.config file and update below mentioned attributes

  • minRequiredPasswordLength=”6″
  • minRequiredNonalphanumericCharacters=”1″
  • maxInvalidPasswordAttempts=”5″

After update configuration element would be like below.

<add name="sql" type="System.Web.Security.SqlMembershipProvider" connectionStringName="core" applicationName="sitecore" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="1" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" />

Encrypt View State

View state could reveal application’s state management logic which might have known/identified vulnerabilities to be exploit and in case if you stores application-critical information in ViewState that could also be revealed. Lastly but not least unencrypted and long characterized viewstate would also increase page size.


In order to encrypt viewstate we need to update viewStateEncryptionMode to Always in web.config as shown below.

<pages validateRequest="false" viewStateEncryptionMode="Always">

Form Autocomplete

All form in website should have auto-complete attribute off because most of the browser and extensions have feature that will save form field data so that next time will auto-populate the field when default this feature is enabled and could expose sensitive informations because these informations are stored on user’s hard-drive. Specially for “/sitecore/login/changepassword.aspx”, “/sitecore/login/passwordrecovery.aspx” and “/sitecore/login”


Go to sitecore IIS instance and navigate to “sitecore > login” folder where you would have default sitecore’s Forms “changepassword.aspx”, “passwordrecovery.aspx” and “default.aspx” Find tags and add “autocomplete=”off”” attribute as below

<form id="LoginForm" runat="server" autocomplete="off">

If you have any other custom form with sensitive information then please also add this attribute to these forms.

Unencrypted OPTIONS Method

Option method in header provides a list of supported methods by web server such as Trace, Get, Head and Post etc.

If hacker have information that which methods are supported that might be useful for more specific and advance attack attempt

HTTP/1.1 200 OK
Date: Fri, 05 Jun 2015 04:31:29 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 0

It’s recommended to disable OPTION method on production web server


Add configurations to deny “OPTIONS” from response in web.config just authorization tags given below before closing tag line

<authorization><deny verbs="OPTIONS" users="*" /></authorization>

Cross Site Scripting (XSS)

If your application is taking any data from user or query string for processing then you should consider this vulnerability.Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user on his behalf. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.


You should validate and encode if rendering directly, also beware not to directly use in queries as it may work for sql injection too. Simple approach would be to encode as below other approaches and filters depends on your input

String inputString = Server.UrlDecode(WebUtil.GetQueryString("searchTerm"));
String encodedInputString = HttpContext.Current.Server.HtmlEncode(inputString);


Clickjacking also known as User Interface redress attack, UI redress attack or UI redressing is a malicious technique of tricking a user to click on something different from what he perceives or intended to click. I would also like to mention examples and known exploits for better understanding.

  • Tricking users into enabling their webcam and microphone through Flash (though this has since been fixed since originally reported)
  • Tricking users into making their social networking profile information public
  • Downloading and running a malware (malicious software) allowing to a remote attacker to take control of others computers.
  • Making users follow someone on Twitter
  • Sharing or liking links on Facebook
  • Getting likes on Facebook fan page[15] or +1 on Google Plus
  • Clicking Google Adsense ads to generate pay per click revenue
  • Playing YouTube videos to gain views
  • Following someone on Facebook


To enable the clickjacking security measure against any attack find tag in web.config file then insert below configurations under above tag.

  	<add name="X-Frame-Options" value="SAMEORIGIN" />

Expose email address (mailto) on website

Most of the website have email address on web pages which could be exploited by spammers and marketing agencies for their campaigns.They captures relevant content from internet through their application then normally crawls for email address.


You should encode/encrypt your email address that could not be easily readable for crawlers but targeted audience.

<a class="emailtxt" data-email=" info [at] transformsaudi [dot] com" style="cursor:pointer" onclick="linkTo_UnCryptMailto();"></a>

Error Mode

If custom error mode is Off or debug is enabled then some information about application logic could be revealed that might be useful for hackers. Also gives ugly impact on visitors.


You should have custom error pages for 404,500 and General Error which includes all other error codes as per your requirements only enable “RemoteOnly” mode while need to debug on production instance.

Understanding new facts, it turns out, depends on already having enough background knowledge to be able to make sense of the new facts