Tuesday, August 8, 2017

Code Your Way Corner Disable Edit and Preview Modes on your CD servers

A genuine brisk post on something that confused me and made them scratch my head a week ago. A partner said that when perusing the production site with ?sc_mode=edit attached to the URL then the site would endeavor to divert the client to /Sitecore/login page. Sometimes, it would cause an unending sidetrack and make the program toss a "diverted too often mistake".

All by itself, it didn't cause any security issues – the CM server was just open to our interior system and we had taken after server solidifying best practices and blocked access to the CMS interface on the Compact disc servers (we in reality simply restore a 404 as opposed to anything particular identified with getting to denied).

We had additionally effectively followed manual for designing a CD server so was almost certain it was not identified with having missed debilitating a file.

So I inquired as to whether it was normal conduct that adding ?sc_mode=edit would endeavor to divert to the login page on the CD servers, I would have anticipated that it would do nothing. Having then delved a little into the Setting code turns out that there is a setting for this which we had totally ignored.

Include the accompanying patch your CD servers (including an entry for each site if they don't utilize the inherits attribute):



 <configuration xmlns:patch="http://ift.tt/1lHcKTh" xmlns:set="http://ift.tt/2mgHMLB">  
<sitecore>
<sites>
<site name="MJProdWebSite"
set:enablePreview="false"
set:enableWebEdit="false"
set:enableDebugger="false"
set:allowDebug="false"
/>
</sites>
</sitecore>
</configuration>

The notes in sitecore.config states the following:

enableDebugger: Shows if the debugger is enabled on the site. Ordinarily, this is just the website. 

enablePreview: Shows if the preview is enabled on the site. Normally this is just the website. 

enableWebEdit: Shows if WebEdit is enabled on the web page. Normally this is just the website. 


allowDebug: Must be true if you want to troubleshoot the website.


So this impairs edit, preview and troubleshoot modes for your site, making it totally disregard those URL parameters.

Straightforward as that. I checked a couple of Websites I know to be running on Sitecore and they had a similar issue.

Query String ?sc_mode=edit
This is home page for site and before sending request to server with ?sc_mode=edit as query-string

After sending the Request parameters it redirects to Sitecore login as below.




Go check your production site as well, perhaps you have not handicapped this either, a simple one to disregard. It merits evaluating alternate attributes and crippling as vital while you are there.



via MJ-Space

Other Sites :
Code Your Way | Travel Guide

No comments:

Post a Comment