Securing MongoDB (Brief Notes)

So, Sitecore uses MongoDB, a product that has an interesting approach to security. When you install it, by default, it doesn’t have any. By default:

  • Mongo does not require authentication
  • Communication is unencrypted
  • In fact, if you can connect to it, you can bugger about with the data

This is, ahem, “suboptimal”. It is, however, possible to set it up. Options:

  • Restrict IP address access at the firewall. Good practice, to be honest, and not covered here.
  • Configure to use SSL
  • Configure to use a username/password in connection strings
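A quick way to check the last two options on a deployed site is to audit the MongoDB entries in ConnectionStrings.config. This is an added example, not code from the original post; the sample config, host names and credentials are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a Sitecore ConnectionStrings.config; hosts and
# credentials are placeholders, not values from the original post.
SAMPLE_CONFIG = """<connectionStrings>
  <add name="core" connectionString="Data Source=sql01;Database=Sitecore_Core;User ID=sc;Password=placeholder" />
  <add name="analytics" connectionString="mongodb://mongo01.example.internal:27017/sc_analytics" />
  <add name="tracking.live" connectionString="mongodb://sc_user:placeholder@mongo01.example.internal:27017/sc_tracking_live" />
  <add name="tracking.contact" connectionString="mongodb://sc_user:placeholder@mongo01.example.internal:27017/sc_tracking_contact?ssl=true" />
</connectionStrings>"""


def audit_mongo_connection(conn) -> list:
    """Return a list of findings for one mongodb:// connection string."""
    parts = urlsplit(conn)
    findings = []
    # Credentials sit before the '@' in the authority part of the URI.
    if not (parts.username and parts.password):
        findings.append("no username/password")
    # Option names are case-insensitive; newer drivers also accept tls=true.
    options = {k.lower(): v[-1].lower() for k, v in parse_qs(parts.query).items()}
    if options.get("ssl") != "true" and options.get("tls") != "true":
        findings.append("SSL not enabled")
    return findings


def audit_config(xml_text) -> dict:
    """Map each MongoDB connection name to its findings (empty list = OK)."""
    report = {}
    for add in ET.fromstring(xml_text).iter("add"):
        conn = add.get("connectionString", "")
        # SQL Server entries live in the same file; only audit MongoDB ones.
        if conn.lower().startswith("mongodb://"):
            report[add.get("name")] = audit_mongo_connection(conn)
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

A clean report only shows what the client asks for; the MongoDB server still has to be configured to require authentication and SSL, otherwise other clients can connect without either.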


Don’t forget to set a machine key

When deploying Sitecore, especially if you’ve got multiple Content Delivery servers, don’t forget to set a <machineKey> in your web.config file.

The MachineKey is used to encrypt and secure the page’s ViewState. By default, the .NET framework uses that machine’s own MachineKey, but should your view state get sent to another content delivery server with a different key, well, then the ViewState will be invalid. That’s something of a problem.

Example Sitecore Robots.txt

Just a note of the example robots.txt file that I’m using in Sitecore:

User-agent: *
Disallow: /sitecore
Disallow: /Sitecore
Disallow: /sitecore_files/
Disallow: /sitecore modules/
Disallow: /App_Browsers/
Disallow: /App_config/
Disallow: /App_Data/
Disallow: /temp/
Disallow: /upload/
Disallow: /xsl/

Also, don’t forget to set up your Sitecore.Analytics.ExcludeRobots.config
