So, Sitecore uses MongoDB, a product that has an interesting approach to security. When you install it, by default, it doesn’t have any. By default:
- Mongo does not require authentication
- Communication is unencrypted
- In fact, if you can connect to it, you can bugger about with the data
This is, ahem, “suboptimal”. It is, however, possible to set it up securely. Options:
- Restrict IP address access at the firewall. Good practice, to be honest, and not covered here.
- Configure to use SSL
- Configure to use a username/password in connection strings
Continue reading “Securing MongoDB (Brief Notes)”
When deploying Sitecore, especially if you’ve got multiple Content Delivery servers, don’t forget to set a <machineKey> element in your web.config file.
The MachineKey is used to sign (and, if configured, encrypt) the page’s ViewState. By default, the .NET framework auto-generates a key unique to that machine, but should your ViewState get posted back to another Content Delivery server with a different key, the ViewState will fail validation. That’s something of a problem. Continue reading “Don’t forget to set a machine key”
I’ve seen a few projects recently where Session State Management in Sitecore had been somewhat ignored, despite the systems having multiple servers. Continue reading “Consider your Session State Management”
It would appear that Sitecore’s mail settings are, mostly, a handful of settings in web.config. At one level they are, and a simple patch file can be used to set them for your system. For example… Continue reading “Annoying Sitecore Email Settings”
Just a note of an example robots.txt file that I’m using in Sitecore (a Disallow rule only takes effect inside a User-agent group, so the group header is included):
User-agent: *
Disallow: /sitecore modules/
Also, don’t forget to set up your Sitecore.Analytics.ExcludeRobots.config