Disable Edit and Preview Modes on your CD servers

A real quick post on something that stumped me and had me scratching my head last week. A colleague mentioned that when browsing the Production site with ?sc_mode=edit appended to the URL, the site would attempt to redirect the user to the /sitecore/login page. In some cases it would cause an infinite redirect and cause the browser to throw a “redirected too many times” error.

In and of itself, it didn’t cause any security issues – the CM server was only accessible to our internal network and we had followed server hardening best practices and blocked access to the CMS interface on the CD servers (we actually just return a 404 rather than anything specific related to access denied).

We had also correctly followed the guide to configure a CD server, so I was pretty sure it was not related to having missed disabling a file.

So I asked on Slack if it was expected behaviour that appending ?sc_mode=edit would attempt to redirect to the login page on the CD servers; I would have expected it to do nothing. Having then dug a little into the Context code, it turns out there is a setting for this which we had completely overlooked.

Add the following patch on your CD servers (adding an entry for each site if they don’t use the inherits attribute):

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/" xmlns:set="http://www.sitecore.net/xmlconfig/set/">
  <sitecore>
       
    <sites>
      <site name="website" 
            set:enablePreview="false" 
            set:enableWebEdit="false"
            set:enableDebugger="false" 
            set:allowDebug="false" />
    </sites>
    
    <!-- This resolves a bug with Cross Site Links into multisite setup -->
    <settings>
      <setting name="Preview.ResolveSite" set:value="false" />
    </settings>

  </sitecore>
</configuration>

The notes in sitecore.config state the following:

enableDebugger: Indicates if the debugger is enabled on the site. Typically this is only the website.
enablePreview: Indicates if preview is enabled on the site. Typically this is only the website.
enableWebEdit: Indicates if WebEdit is enabled on the site. Typically this is only the website.
allowDebug: Must be true to be able to debug the site.

So this disables edit, preview and debug modes for your site, causing it to completely ignore those URL parameters.

Simple as that. I checked a few sites I know to be running on Sitecore and they had the same issue. Go check your site too, maybe you have not disabled this either, an easy one to overlook. It’s worth reviewing the other attributes and disabling as necessary while you are there.
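One way to run that check against the configuration itself, as an added example that is not part of the original post: it reads a merged Sitecore configuration (assumed to be saved from the server, for example from the showconfig admin page), resolves `inherits` by copying the parent site's values (assumed semantics), and lists every site where one of the four flags is not explicitly false. The sample configuration, site names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FLAGS = ("enablePreview", "enableWebEdit", "enableDebugger", "allowDebug")

# Constructed sample of a merged configuration (not taken from a real site).
SAMPLE_CONFIG = """
<sitecore>
  <sites>
    <site name="website" enablePreview="false" enableWebEdit="false"
          enableDebugger="false" allowDebug="false" />
    <site name="brand-a" inherits="website" hostName="a.example" />
    <site name="brand-b" hostName="b.example" enablePreview="true"
          enableWebEdit="false" />
  </sites>
</sitecore>
"""


def effective_flags(sites, name, seen=()):
    """Resolve the four flags for one site, following inherits (assumed semantics)."""
    site = sites.get(name)
    if site is None or name in seen:  # unknown parent or an inherits loop
        return {}
    parent = site.get("inherits")
    values = effective_flags(sites, parent, seen + (name,)) if parent else {}
    for flag in FLAGS:
        if site.get(flag) is not None:  # the site's own attribute wins
            values[flag] = site.get(flag).strip().lower()
    return values


def audit(config_xml, only=None):
    """Return {site name: [flags not explicitly 'false']} for sites with findings."""
    root = ET.fromstring(config_xml)
    sites = {s.get("name"): s for s in root.findall(".//sites/site") if s.get("name")}
    findings = {}
    for name in sites:
        if only and name not in only:
            continue
        values = effective_flags(sites, name)
        # Conservative assumption: an unset flag is reported, not trusted.
        bad = [f for f in FLAGS if values.get(f) != "false"]
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    for site, flags in audit(SAMPLE_CONFIG).items():
        print(f"{site}: not disabled -> {', '.join(flags)}")
```

Pass `only` with the names of your public-facing sites to skip the built-in sites that also appear in a merged configuration.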


Update 10/08/2017

Weird, weird bug. Setting enablePreview="false" breaks cross site links. Instead of the URL, it generates links with /sitecore/content/site/home/etc. So might want to hold off on this one. We’re running Sitecore 8.1 u3 but I have also verified on a clean 8.2 u4 instance. Have raised a Support ticket, ref #490518, will keep you updated on resolution.

Update 2

Sitecore Support got back to me in record time and suggested to set the following to false:

<setting name="Preview.ResolveSite" value="false" />

I have no idea why this would have anything to do with Link generation, but hey ho, seems to resolve this issue for now ¯\_(ツ)_/¯
