Harden Security for your Sitecore Client Applications

tl;dr; Ensure you include an Assert.CanRunApplication(“/path-to-application”) check in your custom application to enforce security

Have you created any customs application in Sitecore? Do you use Sitecore Roles to restrict access to those applications?

Often only certain roles should have access to certain pieces of functionality, which is fairly standard requirement, and a common way to restrict access to applications is to remove Read access to the item in the Core Database.

Take for example default out of the box Sitecore applications such as the Indexing Manager. Your average author really should not have access to this more developer centric functionality. And if they did, then nothing too bad could happen, they’d just be able to kick off the re-indexing process. Nothing too bad, but it would be both unexpected and use up server resources for no particular reason.

Read More