Tuesday, January 8, 2013

SharePoint 2010 Enterprise Search | SharePoint Crawl Exceptional Behaviour

Security issues to take care of when configuring SharePoint Search for public-facing portals - SharePoint
When the search crawler (which calls SPSCrawl.asmx and sitedata.asmx) reaches a site, how does it know whether it is a SharePoint site or an ordinary website?

Microsoft defines a custom response header on SharePoint web applications. Name: MicrosoftSharePointTeamServices; value such as: 14.0.0.4762

This header tells the crawler to treat the target as a SharePoint site and to dig down to item level in SharePoint lists.



What if this custom header is removed on the target? The search crawler will then crawl up to list level only. If you watch a site collection crawl in Fiddler, you will see that the crawler makes no calls to SPSCrawl.asmx or sitedata.asmx. The search crawl no longer treats this web application as a SharePoint website.
So to make your site secure, you want to keep these custom headers away from attackers, yet the search crawler needs them.
There is a way out: target your search crawl at a different web application than the public-facing one. On the public-facing website, use <clear /> under the HTTP response headers to hide internal server information from the outside world.
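An added example (not from the original post): a small Python check for the split setup described above, run over constructed response heads. The function names, the "public"/"crawl" role labels and the X-Powered-By / X-AspNet-Version entries are assumptions of this example; the post names only MicrosoftSharePointTeamServices.

```python
SP_HEADER = "microsoftsharepointteamservices"
# Other version-revealing headers commonly sent by IIS/ASP.NET. Included as an
# assumption of this example; the post only names the SharePoint header.
OTHER_DISCLOSING = ("x-powered-by", "x-aspnet-version")


def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased-name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # [1:] skips the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(role, raw):
    """Return findings for a 'public' or 'crawl' web application response."""
    if role not in ("public", "crawl"):
        raise ValueError("role must be 'public' or 'crawl'")
    h = parse_headers(raw)
    findings = []
    if role == "public":
        if SP_HEADER in h:
            findings.append("public site discloses SharePoint build " + h[SP_HEADER])
        for name in OTHER_DISCLOSING:
            if name in h:
                findings.append("public site discloses " + name + ": " + h[name])
    elif SP_HEADER not in h:
        findings.append("crawl target lacks MicrosoftSharePointTeamServices; "
                        "crawler will stop at list level")
    return findings


# Constructed sample responses (not captured from a real server).
PUBLIC_LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "microsoftsharepointteamservices: 14.0.0.4762\r\n"  # names are case-insensitive
    "X-Powered-By: ASP.NET\r\n\r\n"
)
PUBLIC_CLEAN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
CRAWL_OK = "HTTP/1.1 200 OK\r\nMicrosoftSharePointTeamServices: 14.0.0.4762\r\n\r\n"

if __name__ == "__main__":
    for role, raw in (("public", PUBLIC_LEAKY), ("public", PUBLIC_CLEAN),
                      ("crawl", CRAWL_OK), ("crawl", PUBLIC_CLEAN)):
        print(role, audit(role, raw) or "ok")
```

The last case shows the failure mode from the post: if the crawl target also has its headers cleared, the crawler no longer treats it as a SharePoint site.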


4 comments:

  1. How does the customHeaders child element "<clear />" screw up SharePoint out-of-the-box features? >>>
    It removes the custom header defined by Microsoft on SharePoint web applications: Name: MicrosoftSharePointTeamServices; Value: 14.0.0.4762
  2. http://sharepoint.asia/my-website-does-not-work-well-with-newly-released-version-of-ie/
  3. Want to hide application pages on a public-facing portal? http://sharepoint.asia/user-policy-to-restrict-form-authentication-users-from-visiting-application-pages-like-viewlsts-aspx/
  4. […] may never want to expose underlying framework information through headers. Plan for that during initial stages, if it is a public-facing site […]