How To Disable Access To The Episerver Backend Edit/Admin Screens

It is very common to run Episerver in a load-balanced environment with a master/slave configuration. On the slaves/live web boxes, it's usually a good idea to disable access to the Episerver editor.

A few people have blogged over the years about how to disable certain config settings. However, there is an easier approach: add a rule using URL Rewrite that returns a 404 any time anyone tries to access the editor. That rule would look like this:

  <rule name="Restrict Episerver access" stopProcessing="true">
    <match url="^episerver/?.*" />
    <action type="CustomResponse" statusCode="404" />
  </rule>

The rule says that any request to /episerver, or to anything after it, returns a 404.

Security-wise this is good, as no one will be able to figure out if the site uses Episerver. As you can see by the rule, Also, the other benefit of this is that your continuous integration build process stays similar, as you'll only need to transform a single variable.

In my example, my web.config would look like this in development:

    <rules configSource="" />


After a CI transformation takes place, it will look like this on the live boxes:

    <rules configSource="rewriterules.config" />

I'd add the rule listed above to a file called rewriterules.config and check it into source control. It's as simple as that!
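Before shipping rewriterules.config to the live boxes, it is worth checking which request paths the rule actually catches. The script below is an added example, not part of the original post: it parses the rule and evaluates constructed sample URLs the way URL Rewrite does (path without leading slash or query string, case-insensitive by default), using Python's `re` as a stand-in for the .NET regex engine. The stricter pattern and the sample URLs are assumptions; the comparison shows that the original pattern also returns 404 for any public URL that merely starts with "episerver".

```python
import re
import xml.etree.ElementTree as ET

# The page's rule, wrapped in <rules> as it would sit in rewriterules.config.
PAGE_RULES = """<rules>
  <rule name="Restrict Episerver access" stopProcessing="true">
    <match url="^episerver/?.*" />
    <action type="CustomResponse" statusCode="404" />
  </rule>
</rules>"""

# Assumption (not from the page): a stricter pattern that requires "/" or the
# end of the path directly after "episerver".
STRICT_RULES = PAGE_RULES.replace("^episerver/?.*", "^episerver(/.*)?$")

# Constructed request URLs; /episerver-news stands in for a public page.
SAMPLE_URLS = ["/episerver", "/EPiServer/CMS/", "/episerver/cms/admin?id=5",
               "/episerver-news", "/about-us", "/blog/episerver-tips"]


def load_rules(config_xml):
    """Return (name, compiled pattern, status) for each CustomResponse rule."""
    rules = []
    for rule in ET.fromstring(config_xml).iter("rule"):
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None or action.get("type") != "CustomResponse":
            continue
        # URL Rewrite patterns are case-insensitive unless ignoreCase="false".
        flags = 0 if match.get("ignoreCase", "true") == "false" else re.IGNORECASE
        rules.append((rule.get("name"), re.compile(match.get("url"), flags),
                      int(action.get("statusCode"))))
    return rules


def response_for(rules, request_url):
    """Status the first matching rule returns, or None if the request passes."""
    # The match url input is the path without leading slash or query string.
    path = request_url.split("?", 1)[0].lstrip("/")
    for _name, pattern, status in rules:
        if pattern.search(path):
            return status
    return None


if __name__ == "__main__":
    page, strict = load_rules(PAGE_RULES), load_rules(STRICT_RULES)
    for url in SAMPLE_URLS:
        print(f"{url:28} page={response_for(page, url)} strict={response_for(strict, url)}")
```
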


Jon D Jones
