Showing posts from January, 2022

Sitecore Hardening - Limiting Access to .XML, .XSLT, and .MRT Files , Issues & how to fix it

During a penetration test, a finding was reported against robots.txt: it disclosed the path of the sitemap.xml file, which lists all the endpoints of the application. In the same vein, sitemap.xml reveals information about the features of the application's private section.

The suggested resolution was to limit access to .xml files, as recommended by Sitecore: https://doc.sitecore.com/xp/en/developers/93/platform-administration-and-architecture/limit-access-to-xml,-xslt,-and-mrt-files.html

However, even after updating web.config with the handlers shown below, the Sitecore website ignored the handlers and continued to process sitemap.xml like a normal request.

    <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>
    <add path="*.xslt