By default, each StoreFront 6.0 web store contains CompileSite.aspx and ReloadXML.aspx pages in its root folder. One of these pages -- ReloadXML.aspx -- is used to reload the server-resident in-memory XML document that stores some of the data used by the web store, while the other -- CompileSite.aspx -- is used to compile the .vb files which reside in the web store, making them a part of the site's StoreFront.DLL assembly.
These files are openly browsable by default, which has caused some users to speculate that they may represent a security risk. This article is intended to address these concerns.
Securing ReloadXML.aspx
In actuality, ReloadXML.aspx does not represent a security risk. The file can be called to reload the XML document used by StoreFront 6 web stores as a storage area for some data items; however, the resources required to process this request are not so great as to severely affect the performance of the server hosting the page. Nor does reloading the store's XML have any effect on the shopping sessions of users currently browsing the store.
Securing CompileSite.aspx
When CompileSite.aspx is called, it compiles the .vb files which reside in the store, adding them to the StoreFront.DLL assembly. This is a comparatively resource intensive operation. Any users browsing the store at the time when the compilation is performed will also lose their shopping sessions and will be required to start over. For these reasons, it may be worthwhile for web store owners to take one of the following measures to limit access to this file:
Rename CompileSite.aspx: you can rename CompileSite.aspx to something more obscure, ensuring that only users who know the name of the file can access it.
Password-protect CompileSite.aspx: your host can configure the permissions on this file to require users to authenticate before they will be allowed to access it.
Either of these steps will greatly reduce the likelihood that an unauthorized user will be able to access CompileSite.aspx.
Note: renaming or password-protecting CompileSite.aspx will remove your ability to use the Compile Components option from the StoreFront 6.0 menu of Dreamweaver or FrontPage. Instead, you must view CompileSite.aspx in a browser to compile your store's .vb files.
