WCM tip #26: Disallow Master Page override

When building public-facing websites with SharePoint 2013 you should disallow anonymous users from overriding the Master Page on your website.

One of the new capabilities provided with SharePoint 2013 are Composed Looks. With Composed Looks you can change the look and feel of your website. When specifying a composed look for your website you can select a Master Page. Before you apply it, SharePoint 2013 allows you to preview it first. This is great, as it allows you to ensure that the look you are going to apply is the look that you want, except for the fact that by manipulating the URL of your public-facing website your visitors can apply another Master Page to your website as well!

The bad news is that there is no way in SharePoint 2013 to disable the Master Page preview capability available out of the box. If you would like to preserve the capability for your webmasters and only disallow your visitors from using it, you would need to develop a custom HTTP Module that would dynamically allow access to this functionality. If you don’t care for using it at all, you might use a simple IIS URL Rewrite rule that would disallow including this query string parameter in the URL.