SharePoint 2016 Central Admin - Security - Manage Web Part Security

When you click the 'Manage web part security' link, you land on the Security for Web Part Pages page. This page allows you to manage the Web part security settings for the pages.

Direct link to the Security for Web Part Pages settings page: /_admin/SPSecuritySettings.aspx

Web parts are the key components of SharePoint; every page contains Web parts. Users can customize these Web parts, reuse them, create connections between sites, or use them in other ways. If there are no checks and balances on Web parts, you open the door for a hacker to attack your farm, or your farm's performance suffers.

As SharePoint administrators, it is our responsibility to secure the SharePoint environment. To secure the environment, we have to manage Web part security, which includes allowing or disallowing Web part connections, downloading Web parts from the online Web part galleries, and allowing scriptable Web parts.

In Central Admin, we can manage these settings for each Web application. The settings apply at the Web application level, which means all the site collections in that Web application share the same settings. If you have more than one Web application, you have to configure each Web application separately.

Configuration Options

There are 3 configuration options on the Security for Web Part Pages page.

  1. Web part connections
    In SharePoint, we can create a connection between Web parts to display data from the source in the destination. Many operations can be performed using the Web part connection option, but we have to make the decision carefully. If the Web parts are not secured properly, malicious information can be passed from the source to the destination. Another issue with enabling this option is that it also impacts performance.

  2. Online Web part gallery
    Enabling this option will allow the user to download Web parts from the online galleries. There is one requirement with which you are able to connect to the online gallery, but I am against this option, as the customer can download any Web part, which can cause major issues in your farm; a fake 3rd-party Web part can contain malicious code, which can attack your farm. I would disable this option and then download the Web part if the need arises, and test and verify it before deploying it to the farm.

  3. Scriptable web parts
    This will allow the developer to add or edit a scriptable Web part. They can write code that executes in the browser. This option decides whether or not we allow contributors to add scriptable Web parts, i.e., the Content Editor Web part.

Configure the settings

To configure the settings, please follow the below steps.

  • Log in to Central Admin with an account that is a member of the farm administrators group.
  • On the Security for Web Part Pages page, enter the following details:

    1. Select the correct Web application for which you want to configure the Web part security.
    2. Web part connections - Select whether to allow users to create connections between Web parts, or to prevent users from creating connections between Web parts, which helps to improve security and performance.
    3. Online Web part gallery - Select whether to allow users to access the Online Web part gallery, or to prevent users from accessing the Online Web part gallery, which helps to improve security and performance.
    4. Scriptable Web parts - Select whether to allow contributors to add or edit scriptable Web parts, or to prevent contributors from adding or editing scriptable Web parts.
    5. Click OK to save the configuration.

Sometimes, we don’t know the default settings. We can use the Restore Defaults option, which is available on the page.
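
Because these settings are stored per Web application, it helps to review all Web applications at once from the SharePoint Management Shell. The script below is an added example, not part of the original article; it assumes the three options on the page correspond to the SPWebApplication properties named in the comments, and the function names and the all-disabled baseline are choices made for this example.

```powershell
# Added example: audit the three Web part security settings on every Web application.
# Run in the SharePoint 2016 Management Shell as a farm administrator.
# Assumption: the Central Admin options map to these SPWebApplication properties.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WebPartSecurityReport {
    # Returns one object per Web application with the three settings
    # and a list of the options that are currently enabled.
    foreach ($wa in Get-SPWebApplication) {
        $settings = [ordered]@{
            'Web part connections'    = $wa.AllowPartToPartCommunication
            'Online Web part gallery' = $wa.AllowAccessToWebPartCatalog
            'Scriptable Web parts'    = $wa.AllowContributorsToEditScriptableParts
        }
        $enabled = @($settings.GetEnumerator() | Where-Object { $_.Value } | ForEach-Object { $_.Key })
        [pscustomobject]@{
            WebApplication = $wa.Url
            Connections    = $settings['Web part connections']
            OnlineGallery  = $settings['Online Web part gallery']
            ScriptableWP   = $settings['Scriptable Web parts']
            EnabledOptions = $enabled -join '; '
        }
    }
}

function Set-WebPartSecurityBaseline {
    # Applies a restrictive baseline (example choice) to one Web application.
    # Use -WhatIf to see what would change without saving anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [bool]$AllowConnections = $false,
        [bool]$AllowOnlineGallery = $false,
        [bool]$AllowScriptableParts = $false
    )
    $wa = Get-SPWebApplication -Identity $Url -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($wa.Url, 'Update Web part security settings')) {
        $wa.AllowPartToPartCommunication           = $AllowConnections
        $wa.AllowAccessToWebPartCatalog            = $AllowOnlineGallery
        $wa.AllowContributorsToEditScriptableParts = $AllowScriptableParts
        $wa.Update()   # persist the change to the configuration database
    }
}

Get-WebPartSecurityReport | Format-Table -AutoSize
```

To preview a change for a single Web application, call Set-WebPartSecurityBaseline with its URL (for example the placeholder 'http://sharepoint.example') and -WhatIf; pass $true for any option that Web application genuinely needs.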