IBM Support

Does Domino Web server use the X-Frame-Options header?

Technote (FAQ)


Question

Does Domino Web server use the X-Frame-Options header?

Cause

The X-Frame-Options HTTP response header can be used to help control whether or not a browser can render a page in a <frame> or <iframe>. Admins can use this header to help avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Natively, HTTP responses from the Domino Web server do not include the X-Frame-Options header.

An enhancement request to include this feature natively with Domino Web applications is being tracked under SPR BMKH8MRSPB.


Answer

As a workaround, Domino administrators can use Internet Site website header rules to automatically append this header to every HTTP response.


The X-Frame-Options header supports the following values:

SAMEORIGIN – allows only sites from the same domain to frame the page
DENY – prevents any site from framing the page

To use wildcards in the rule document, you must also include the following setting in notes.ini:

HTTPAllowRedirectWildcards=1


OR


Use the notes.ini setting available starting in 9.0.1FP6:

HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN

See SPR MKIN9WMUYH for additional details on how to add one custom HTTP header with a server notes.ini setting.
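
To confirm that the header actually reaches clients after either workaround, the following added example (not IBM's code) audits captured response heads and a notes.ini fragment. The sample responses and notes.ini text are constructed, the function names are hypothetical, and matching the notes.ini key without regard to case is an assumption of the example.

```python
# Added example: audit X-Frame-Options in Domino HTTP responses and notes.ini.
ALLOWED = {"DENY", "SAMEORIGIN"}  # the two values listed in this technote

def xfo_values(raw_response):
    """Return every X-Frame-Options value found in a raw HTTP response head."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":  # names are case-insensitive
            # one header line may carry a comma-separated list of values
            values += [v.strip().upper() for v in value.split(",")]
    return values

def audit(raw_response):
    """Classify a response as OK, MISSING, INVALID or CONFLICT."""
    values = xfo_values(raw_response)
    if not values:
        return "MISSING"
    if any(v not in ALLOWED for v in values):
        return "INVALID"
    if len(set(values)) > 1:  # more than one distinct value is ambiguous
        return "CONFLICT"
    return "OK"

def ini_header(notes_ini):
    """Return (name, value) from HTTPAdditionalRespHeader, or None if unset."""
    for line in notes_ini.splitlines():
        key, sep, setting = line.strip().partition("=")
        if sep and key.strip().lower() == "httpadditionalrespheader":  # assumption: case-insensitive key
            name, _, value = setting.partition(":")
            return name.strip(), value.strip()
    return None

# Constructed sample data, not captured from a real server.
HEAD = "HTTP/1.1 200 OK\r\nServer: Lotus-Domino\r\n"
SAMPLES = {
    "fixed": HEAD + "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "native": HEAD + "\r\n<html>",
    "typo": HEAD + "X-Frame-Options: SAME-ORIGIN\r\n\r\n",
    "double": HEAD + "x-frame-options: DENY\r\nX-Frame-Options: sameorigin\r\n\r\n",
}
NOTES_INI = "HTTPAllowRedirectWildcards=1\nHTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN\n"

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit(raw))
    print(ini_header(NOTES_INI))
```

A MISSING result on any URL means the rule or notes.ini setting is not being applied to that response; INVALID usually indicates a misspelled value in the rule document or notes.ini.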

Related information

SPR MKIN9WMUYH

Document information

More support for: IBM Domino
Web Server

Software version: 8.5, 9.0

Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 1568598

Modified date: 29 October 2014