IBM Support

Does Domino Web server use the X-Frame-Options header?

Technote (FAQ)


Does Domino Web server use the X-Frame-Options header?


The X-Frame-Options HTTP response header can be used to help control whether or not a browser can render a page in a <frame> or <iframe>. Admins can use this header to help avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Natively, HTTP responses from the Domino Web server do not include the X-Frame-Options header.

An enhancement request to include this feature natively with Domino Web applications is being tracked under SPR BMKH8MRSPB.


As a workaround, Domino administrators can use Internet Site website header rules to automatically append this header to every HTTP response.

The X-Frame-Options header supports the following values:

SAMEORIGIN – allows only sites from the same domain to frame the page

DENY – prevents any site from framing the page

To use wildcards in the rule document, you must also include the following setting in the notes.ini



Use the new notes.ini feature available starting in 9.0.1FP6:
 HTTPAdditionalRespHeader=X-Frame-Options: SAMEORIGIN

See SPR MKIN9WMUYH for additional details on how to add one custom HTTP header through the server notes.ini.
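
After applying either the header rule or the notes.ini setting, it is worth confirming that every response actually carries the header, since a rule pattern can miss some paths. The following check is an added example, not IBM code; the function names and the sample header lists are constructed for illustration, and it accepts only the two values listed above.

```python
"""Audit the X-Frame-Options header on HTTP responses (added example)."""
import http.client
import sys
from urllib.parse import urlsplit

VALID = {"DENY", "SAMEORIGIN"}  # the two values this technote lists


def audit_xfo(headers):
    """headers: list of (name, value) tuples, as HTTPResponse.getheaders() returns.
    Returns (status, detail); status is 'ok', 'missing', 'invalid' or 'conflict'."""
    raw = [v for n, v in headers if n.lower() == "x-frame-options"]
    # Overlapping rules or a proxy can emit the header twice, sometimes comma-joined.
    values = [p.strip().upper() for v in raw for p in v.split(",") if p.strip()]
    if not values:
        return ("missing", "no X-Frame-Options header")
    bad = [v for v in values if v not in VALID]
    if bad:
        return ("invalid", "unsupported value(s): " + ", ".join(bad))
    if len(set(values)) > 1:
        return ("conflict", "differing values: " + ", ".join(values))
    return ("ok", values[0])


def fetch_headers(url, timeout=10):
    """GET url (redirects are not followed) and return its response headers."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample header sets (not captured from a real server).
SAMPLE_OK = [("Server", "Lotus-Domino"), ("X-Frame-Options", "SAMEORIGIN")]
SAMPLE_MISSING = [("Server", "Lotus-Domino"), ("Content-Type", "text/html")]
SAMPLE_CONFLICT = [("X-Frame-Options", "SAMEORIGIN"), ("x-frame-options", "DENY")]

if __name__ == "__main__":
    # Usage: pass several URLs on your own server, including an error page.
    for url in sys.argv[1:]:
        status, detail = audit_xfo(fetch_headers(url))
        print(f"{status:8} {url}  ({detail})")
```

Run it against several paths on the server, such as a database URL, a static resource and a page that returns an error, and treat anything other than `ok` as a response the rule did not cover.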

Document information

More support for: IBM Domino
Web Server

Software version: 8.5, 9.0

Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 1568598

Modified date: 29 October 2014