Parameter: DOMINO_CSP_POLICY

Short description: Specific value of the Content-Security-Policy header that Domino delivers when DOMINO_ENABLE_CSP=1 is active.

Profile
| Property | Value |
| --- | --- |
| Parameter | DOMINO_CSP_POLICY |
| Category | Security / TLS |
| Component | Server |
| Available since | 12.0 |
| Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
| GUI equivalent | notes.ini only (no GUI) |
| Possible values | CSP directive string, e.g. `default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'` |
Description
DOMINO_CSP_POLICY defines the exact content of the Content-Security-Policy HTTP header that the Domino HTTP stack adds to every response once DOMINO_ENABLE_CSP=1 is set. CSP is a central protection mechanism against XSS, clickjacking, and data exfiltration: the browser receives an allowlist of permitted sources for scripts, styles, frames, images, fonts, etc., and refuses to load anything else.

The policy must fit the applications in use (classic Domino web, XPages, Verse, custom apps) – rules that are too strict block legitimate functions, while rules that are too lax devalue the protection.
Example configuration
```ini
DOMINO_ENABLE_CSP=1
DOMINO_CSP_POLICY=default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'
```
Notes & pitfalls
- Only takes effect if `DOMINO_ENABLE_CSP=1` is also set.
- Takes effect after `restart task http`.
- For XPages/Verse, `'unsafe-inline'` and `'unsafe-eval'` are often necessary – test incrementally with `Content-Security-Policy-Report-Only`.
- If a reverse proxy is in front, check whether the proxy already sets the header – a duplicate header leads to unexpected browser behavior.
- Complements `DOMINO_HSTS_HEADER`, `DOMINO_X_CONTENT_TYPE_OPTIONS`, `DOMINO_REFERRER_POLICY`.
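The pitfalls above can be checked against a captured response. The following Python audit is an added example, not part of this page or of HCL's tooling: it parses the directive string that DOMINO_CSP_POLICY produces, flags a duplicate Content-Security-Policy header (the reverse-proxy case), a missing `frame-ancestors` directive, and `'unsafe-inline'`/`'unsafe-eval'` in `script-src` or `default-src`. The header list, including the `Server` value, is constructed sample data.

```python
"""Audit the Content-Security-Policy headers of one HTTP response.

Added example (not HCL code). Input is a list of (name, value) header
pairs as captured from a response; the sample below is constructed.
"""
from typing import Dict, List, Tuple

# Constructed sample: Domino behind a reverse proxy that also sets CSP.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Server", "Lotus-Domino"),
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'unsafe-inline'; "
     "style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'"),
    ("Content-Security-Policy", "default-src 'self'"),  # duplicate set by the proxy
    ("Strict-Transport-Security", "max-age=31536000"),
]

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [sources]}; directives are ';'-separated."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit_csp(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for the CSP headers of one response (empty list = clean)."""
    findings: List[str] = []
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    report_only = [v for n, v in headers
                   if n.lower() == "content-security-policy-report-only"]
    if not csp and not report_only:
        return ["no Content-Security-Policy header: DOMINO_ENABLE_CSP=1 not set or http not restarted?"]
    if len(csp) > 1:
        findings.append(f"{len(csp)} Content-Security-Policy headers: proxy and Domino both set it")
    for policy in csp:
        d = parse_csp(policy)
        if "frame-ancestors" not in d:
            findings.append("frame-ancestors missing: no clickjacking protection")
        for directive in ("script-src", "default-src"):
            for weak in ("'unsafe-inline'", "'unsafe-eval'"):
                if weak in d.get(directive, []):
                    findings.append(f"{directive} allows {weak}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_csp(SAMPLE_HEADERS)) or "CSP looks consistent")
```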