Parameter: DOMINO_ENABLE_CSP
Short description: Enables sending of the Content-Security-Policy header by the Domino HTTP stack (counterpart to HSTS).
Profile
Parameter | DOMINO_ENABLE_CSP |
Category | Security / TLS |
Component | Server |
Available since | 12.0 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = no CSP header (default), 1 = send CSP header (value from DOMINO_CSP_POLICY) |
Description
DOMINO_ENABLE_CSP is the master switch for the Content-Security-Policy (CSP) header in the Domino HTTP stack. With a value of 1, Domino adds the CSP header defined in DOMINO_CSP_POLICY to every HTTP response. CSP is a browser-side protection against XSS, clickjacking and content injection: the browser loads scripts, frames and other resources only from the sources the policy explicitly lists.

The header is set generically for all content delivered by the Domino HTTP stack (classic web, XPages, REST, Verse). If an upstream reverse proxy already sets a CSP header, leave this parameter at 0 and maintain the policy on the proxy.
Example configuration
DOMINO_ENABLE_CSP=1
DOMINO_CSP_POLICY=default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'
Notes & pitfalls
- Without DOMINO_CSP_POLICY set, an empty or default header is sent; always configure both parameters.
- The example policy above allows 'unsafe-inline' in script-src. That re-enables inline scripts and removes most of CSP's XSS protection; treat it as a starting point and tighten it once you know which scripts and resources your applications actually load.
- Takes effect after restart task http.
- For testing, first deliver the policy as Content-Security-Policy-Report-Only (via the reverse proxy) and review the violation reports before hard-enabling it in production.
- With an upstream reverse proxy, set the policy either here or there, never in both: browsers enforce every CSP header they receive, so a resource must be permitted by all of them, and two differing policies produce a combined restriction that is hard to debug.
- Complements DOMINO_HSTS_HEADER, DOMINO_X_CONTENT_TYPE_OPTIONS, DOMINO_REFERRER_POLICY and DOMINO_PERMITTED_CROSS_DOMAIN_POLICIES.
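The following checker is an added example and not part of the Domino documentation or product. It parses a CSP value of the kind you would put into DOMINO_CSP_POLICY and flags the pitfalls listed above: a missing or empty header, duplicate headers from Domino plus a reverse proxy, 'unsafe-inline' in script-src, and a policy without frame-ancestors. The sample response headers are constructed for the example; the optional live check at the bottom assumes a host name passed on the command line.

```python
"""Check the Content-Security-Policy header(s) of an HTTP response.

Added example, not Domino code. parse_csp() splits a policy string into
directives; check_csp_headers() reports the pitfalls from the notes above.
"""
from __future__ import annotations

import http.client
import sys
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Source keywords in script-src that undo most of CSP's XSS protection.
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source, ...]}.

    Directives are separated by ';' and tokens by whitespace. Directive names
    are case-insensitive, so they are lower-cased. If a directive appears twice
    in one policy the first occurrence wins, as in browsers (later duplicates
    are ignored).
    """
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def check_csp_headers(headers: Headers) -> List[str]:
    """Return findings for the CSP headers in a (name, value) header list."""
    findings: List[str] = []
    values = [v for name, v in headers if name.lower() == "content-security-policy"]
    if not values:
        findings.append("no Content-Security-Policy header (DOMINO_ENABLE_CSP=0 or header removed upstream)")
        return findings
    if len(values) > 1:
        # Browsers enforce every policy they receive; a resource must pass all of them.
        findings.append(f"{len(values)} Content-Security-Policy headers: set the policy on Domino or the proxy, not both")
    for value in values:
        if not value.strip():
            findings.append("empty Content-Security-Policy header (DOMINO_CSP_POLICY not set)")
            continue
        directives = parse_csp(value)
        if "default-src" not in directives:
            findings.append("no default-src: fetch directives without an explicit entry fall back to allow-all")
        # script-src inherits from default-src when absent.
        script_src = directives.get("script-src", directives.get("default-src", []))
        risky = sorted(RISKY_SOURCES & set(script_src))
        if risky:
            findings.append(f"script-src allows {', '.join(risky)}: most XSS protection is lost")
        if "frame-ancestors" not in directives:
            findings.append("no frame-ancestors: page can be framed (clickjacking)")
    return findings


def fetch_headers(host: str, path: str = "/", port: int = 443) -> Headers:
    """GET a page over HTTPS and return its raw response headers (live check)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
SAMPLE_OK = [("Content-Type", "text/html"),
             ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")]
SAMPLE_DOC_EXAMPLE = [("Content-Security-Policy",
                       "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'self'")]
SAMPLE_DUPLICATE = [("Content-Security-Policy", "default-src 'self'"),            # from Domino
                    ("Content-Security-Policy", "default-src 'self' https://cdn.example.com")]  # from proxy
SAMPLE_EMPTY = [("Content-Security-Policy", "")]
SAMPLE_NONE = [("Content-Type", "text/html")]

if __name__ == "__main__":
    samples = {"ok": SAMPLE_OK, "doc example": SAMPLE_DOC_EXAMPLE,
               "duplicate": SAMPLE_DUPLICATE, "empty": SAMPLE_EMPTY, "none": SAMPLE_NONE}
    if len(sys.argv) > 1:  # e.g. python csp_check.py domino.example.com
        samples["live " + sys.argv[1]] = fetch_headers(sys.argv[1])
    for label, hdrs in samples.items():
        print(f"[{label}]")
        for finding in check_csp_headers(hdrs) or ["no findings"]:
            print("  -", finding)
```

Run it against a Domino host after `restart task http` to confirm that exactly one CSP header arrives and that the policy you set in DOMINO_CSP_POLICY is the one the browser will enforce, not a leftover from the proxy.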