Parameter: HTTPDisableAuthBasic
Short description: Disables HTTP Basic Authentication on the Domino HTTP task, so that only session-/form-/SSO-based authentication remains possible.
Profile
Parameter | HTTPDisableAuthBasic |
Category | HTTP / Web |
Component | Server |
Available since | 12.0 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | Web Site / Internet Site document |
Possible values | 0 = Basic Auth allowed (default), 1 = disabled |
Description
HTTP Basic Authentication transmits username and password on every request – Base64-encoded, but not encrypted. This enlarges the attack surface for credential sniffing and makes replay attacks easier.
HTTPDisableAuthBasic=1 turns off Basic Auth on the HTTP task; what remains is session login (cookie) and SSO mechanisms such as LTPA, SAML, or OIDC.
Example configuration
HTTPDisableAuthBasic=1
Notes & pitfalls
- Applications that use Basic Auth via curl, REST clients, or older Notes/iNotes components will break – inventory beforehand.
- Reverse proxies / load balancers that terminate Basic Auth themselves remain unaffected, provided they pass SSO/session to the Domino server behind them.
- The Domino REST API and Notes Traveler support token/session-based authentication; plan migration beforehand.
- Takes effect after an HTTP restart (tell http restart).
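To check the setting across several servers, the following added example (not part of the original page or of any product tooling) audits collected notes.ini text for `HTTPDisableAuthBasic`. The server names, sample file contents and function names are constructed; matching the parameter name case-insensitively and reporting contradictory duplicate lines as a conflict are assumptions of this example.

```python
PARAM = "HTTPDisableAuthBasic"

def audit_basic_auth(ini_text):
    """Classify the HTTPDisableAuthBasic setting found in notes.ini text.

    Returns (status, values) where status is one of:
      'disabled'        - set to 1, Basic Auth is turned off
      'allowed'         - explicitly set to 0
      'default-allowed' - line absent; the documented default is 0
      'invalid'         - value is neither 0 nor 1
      'conflict'        - several lines with different values
    """
    values = []
    for line in ini_text.splitlines():
        name, sep, value = line.partition("=")
        # Assumption: parameter names are compared case-insensitively.
        if sep and name.strip().lower() == PARAM.lower():
            values.append(value.strip())
    if not values:
        return "default-allowed", values
    if len(set(values)) > 1:
        return "conflict", values
    if values[0] == "1":
        return "disabled", values
    if values[0] == "0":
        return "allowed", values
    return "invalid", values

def needs_action(ini_by_server):
    """Return the sorted names of servers whose file does not disable Basic Auth."""
    return sorted(
        server for server, text in ini_by_server.items()
        if audit_basic_auth(text)[0] != "disabled"
    )

# Constructed sample files, one per hypothetical server.
SAMPLES = {
    "mail01": "[Notes]\nKitType=2\nHTTPDisableAuthBasic=1\n",
    "app02": "[Notes]\nKitType=2\n",
    "app03": "[Notes]\nhttpdisableauthbasic = 0\n",
    "web04": "HTTPDisableAuthBasic=1\nHTTPDisableAuthBasic=0\n",
    "web05": "HTTPDisableAuthBasic=yes\n",
}

if __name__ == "__main__":
    for server, text in sorted(SAMPLES.items()):
        print(server, *audit_basic_auth(text))
    print("needs action:", needs_action(SAMPLES))
```

A 'disabled' result only describes the file: the value takes effect after the HTTP restart noted above, so a server that was edited but not restarted still needs follow-up.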