Parameter: HTTPDisableXFrameOptions
Short description: Disables automatic setting of the X-Frame-Options response header by the Domino HTTP task.
Profile
Parameter | HTTPDisableXFrameOptions |
Category | HTTP / Web |
Component | Server |
Available since | 9.0 |
Supported versions | 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | Web Site / Internet Site document |
Possible values | 0 = set X-Frame-Options (default, recommended), 1 = do not set |
Description
Domino sets X-Frame-Options: SAMEORIGIN by default to prevent clickjacking via embedding in foreign iframes. In special embedding scenarios (e.g. Notes web parts in a portal), this can be a problem. HTTPDisableXFrameOptions=1 disables the setting of this header by the HTTP task; the application or an upstream reverse proxy then has to provide the protection itself via X-Frame-Options or Content-Security-Policy: frame-ancestors.
Example configuration
HTTPDisableXFrameOptions=0
Notes & pitfalls
- For production, Internet-facing servers, do not leave it permanently at 1 without replacement protection via CSP / reverse proxy.
- Modern browsers prefer Content-Security-Policy: frame-ancestors over X-Frame-Options; ideally configure it in addition.
- Takes effect after an HTTP restart (tell http restart).
- Often confused with embedding requirements from iNotes/Verse integrations; review the use case beforehand.
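
One way to check that the replacement protection described above is really present once HTTPDisableXFrameOptions=1 is set. This is an added example, not part of the original page and not Domino code. The function names, the sample header sets and the host portal.example.com are constructed for illustration.

```python
# Added example: audit one response's headers for framing (clickjacking) protection.
# Function names and the sample header sets are constructed for illustration.

def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP value, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def audit_framing(headers):
    """headers: list of (name, value). Returns (protected: bool, reason: str)."""
    def values(name):
        return [v for n, v in headers if n.lower() == name]

    # Enforced CSP policies that carry frame-ancestors take precedence:
    # browsers that support the directive ignore X-Frame-Options when it is present.
    policies = [fa for fa in map(frame_ancestors, values("content-security-policy"))
                if fa is not None]
    if policies:
        # Every policy must allow the embedder, so one restrictive policy is enough.
        open_sources = {"*", "http:", "https:"}
        if any(not open_sources.intersection(p) for p in policies):
            return True, "CSP frame-ancestors restricts embedding"
        return False, "CSP frame-ancestors allows any origin"

    xfo = {v.strip().upper() for v in values("x-frame-options")}
    if xfo & {"DENY", "SAMEORIGIN"}:
        return True, "X-Frame-Options " + "/".join(sorted(xfo))
    if any(v.startswith("ALLOW-FROM") for v in xfo):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    if any(frame_ancestors(v) is not None
           for v in values("content-security-policy-report-only")):
        return False, "frame-ancestors is report-only and not enforced"
    return False, "no framing protection header present"

# Constructed header sets: Domino default, header disabled, and proxy-supplied CSP.
DOMINO_DEFAULT = [("X-Frame-Options", "SAMEORIGIN")]
DISABLED_NO_REPLACEMENT = [("Content-Type", "text/html")]
PROXY_CSP = [("Content-Security-Policy",
              "default-src 'self'; frame-ancestors 'self' https://portal.example.com")]

if __name__ == "__main__":
    for name, hdrs in [("default", DOMINO_DEFAULT),
                       ("disabled", DISABLED_NO_REPLACEMENT),
                       ("proxy CSP", PROXY_CSP)]:
        print(name, audit_framing(hdrs))
```

Feed it the headers captured from the server or the reverse proxy after the HTTP restart. A permissive frame-ancestors value is reported as unprotected even when X-Frame-Options is also sent.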