Parameter: HTTPEnableConnectorHeaders
Short description: Allows acceptance of connector headers (e.g. $WSRA for reverse-proxy SSO).
Profile
Parameter | HTTPEnableConnectorHeaders |
Category | Security / TLS |
Component | Server |
Available since | R8 |
Supported versions | 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5 |
GUI equivalent | Server document (HTTP → Web Engine) |
Possible values | 0 = disabled (default since security fix), 1 = enabled |
Description
Domino can evaluate so-called connector headers ($WSRA, $WSRH, $WSAT, …) that an upstream reverse proxy or load balancer sets. This makes it possible, for example, to pass the original client IP, a pre-authenticated user name (SSO), or the authentication method used through to Domino.
For security reasons, evaluation is disabled by default – an attacker with direct access to the Domino HTTP port could otherwise assume arbitrary identities by setting these headers.
Example configuration
HTTPEnableConnectorHeaders=1
Notes & pitfalls
- Never enable when the Domino HTTP port is directly reachable from the Internet or the internal network – this would lead to an authentication bypass.
- Only use in combination with a trusted reverse proxy that always sets the headers itself and overwrites any that are already present.
- Required for many Verse, SafeLinx, and single sign-on setups.
- Default value after the security hotfix is 0 – do not set it to 1 blindly.
- The change only takes effect after a restart of the HTTP task.
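The header handling that the trusted reverse proxy in the notes above has to perform, shown as an added Python example (not code from this page or from HCL): every connector header that arrives with the request is dropped, and only values the proxy determined itself are forwarded. The names `sanitize_headers` and `is_connector_header` are hypothetical, matching on the `$WS` prefix is an assumption based on the three headers the page lists, and the sample request is constructed.

```python
# Added example (not HCL or page code): what a trusted reverse proxy must do
# with connector headers before a request reaches Domino.
# Assumption: all connector header names start with "$WS"; the page lists
# $WSRA, $WSRH, $WSAT and elides the rest.
CONNECTOR_PREFIX = "$ws"


def is_connector_header(name):
    """HTTP header names are case-insensitive, so compare in lower case."""
    return name.strip().lower().startswith(CONNECTOR_PREFIX)


def sanitize_headers(client_headers, trusted):
    """Drop every incoming connector header, then add the proxy's own.

    client_headers: list of (name, value) pairs as received from the client.
    trusted: dict of connector headers whose values the proxy determined itself.
    Returns (headers_to_forward, dropped); `dropped` is worth logging, because
    a normal browser never sends these headers.
    """
    forward, dropped = [], []
    for name, value in client_headers:
        (dropped if is_connector_header(name) else forward).append((name, value))
    for name, value in trusted.items():
        if not is_connector_header(name):
            raise ValueError(f"not a connector header: {name!r}")
        if "\r" in value or "\n" in value:
            raise ValueError(f"line break in value for {name!r}")
        forward.append((name, value))
    return forward, dropped


# Constructed sample: a request that already carries connector headers
# when it reaches the proxy.
SAMPLE_REQUEST = [
    ("Host", "mail.example.test"),
    ("$wsra", "10.0.0.1"),
    ("$WSAT", "Basic"),
    ("Cookie", "session=abc"),
]

if __name__ == "__main__":
    forward, dropped = sanitize_headers(SAMPLE_REQUEST, {"$WSRA": "203.0.113.7"})
    print("forwarded:", forward)
    print("dropped  :", dropped)
```

A non-empty `dropped` list means something upstream of the proxy supplied connector headers, which is a useful event to alert on.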