Protecting your Domino servers from clickjacking attacks
Clickjacking is an attack that can be used against any web application, including Domino. The attacker loads the target site inside an iframe on a page they control and lays their own content over it, so a user who is already logged in to the target site and thinks they are clicking the attacker's page is actually clicking links or buttons on the target site. Here is how it applies to a Domino web site.
For example, let's say users connect to the mail server via the URL https://mail.companyxyz.com.
Unless the server tells browsers otherwise, any third-party page can embed that site with an iframe such as <iframe src="https://mail.companyxyz.com/" width="500" height="500"></iframe>
The way you mitigate this attack depends on the release level of the Domino server. In both cases the goal is the same: have the HTTP task send the X-Frame-Options response header with the value SAMEORIGIN, which tells browsers to refuse to render the site inside a frame on any other origin. SAMEORIGIN (rather than DENY) still lets pages on https://mail.companyxyz.com frame each other, which Domino's own web applications rely on, while blocking every other origin.
For servers running 9.0.1 FP6 or higher, a notes.ini variable can be set (see the technote referenced at the end of this post). It only requires the HTTP task to be stopped and restarted for the change to take effect.
For servers running earlier versions of Domino, switch the server to Internet Site documents and create a Web Site Rule that adds a custom response header, X-Frame-Options, with the value SAMEORIGIN.
If you haven't enabled Internet Sites on the server, edit the Server document and set the field 'Load Internet configurations from Server\Internet Sites documents' to "Enabled".
Next, create a Web Site document, specifying the values appropriate for your site. In the Web Site document, click Web Site -> Create Rule and select "HTTP response headers" for 'Type of rule'. Under 'Custom headers', enter "X-Frame-Options" as the Name and "SAMEORIGIN" as the Value, and place a checkmark next to "Override" so the rule's value takes precedence over any header of the same name the application itself sends.
Whether you set the notes.ini variable on a 9.0.1 FP6 or higher server or added the header through a Web Site Rule in an Internet Site document, stop and restart the HTTP task (for example with restart task http at the server console) for the clickjacking protection to take effect. Afterwards, confirm that responses from the server carry the X-Frame-Options header; a rule that was saved but never loaded protects nothing.
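To check the result after the HTTP restart, and to see why the iframe example above works against a server that sends no header, here is an added example that is not from the original post or from IBM/HCL: a Python script that takes the raw response headers of a page (the output of curl -sI https://mail.companyxyz.com/ has exactly this shape) and decides whether a page on another origin may frame it, following the rules browsers apply to X-Frame-Options (DENY, SAMEORIGIN, repeated or conflicting values, and the obsolete ALLOW-FROM, which current browsers ignore). The sample responses and the attacker origin https://evil.example are constructed. The Content-Security-Policy frame-ancestors handling goes beyond the post, which only covers X-Frame-Options; it is included because a frame-ancestors directive makes browsers ignore X-Frame-Options entirely, and is simplified to 'none', 'self' and exact origins.

```python
"""Decide whether a Domino (or any) HTTP response may be framed by another origin.

Added example, not from the original post. Mirrors the browser-side check
defined in the HTML Standard for X-Frame-Options plus a simplified CSP
frame-ancestors check. All sample responses below are constructed.
"""
from urllib.parse import urlsplit


def origin_of(url):
    """Return scheme://host[:port] for url, the browser's notion of origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def parse_headers(raw):
    """Parse raw HTTP/1.x response text into a list of (name, value) pairs.

    A list rather than a dict: a repeated X-Frame-Options header changes how
    browsers interpret the response, so duplicates must be preserved.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    pairs = []
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            break                   # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def header_values(pairs, name):
    """All values of header `name`, split on commas and lower-cased."""
    values = []
    for n, v in pairs:
        if n == name:
            values.extend(p.strip().lower() for p in v.split(",") if p.strip())
    return values


def framing_allowed(raw_response, page_url, framer_origin):
    """True if a page at framer_origin may embed page_url in an iframe.

    Order of evaluation, as browsers do it:
      1. A CSP frame-ancestors directive wins and X-Frame-Options is ignored
         (simplified here to 'none', 'self' and exact origins).
      2. No X-Frame-Options header: anyone may frame the page.
      3. Several differing X-Frame-Options values: ignored unless one is DENY.
      4. DENY blocks everyone; SAMEORIGIN blocks every other origin.
      5. Anything else (ALLOW-FROM, typos) is ignored, so it protects nothing.
    """
    pairs = parse_headers(raw_response)
    page_origin = origin_of(page_url)
    framer_origin = framer_origin.lower()

    for policy in header_values(pairs, "content-security-policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0] == "frame-ancestors":
                sources = tokens[1:]
                if not sources or sources == ["'none'"]:
                    return False
                if "'self'" in sources and framer_origin == page_origin:
                    return True
                return framer_origin in sources

    xfo = header_values(pairs, "x-frame-options")
    if not xfo:
        return True
    unique = set(xfo)
    if len(unique) > 1:
        return "deny" not in unique
    value = xfo[0]
    if value == "deny":
        return False
    if value == "sameorigin":
        return framer_origin == page_origin
    return True


# Constructed sample responses (not captured from a real server).
UNPROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Lotus-Domino\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
PROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Lotus-Domino\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
MAIL_URL = "https://mail.companyxyz.com/"
ATTACKER = "https://evil.example"   # hypothetical attacker origin

if __name__ == "__main__":
    for label, raw in (("no header", UNPROTECTED), ("SAMEORIGIN", PROTECTED)):
        print(label,
              "| attacker may frame:", framing_allowed(raw, MAIL_URL, ATTACKER),
              "| same origin may frame:", framing_allowed(raw, MAIL_URL, origin_of(MAIL_URL)))
```

To check a live server, save the output of curl -sI https://mail.companyxyz.com/ to a file and pass its contents to framing_allowed with the server's URL and an origin you do not control; the answer should be False after the rule is loaded and the HTTP task restarted. The same call with the server's own origin should stay True, which is what keeps Domino's own framed applications working under SAMEORIGIN.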
Here is a technote for reference: http://www-01.ibm.com/support/docview.wss?uid=swg21568598