In an XPages application you might want to ensure that only your XPages elements are being used to access data.
Here are some tips to disable elements of classic Domino web development.
No Notes form is needed on the web, since the XPages provide the UI.
Enable the "hide design element from: web browsers" property for all forms.
Or, if some forms have to be visible to web browsers, make sure that they display only the information you want them to display. Do not rely on users only working with your XPages, since a simple ?EditDocument command uses the plain form again.
Prevent web user from accessing views directly
Create a $$ViewTemplateDefault form that is blank or contains only a message such as "Nothing to see here".
Set form formula in the 0 view
Create a view named "0" and set its form formula to a form that is just blank, so that documents opened through the 0 view (db.nsf/0/<UNID>) render nothing.
Set the "hide design element from: web browsers" property on all views not needed on the web.
Block an XPage from users not having a role
XPage -> All Properties -> rendered (computed value):
var v:Array = database.queryAccessRoles(session.getEffectiveUserName());
return v.indexOf("[YourRole]") > -1; // "[YourRole]" is a placeholder for the ACL role that may open the page
As an alternative you could redirect to another page in the BeforePageRendered event of the XPage using context.redirect() when the user does not have the role.
Check your agents
- Check which agents are available from the web.
- Check with which ID your agents are running when they are executed from the web. A standard agent runs with the ID with which it is signed. Check for the property "run as web user"; this makes the agent run with the rights of the current web user.
Check what your application does on certain URL commands
There are many URL commands in Domino. Check if your application does what it should on these commands:
You can create redirection rules in your Global Web Settings (found under Internet Sites in your Domino Directory) so that these potentially dangerous URLs are redirected to an error page.
Here is an example:
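As an added example that is not part of the original article, this Node.js script audits web server access log lines for the classic Domino URL commands that the tips above are meant to block, and reports per user and command how often such a request was still served (2xx) rather than redirected or refused. The log layout, the user names and the UNID are constructed sample data, and the command list is a selection of real Domino URL commands chosen here, not a list from the article.

```javascript
// Added example, not from the original article: audit a web access log for
// classic Domino URL commands that bypass the XPages UI.
const CLASSIC_COMMANDS = [
  'OpenDocument', 'EditDocument', 'DeleteDocument', 'CreateDocument', 'SaveDocument',
  'OpenForm', 'ReadForm', 'OpenView', 'ReadViewEntries', 'SearchView',
  'OpenAgent', 'OpenDatabase', 'OpenAbout', 'OpenHelp', 'ReadDesign',
];
// Domino matches URL commands case-insensitively and accepts '!' as well as '?'
// as the command delimiter, so both spellings are recognised here.
const COMMAND_RE = new RegExp('[?!](' + CLASSIC_COMMANDS.join('|') + ')(?=$|&|/)', 'i');

// Returns the classic command used in a request path, in canonical spelling,
// or null for XPages (.xsp) requests and other URLs without such a command.
function classicCommand(path) {
  const m = COMMAND_RE.exec(path);
  if (!m) return null;
  return CLASSIC_COMMANDS.find(c => c.toLowerCase() === m[1].toLowerCase());
}

// Common log format (constructed layout); the user field is matched lazily
// because Notes names contain spaces.
const LOG_RE = /^(\S+) \S+ (.+?) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/;
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { client: m[1], user: m[2], when: m[3], method: m[4], path: m[5], status: Number(m[6]) };
}

// Per user and command: how often it was requested and how often the server
// actually served it (2xx) instead of redirecting or refusing it.
function auditLog(lines) {
  const hits = {};
  for (const line of lines) {
    const req = parseLogLine(line);
    const cmd = req && classicCommand(req.path);
    if (!cmd) continue;
    const key = req.user + ' ' + cmd;
    hits[key] = hits[key] || { user: req.user, command: cmd, total: 0, served: 0 };
    hits[key].total += 1;
    if (req.status >= 200 && req.status < 300) hits[key].served += 1;
  }
  return Object.values(hits);
}

// Constructed sample lines: an XPage request, an ?EditDocument that was
// redirected (rule working) and an !OpenView that was still served.
const SAMPLE_LOG = [
  '10.0.0.5 - CN=Jane Doe/O=Acme [12/Jan/2012:10:15:01 +0100] "GET /app.nsf/home.xsp HTTP/1.1" 200 5120',
  '10.0.0.5 - CN=Jane Doe/O=Acme [12/Jan/2012:10:16:40 +0100] "GET /app.nsf/0/0123456789ABCDEF0123456789ABCDEF?EditDocument HTTP/1.1" 302 0',
  '10.0.0.9 - - [12/Jan/2012:10:17:02 +0100] "GET /app.nsf/byname!openview HTTP/1.1" 200 8834',
];
console.log(auditLog(SAMPLE_LOG));
```

Any entry with served > 0 points at a classic command that the redirection rules and the hidden forms and views are not catching yet.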