Easy Way To Prevent Browsers From Hacking Into Views

The other day I saw a post from Steve Zavocki “Quick Tip: Don’t Forget to Hide Views from Web Browsers”  (http://notesspeak.blogspot.com/2015/09/quick-tip-dont-forget-to-hide-views.html) which reminded me of a technique I’ve used on XPages applications to restrict anyone from guessing a view name to peek at the data.

One line of JavaScript does it!

Simply create a $$ViewTemplateDefault form with a Computed Text element with the formula:

"<script>window.location=\"/" + @WebDbName + "\";</script>"

Then highlight the Computed Text and mark it as Pass-Thru HTML. Finally, save the form.

Any time a browser tries to open a view by guessing a name (e.g. http://www.acme.com/db.nsf/all?OpenView), the browser will be redirected to the database URL (in our example: http://www.acme.com/db.nsf), which then uses the Application Property on the Launch tab for “When opened in a browser” to direct it where you want users to go by default. It’s nice because this protects all your views in this database. Plus, since the formula uses the @WebDbName function, you can copy this form and use it in any database.

(And if you are using some traditional web views in this same application, you can create a specific $$ViewTemplate for each of them.)


Update 09/21/2015  –  Thanks Nathan, for the reminder about how simple it is to disable JavaScript.  The above technique still prevents views from being accessed because if JS is disabled, the blank form is displayed to the user.

Alternatively, we can do it without JavaScript by using the HTTP META refresh in the HTML Head Content with this formula:

"<meta http-equiv=\"refresh\" content=\"0;URL='/" + @WebDbName + "'\" />"

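A response-side check for the two templates above, as an added example that is not part of the original post: it classifies the HTML a server returns for an ?OpenView request. The sample responses, the /db.nsf path and the assumption that rendered view rows link to ...?OpenDocument are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class ViewResponseAudit(HTMLParser):
    """Collects redirect targets and document links from one response body."""
    def __init__(self):
        super().__init__()
        self.meta_target = self.script_target = None  # redirect URLs found
        self.doc_links = []  # hrefs that open documents, i.e. rendered view rows
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            self.meta_target = m.group(1) if m else None
        elif tag == "script":
            self._in_script = True
        elif tag == "a" and "opendocument" in a.get("href", "").lower():
            self.doc_links.append(a["href"])  # assumption: rows link to ?OpenDocument

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        m = re.search(r'window\.location\s*=\s*"([^"]+)"', data)
        if self._in_script and m:
            self.script_target = m.group(1)

def audit(html, db_path):
    """Classify the body returned for a ?OpenView request against db_path."""
    p = ViewResponseAudit()
    p.feed(html)
    p.close()
    if p.doc_links:
        return "EXPOSED"           # rows reached the browser, redirect or not
    if p.meta_target == db_path:
        return "REDIRECT_META"     # works with JavaScript disabled
    if p.script_target == db_path:
        return "REDIRECT_JS_ONLY"  # blank page when JavaScript is disabled
    return "NO_REDIRECT"

# Constructed sample responses (not captured from a real server).
JS_FORM = '<html><body><script>window.location="/db.nsf";</script></body></html>'
META_FORM = '<html><head><meta http-equiv="refresh" content="0;URL=\'/db.nsf\'" /></head></html>'
ROWS = '<table><tr><td><a href="/db.nsf/all/0A1B?OpenDocument">Invoice</a></td></tr></table>'
LEAKY = JS_FORM.replace("</body>", ROWS + "</body>")
for name in ("JS_FORM", "META_FORM", "ROWS", "LEAKY"):
    print(name, audit(globals()[name], "/db.nsf"))
```

The LEAKY case is the one to watch for: a template that redirects but still renders view rows sends the data to the browser before the redirect runs.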

5 thoughts on “Easy Way To Prevent Browsers From Hacking Into Views”

    1. Yes, being able to keep data out of the XPages app’s .nsf is the best way to go when you can, especially when you have an external server accessible from the internet that accesses the data from a Domino server inside the firewall.

      Where this technique can be useful is for those working in Domino server environments that aren’t exactly as well thought out.


    1. Nathan, My first thought when I saw your reply was “Ouch! He instantly found a way around it.” But then I tested it and even with JavaScript disabled, it leaves you staring at a blank page (because there is nothing on the form) – so, it still achieves the goal of preventing access to any views.

      Since you got me thinking, I also tried doing this with the HTTP META tag refresh, which has the advantage that it works even when JS is disabled. (I’ll add that in the posting, above.)

      But are there other holes I might be missing?

