Easy Way To Prevent Browsers From Hacking Into Views (take #2)

After the previous post, Nathan pointed out how simple it is to turn off JavaScript in the browser.

So okay, I should’ve thought of that. But after doing some testing I found that the technique still prevents views from being accessed, because even with JavaScript disabled the user only sees a blank page.

Which got me thinking… it may be better to do it without any JavaScript by putting an HTTP META refresh in the HTML Head Content of the $$ViewTemplateDefault FORM with the formula:

"<meta http-equiv=\"refresh\" content=\"0;URL='/" + @WebDbName + "'\" />"

To recap: If a browser tries to hack your URL by guessing the name of a real view (ex. http://www.acme.com/db.nsf/all), Domino will try to use the default view template to display the view, but the META refresh will redirect the user back to the base URL of the NSF, which forces Domino to apply the application’s launch property and take the user where you want them to be.

If the view name they try is not a real view in your database, they’ll get a different error saying the design element does not exist. So, it might be a good idea to also create a $$ReturnGeneralError FORM from a copy of the $$ViewTemplateDefault.
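Once the template is in place, it is worth confirming from the browser side that a guessed view URL really returns only the redirect page and no view rows. The following Python check is an added example, not code from the post: it parses a saved response body, pulls the target out of any META refresh, and counts document links. The two sample pages are constructed here (one rendered the way the post's formula would for a database named db.nsf, one a plain Domino view rendering with the template missing); the function name check_view_response and the db_path parameter are this example's own.

```python
import re
from html.parser import HTMLParser

# Constructed sample: what the $$ViewTemplateDefault form from the post
# renders to when @WebDbName evaluates to "db.nsf" (only the META refresh).
NICE_TRY_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;URL='/db.nsf'" />
</head><body></body></html>"""

# Constructed sample: a default Domino view rendering, i.e. what a guessed
# view URL returns when no protective template is applied.
LEAKED_VIEW_PAGE = """<html><head><title>All</title></head><body>
<form method="post" action="/db.nsf/all?OpenView"><table>
<tr><td><a href="/db.nsf/all/abc123?OpenDocument">Document 1</a></td></tr>
<tr><td><a href="/db.nsf/all/def456?OpenDocument">Document 2</a></td></tr>
</table></form></body></html>"""


class _ViewPageParser(HTMLParser):
    """Collects META refresh targets and ?OpenDocument links from a page."""

    def __init__(self):
        super().__init__()
        self.refresh_targets = []
        self.document_links = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like: 0;URL='/db.nsf'  (quotes optional)
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.refresh_targets.append(m.group(1).strip())
        elif tag == "a" and "?opendocument" in (a.get("href") or "").lower():
            self.document_links += 1


def check_view_response(body, db_path):
    """Inspect the HTML returned for a guessed view URL.

    db_path is the base URL path of the NSF (e.g. "/db.nsf"). The page passes
    when it redirects to exactly that path and exposes no document links.
    """
    parser = _ViewPageParser()
    parser.feed(body)
    norm = lambda p: p.lower().rstrip("/")
    redirects_to_root = any(norm(t) == norm(db_path) for t in parser.refresh_targets)
    return {
        "refresh_targets": parser.refresh_targets,
        "redirects_to_root": redirects_to_root,
        "document_links": parser.document_links,
        "ok": redirects_to_root and parser.document_links == 0,
    }


if __name__ == "__main__":
    for name, page in (("template", NICE_TRY_PAGE), ("no template", LEAKED_VIEW_PAGE)):
        print(name, check_view_response(page, "/db.nsf"))
```

Feed it the body of a real response saved from the browser (View Source) rather than relying on what the browser displays, since a blank-looking page can still carry view data in its markup.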


3 thoughts on “Easy Way To Prevent Browsers From Hacking Into Views (take #2)”

  1. John McCann

    You can use an alias on a form so you don’t have to create copies. For example, in many databases we have a “nice try” page with the form name of:

    $$ViewTemplateDefault | $$SearchTemplateDefault | $$NavigatorTemplateDefault

