Wednesday, September 16, 2015

Quick Tip: Don't Forget to Hide Views from Web Browsers

One item to add to your checklist before deploying a new XPages application is to remember to hide your views from web browsers. The last application I deployed used a DB2 backend for everything but we still used views to hold keyword documents and error messages. If you forget to hide them from the web, then users could use the address bar and type in the view name which could allow users to see data they are not intended to see. Another factor is those default views are cringe-worthy ugly.

I knew that hiding the views was easy, but it actually took me a while to find the setting. I expected to find it in the properties of the view but it isn't there. Of course my next step was to use google to find the answer but amazingly, I couldn't find anything. I started to compose a Stack Overflow question but discovered the answer while composing the question.

The property is in the design properties as shown below.

The design view also has a column that shows whether the view is visible on the web or not. In the XPages world, I can't think of a single reason why you would ever want to show a view to a web browser.

Edit: If you follow the best practice of separating your design and data into two NSF's then you don't have to worry about hiding your views, you would hide the whole database from direct web access. We used a single NSF because all of our data was in a relational backend so our data and design were already separate. Thanks to David Leedy and Jesse Gallagher for pointing this out.


  1. that is nice for new NSF's. but how do you know if views are not used in other applications?

  2. This only effects browsing the view using the direct URL, it does not have any effect on the use of that view in the current application or any other application. Sorry, I should have mentioned that.