Encryption & Decryption of parameter in URL

dsf3
Tera Contributor

Hi All,

 

Looking for your guidance on how we can ensure that parameters coming in the URL from a third-party application to ServiceNow are secure, meaning they are encrypted by the third party and decrypted in ServiceNow with some mechanism.

If you feel there is any approach other than encryption/decryption to ensure parameter values are not visible to the user, please let me know as well.

 


M Iftikhar
Mega Sage

Hi,

Passing sensitive data directly in the URL query string is not recommended because:

It remains visible in browser history, logs, and network traces.

Even if encrypted, it can still expose patterns.

Better approaches in ServiceNow:

Use HTTPS (TLS):
Always ensure communication between the third-party app and ServiceNow is over HTTPS. This secures parameters in transit.

Use Request Body Instead of URL:
Instead of putting sensitive values in query parameters, send them in the request body (e.g., JSON payload via REST API). This is the best practice.

Encryption/Decryption Approach (if URL is mandatory):

Third party encrypts the value using a shared secret or certificate.

In ServiceNow, you can use the Encryption Support plugin or custom decryption logic in a Script Include (e.g., AES, RSA with GlideCrypto).

On page load or script execution, decrypt the parameter before use.

Use Access Tokens / One-time Identifiers:
Instead of passing actual sensitive values, pass a secure token or GUID. ServiceNow can then look up the actual value from a secure table using that token. This avoids exposing real data.

👉 In short: Don’t rely only on URL encryption. Best practice is to avoid sending sensitive info in query strings. Use HTTPS, request body, or tokens. If unavoidable, use shared key encryption and decrypt in ServiceNow with GlideCrypto or Script Include.

Thanks & Regards,
Muhammad Iftikhar,
If my response helped, please mark it as the accepted solution so others can benefit as well.
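
An added example for the "Encryption/Decryption Approach (if URL is mandatory)" item above; it is not code from this thread or from ServiceNow. It runs in Node.js to show one possible token format (AES-256-GCM with a random nonce and an embedded expiry); the function names, the token layout and the demo key are assumptions, and the ServiceNow side would have to implement `openParam` with whatever crypto API the instance provides.

```javascript
// Added example (not from the thread). Node.js; all names here are hypothetical.
const crypto = require('node:crypto');

const b64u = (buf) => buf.toString('base64url');

// Sender side: seal a value into a URL-safe token.
// Layout: base64url( iv[12] || tag[16] || ciphertext ), payload = JSON {v, exp}.
function sealParam(key, value, ttlSeconds, now = Date.now()) {
  const iv = crypto.randomBytes(12); // fresh nonce per token, never reused with this key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const payload = JSON.stringify({ v: value, exp: Math.floor(now / 1000) + ttlSeconds });
  const ct = Buffer.concat([cipher.update(payload, 'utf8'), cipher.final()]);
  return b64u(Buffer.concat([iv, cipher.getAuthTag(), ct]));
}

// Receiver side: returns the value, or null when the token is malformed,
// modified, sealed under a different key, or past its expiry.
function openParam(key, token, now = Date.now()) {
  try {
    const raw = Buffer.from(token, 'base64url');
    if (raw.length < 12 + 16 + 1) return null;
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { v, exp } = JSON.parse(pt.toString('utf8'));
    if (typeof exp !== 'number' || Math.floor(now / 1000) >= exp) return null;
    return v;
  } catch (e) {
    return null; // authentication failure or unparsable payload
  }
}

// Constructed demo key; a real deployment shares 32 random bytes out of band.
const DEMO_KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();
```

The random nonce makes two tokens for the same value differ, and the expiry bounds how long a URL copied from browser history or a log stays usable; it does not make the token single-use.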

dsf3
Tera Contributor

Thanks for your suggestion. Yes, what you said about avoiding URL parameters is right, but in my scenario we cannot avoid it, and I like your idea below. Could you please give me more details on how we can configure it? Didn't get much documentation on this.

 

In ServiceNow, you can use the Encryption Support plugin or custom decryption logic in a Script Include (e.g., AES, RSA with GlideCrypto).

Bhuvan
Mega Patron

@dsf3 

 

Check Post and URL Parameter API to see if it suits your requirement,

https://www.servicenow.com/docs/bundle/zurich-platform-security/page/administer/edge-encryption/conc...

Check below post for encodeURI() for similar function,

https://www.servicenow.com/community/itsm-forum/encode-encrypt-url-parameters/m-p/818375

 

If this helped to answer your query, please mark it helpful & accept the solution.

 

Thanks,

Bhuvan

dsf3
Tera Contributor

Thanks for your suggestion, but those are not relevant here.

1. Edge Encryption is mainly used as an on-prem to ServiceNow cloud security mechanism. Also, it involves extra configuration for a proxy.

2. The second link mentions using an encoded URI component. Encoding and encryption are different aspects.