Exploring High Security Settings
High Security Settings refer to several security options available in your instance.
The High Security Settings module is activated with the High Security Settings plugin, which is active by default on new instances. If High Security Settings are not active on your instance, see Requesting High Security Settings activation. To learn more about this plugin, see Enable High Security Plugin [Updated in Security Center 1.3] in Instance Security Hardening Settings. Properties for these types of high security settings are available:
- Default property values: To harden security on your platform by centralizing all critical security settings to one location for management and auditing.
- Default deny property: Provides a security manager property to control the default security behavior for table access.
- Security Administrator role: Provides a role to prevent modification of key security settings and resources. The Security Administrator role is not inherited by the admin role and must be explicitly assigned.
- Elevated privileges: Allows users with the security admin role to operate in the context of a normal user and elevate to higher security role when needed.
- Property access controls: Allows security administrators to set the roles required to read and write properties.
- System logs: Are read only.
- Access control rules: Control what data users can access and how they can access it.
- High Security Settings also automatically activates the Contextual Security plugin, if it is not already active. In addition, Platform Security Settings - High delivers settings and features in the context of increasing the security of your instance.
- The Instance Security Hardening Settings content contains detailed descriptions, and compliance values, for the security-related system properties and plugins in the ServiceNow AI Platform.
- To learn more about each of these properties, see Hardening settings.
- Navigate to .
Options on the High Security Properties page are Yes or No.
- Navigate to the sys_properties.list and search for the property you want to set or change.
Options in the System Properties table [sys_properties.list] are true or false.
Property access control
Two additional columns are created in the Properties [sys_properties] table when High Security Settings are active:
- read_roles: A comma-separated list of role names that are allowed to read all fields of this property.
- write_roles: A comma-separated list of role names that are allowed to write/modify all fields of this property.
Properties listed in the Properties table have read_roles of admin, and write_roles of security_admin. Users with the admin role can view and read the property values, but must elevate to the security_admin role to modify them.
Notifications
Activation of high security settings also activates security warning messages. The following is an example of a message that appears after an approval.
High Security Settings properties
| Property | Description | Default Value | Instance Security Hardening Settings |
|---|---|---|---|
| glide.ui.escape_text | Escape XML values at the parser level for the user interface. Prevents reflected and stored cross-site scripting attacks. This property is not applicable in Service Portal. Remarque : This property is set to true by default in Vancouver and later releases, and can't be changed by administrators. For a use case where the property has to be changed, contact customer support. |
Yes | Escape XML markup [Updated in Security Center 1.3] |
| glide.ui.escape_all_script | Forces all expressions within Jelly JavaScript |
Yes in new instances | Escape jelly script [Updated in Security Center 1.3 and 1.5] |
| glide.ui.rotate_sessions | Rotate HTTP session identifiers to reduce security vulnerabilities. See: http://www.owasp.org/index.php/Session_Management#Rotate_Session_Identifiers. |
Yes Remarque : If you are using the SAML 2.0 plugin for Single Sign-on authentication, set this property to No. Otherwise, it interferes with the session information sharing that takes place between the instance and the Identity Provider. |
Rotate HTTP session identifiers |
| glide.ui.secure_cookies | Enable secure session cookies: Enable additional cookie security. If Yes, strict session cookie validation is enforced. |
Yes | Enforce strict security of session cookies [Updated in Security Center 1.3] |
| glide.security.password_reset.uri | For mobile Password Reset, URL that the user is taken to when the user clicks the Forgot password? button. |
None | |
| glide.security.strict.updates | Double-check security on inbound transactions during form submission (rights are always checked on form generation). Remarque : This property is set to true by default in Vancouver and later releases, and can't be changed by administrators. For a use case where the property has to be changed, contact customer support. |
Yes | Double check inbound transactions [Updated in Security Center 1.3] |
| glide.security.strict.actions | Check conditions on UI actions before execution. Normally conditions are checked only during form rendering. |
Yes | Check UI action conditions before execution |
| glide.security.use_csrf_token | Enable usage of a secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery attacks. |
Yes | Enable Anti-CSRF token [New in Security Center 1.3, updated in 1.5, and removed in 2.0] |
| glide.ui.escape_html_list_field | Escape HTML for HTML fields in a list view. |
Yes | Escape HTML in list views [Updated in Security Center 1.3 and 1.5] |
| glide.html.escape_script | Escape JavaScript tags in HTML fields. |
Yes | Escape JavaScript [Updated in Security Center 1.3] |
| glide.ui.forgetme | Remove the Remember me check box from the login page. |
Yes | Remove remember me |
| glide.smtp.auth | Authenticate with the SMTP server by the user name and password properties. Remarque : This property is deprecated. |
Yes | |
| glide.soap.strict_security | Enforce strict security on incoming SOAP requests. Requires incoming SOAP requests to go through the security manager for table and field access and checks SOAP users for the correct roles for using the web service. |
Yes | Enforce SOAP request strict security [Updated in Security Center 1.3] |
| glide.basicauth.required.wsdl | Require authorization for incoming WSDL requests. Remarque : If you choose not to require authorization for incoming WSDL requests, you must modify the Access Control (ACL) rules to allow guest users to access the WSDL content. |
Yes | Require authorization for WSDL request [Updated in Security Center 1.3 and 1.5] |
| glide.basicauth.required.csv | Require basic authorization for incoming CSV requests . |
Yes | Require authorization for csv requests [Updated in Security Center 1.3] |
| glide.basicauth.required.excel | Require basic authorization for incoming Excel requests. |
Yes | Require authorization for excel requests [Updated in Security Center 1.3] |
| glide.basicauth.required.importprocessor | Require basic authorization for incoming import requests. |
Yes | Require authorization for import requests [Updated in Security Center 1.3] |
| glide.basicauth.required.pdf | Require basic authorization for incoming PDF requests. |
Yes | Require authorization for pdf requests [Updated in Security Center 1.3] |
| glide.basicauth.required.rss | Require basic authorization for incoming RSS requests. | Yes | Require authorization for RSS requests [Updated in Security Center 1.3] |
| glide.basicauth.required.scriptedprocessor | Require basic authorization for incoming script requests. |
Yes | Require authorization for script requests [Updated in Security Center 1.3] |
| glide.basicauth.required.soap | Require basic authorization for incoming SOAP requests. |
Yes | Require authorization for SOAP requests [Updated in Security Center 1.3, 1.5, and 2.0] |
| glide.basicauth.required.unl | Require basic authorization for incoming unload requests. |
Yes | Require authorization for unload requests [Updated in Security Center 1.3] |
| glide.basicauth.required.xml | Require basic authorization for incoming XML requests. |
Yes | Require authorization for XML requests [Updated in Security Center 1.3] |
| glide.basicauth.required.xsd | Require basic authorization for incoming XSD requests. |
Yes | Require Authorization for XSD Requests [Updated in Security Center 1.3] |
| glide.cms.catalog_uri_relative | Enforce relative links from the URI parameter on /ess/catalog.do. If Yes, only relative URLs are permitted through the /ess/catalog.do page using the uri parameter. If No, all URLs are permitted, which may permit linking to external unauthorized content. |
Yes | Enforce relative links [Updated in Security Center 1.3 and 1.5] |
| glide.set_x_frame_options | Enable this property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages. The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this property to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. https://developer.mozilla.org/en/the_x-frame-options_response_header |
Yes | Implement the x-frame-options: SAMEORIGIN security header [Updated in Security Center 1.3] |
| glide.ui.attachment.download_mime_types | A list of comma-separated attachment mime types that do not render inline in the browser. Prevents cross-site scripting attacks. For example, text/html forces HTML files to be downloaded to the client as attachments rather than viewed inline in the browser. |
text/html,image/svg,image/svg+xml | Restrict downloadable MIME types [Updated in Security Center 1.3 and 2.0] |
| glide.security.groupby_acl_check | When this property is enabled, ACL checks for GroupBy operations are performed for the group names based on the actual data from the groups. |
Yes | None |
| glide.security.diag_txns_acl | If Yes, only the admin user or user from allowed IP address can access stats.do, threads.do, and replication.do. | No | Restrict performance monitoring access [Updated in Security Center 1.3] |
| glide.ui.security.codetag.allow_script | Allow embedded HTML (using [code] tags) to contain JavaScript tags. Remarque : This property is set to true by default in Vancouver and later releases, and can't be changed by administrators. For a use case where the property has to be changed, contact customer support. |
No | Disable embedded HTML code [Updated in Security Center 1.3] |
| glide.script.allow.ajaxevaluate | Enable the AJAXEvaluate processor. The AJAXEvaluate API call allows the client to send and execute arbitrary scripts on the server. |
No | Disable AJAXEvaluate |
The following properties are defined in the sys_properties table, but are not visible on the High Security Settings page.
| Property | Description | Default value | Instance Security Hardening Settings |
|---|---|---|---|
| com.glide.communications.httpclient.verify_hostname | Verify the hostname and certificate chain presented by remote SSL hosts. Protect against Man-In-The-Middle (MITM) attacks. For more detail, see Set up Kubernetes spoke Remarque : This property overrides the com.glide.communications.trustmanager_trust_all property. |
true | None |
| glide.basicauth.required.schema | Require basic authentication for inbound table schema requests. |
true | None |
| glide.security.csrf_previous.allow | Allow usage of an expired secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery attacks. |
false | None |
| glide.security.csrf_previous.time_limit | Time in seconds for a secure token to expire. Allows control over the length of time that the previous CSRF token is valid. When the user session expires, the secure token expires with it unless the glide.security.csrf_previous.allow property is enabled and it is within the timeframe described by this property. This token is used to prevent cross-site request forgery attacks. |
86400 Remarque : Value in seconds. Equivalent to 1 day. |
None |
| glide.security.csrf.strict.validation.mode | Enforces strict validation on CSRF tokens so that users cannot resubmit a request if the CSRF token does not match. |
false | Prevent Users From Accepting Warning To Bypass CSRF Validation [Updated in Security Center 1.3 and 1.5] |
| com.glide.security.check_unsanitized_html | Enforces sanitization behavior of translated_html fields on a global level for field assignments. | enforce | None |