Enable HTTP Only Cookie Flag [Updated in Security Center 1.3]

  • Rversion finale: Australia
  • Mis à jour 12 mars 2026
  • 1 minute de lecture

    • Use the glide.cookies.http_only property to enable the HTTPOnly attribute for sensitive cookies.

    Use the HTTPOnly attribute to prevent attacks, such as cross-site scripting, because it doesn't allow access to the cookie using a client-side script, such as JavaScript. It does not eliminate cross site scripting risks but does eliminate some exploitation vectors.

    Avertissement :
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    Attribute Description
    Property name glide.cookies.http_only
    Configuration type System Properties (/sys_properties_list.do)
    Category Session management
    Purpose To mitigate the risk of client-side script accessing the protected cookie.
    Recommended value true
    Default value true
    Security risk rating 8
    Functional impact This remediation adds an extra HTTPOnly flag in on session cookies, thus protecting them from being stolen.
    • If you have custom functionality that requires JavaScript to access the user's cookie, it breaks that functionality. It should not be the case under normal circumstances.
    • The ServiceNow AI Platform handles session management and there shouldn't be a reason for a custom script to access the user's cookies.
    Security risk (Moderate) Session cookies in the application authenticate an end user and provide implicit access permissions on the application. That means there is a need to secure them from being stolen or exported. HTTP Only flags protect the session cookies from JavaScript injections or cross site scripting vulnerabilities stealing them.
    References Available system properties

    To learn more about adding or creating a system property, see Add a system property.