Enforce URL allowlist check

  • Release version: Australia
  • Updated March 12, 2026
  • Use the glide.security.url.whitelist system property to add an extra layer of validation that checks whether an external URL is on the list of allowed URLs.

    If the glide.security.url.whitelist.strict_check system property isn't set to the recommended value of true, then all external URLs are allowed for redirection when glide.security.url.whitelist is empty. If glide.security.url.whitelist is not empty, then only external URLs in the list are allowed. Either setting glide.security.url.whitelist.strict_check to true or ensuring glide.security.url.whitelist is set to a non-empty value with the allowed external URLs leaves the instance in a secure state.

    Ensure that the property glide.security.url.whitelist.strict_check is set to true or the property glide.security.url.whitelist is set to a value.

    More information

    Attribute: Description
    Configuration name:
    • glide.security.url.whitelist.strict_check
    • glide.security.url.whitelist
    Configuration type: System Properties (/sys_properties_list.do)
    Data type:
    • Boolean
    • String
    Recommended value:
    • true
    • Comma-separated list of permitted URLs
    Default value: <none>
    Fallback value:
    • true
    • <empty>
    Category: Validation, sanitization, and encoding
    Security risk:
    • Severity score: 6.3
    • CVSS rating: Medium
    • Security risk details: If all external URLs are allowed for redirection, this could allow an attacker to redirect a user to a malicious website.
    Functional impact: This remediation enforces validation on the logout page. It might have a functional impact on a user of an instance with an SSO/SAML configuration.
    Dependencies and prerequisites: None
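
The interaction of the two properties described above, as an added example that is not ServiceNow code: it audits a set of property values for the secure state and models the resulting redirect decision. It assumes the values arrive as a plain object, that an unset strict_check takes the fallback value listed above, and that allowlist entries match by exact origin, which this page does not specify; the function names are hypothetical.

```javascript
// Added example: a stand-alone model of the rule on this page, not ServiceNow code.
// Input: property values as a plain object (for example, exported from sys_properties).
const STRICT = 'glide.security.url.whitelist.strict_check';
const LIST = 'glide.security.url.whitelist';

// Split the comma-separated allowlist, dropping blanks such as " , ".
function parseAllowlist(raw) {
  return String(raw || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Origin (scheme + host + port) of an absolute URL, or null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Report whether the two properties leave the instance in the secure state.
function auditProperties(props) {
  const raw = props[STRICT];
  // Assumption: an unset strict_check uses the fallback value "true" from the table.
  const strict = raw === undefined || raw === null
    ? true
    : String(raw).trim().toLowerCase() === 'true';
  const allowlist = parseAllowlist(props[LIST]);
  const secure = strict || allowlist.length > 0;
  return {
    strict,
    allowlist,
    secure,
    finding: secure ? null : 'strict_check is not true and the allowlist is empty',
  };
}

// Model of the redirect decision for an absolute external URL.
function isRedirectAllowed(props, targetUrl) {
  const { strict, allowlist } = auditProperties(props);
  const target = originOf(targetUrl);
  if (target === null) return false; // unparseable target: reject
  // Empty list: the page says everything is allowed unless strict_check is true.
  // Assumption: with strict_check true and an empty list, nothing external is allowed.
  if (allowlist.length === 0) return !strict;
  // Assumption: entries match by exact origin; the page does not define matching.
  return allowlist.some((entry) => originOf(entry) === target);
}
```

A `secure: false` result corresponds to the one combination the page warns about: strict_check not true together with an empty allowlist.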