Enforce secure referrer policy

  • Release version: Australia
  • Updated March 12, 2026
    Use the com.glide.security.referrerpolicy property to set the Referrer-Policy HTTP header that each ServiceNow® page returns, so that the requests a page makes carry only the appropriate amount of referrer data and URL contents are not leaked to other sites.

    Use the com.glide.security.referrerpolicy system property to control what information is included in the Referer HTTP header across the Now Platform. Depending on the policy, the Referer header carries either nothing, the origin only, or the origin, path, and query string of the referring page's URL (browsers never send the fragment or embedded credentials). The accepted values are the standardized Referrer-Policy values defined for HTTP, plus the ServiceNow-specific value "default". Under a permissive policy, the Referer header sent to another site can include sensitive information about or from the page making the request, such as record identifiers or query parameters.

    Ensure that the com.glide.security.referrerpolicy system property is set to one of the following: default, same-origin, origin-when-cross-origin, or strict-origin-when-cross-origin.

    More information

    Attribute Description
    Configuration name: com.glide.security.referrerpolicy
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: String
    Recommended value: default
    Default value: default
    Fallback value: default
    Category: Configuration
    Security risk:
    • CVSS score: 4.3
    • Severity: Medium
    • Security risk details: When the com.glide.security.referrerpolicy system property is set to no-referrer-when-downgrade or unsafe-url, the Referer header of a cross-origin request (a request to a site other than the instance) includes the full URL of the referring page. With no-referrer-when-downgrade the full URL is sent to every destination except an HTTP site reached from an HTTPS page; with unsafe-url it is sent to every destination, including HTTP ones. The full referrer URL shared with external sites may include sensitive information from or about your instance, which can lead to data leakage and privacy violations.

      When the property is set to no-referrer, origin, or strict-origin, the Referer header is either omitted entirely or reduced to the origin portion of the referrer URL, even for requests to the instance itself. This can impede efforts to trace attack paths in the logs during a security incident, because the exact page that made a request can't be determined easily. Proper configuration of this property is essential to help prevent unauthorized disclosure of internal identifiers or confidential parameters while still allowing security incident investigations.

    Functional impact

    When the com.glide.security.referrerpolicy system property is set to no-referrer, origin, or strict-origin, the Referer header is either omitted or reduced to the origin portion of the referrer URL, even for same-origin requests. This can break functionality that depends on the path or query string of the referring page.

    Some sites, such as YouTube, require requests for embedded content to include at least the origin in the Referer header. Because same-origin (and therefore default) sends no Referer header at all on cross-origin requests, an instance that embeds such content needs origin-when-cross-origin or strict-origin-when-cross-origin instead. The appropriate value of this property depends on the instance owner and the use case. The values recommended here are secure and don't break base system functionality. More information on these and the other standardized policies is available at https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy.

    • default: Functionally equal to setting the value to same-origin
    • same-origin: Sends the origin, path, and query string for same-origin requests. Doesn't send the referrer header for cross-origin requests.
    • origin-when-cross-origin: When performing a same-origin request, sends the origin, path, and query string. Sends only the origin for cross-origin requests and requests to less secure destinations (from HTTPS to HTTP).
    • strict-origin-when-cross-origin: Sends the origin, path, and query string when performing a same-origin request. For cross-origin requests, sends the origin only when the protocol security level stays the same (from HTTPS to HTTPS). Doesn't send the referrer header to less secure destinations (from HTTPS to HTTP).
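    The following is an added example, not ServiceNow code and not part of this page. It models in JavaScript what a browser places in the Referer header for each Referrer-Policy value described above, given a page URL on the instance and a request destination, and classifies a candidate property value into the categories this page uses (recommended, leaks the full URL, or reduces the referrer even for same-origin requests). The instance hostname, destination hosts, and the query string are constructed sample values; "default" is mapped to same-origin as the page states, and "potentially trustworthy" is approximated as https-only.

```javascript
// Added example (not ServiceNow code): models the Referer header a browser
// derives for an outgoing request under each Referrer-Policy value, following
// the W3C Referrer Policy algorithm as summarised on this page.
// Assumptions: "default" means same-origin (as the page states), and
// "potentially trustworthy" is approximated as https-only.

// Values this page recommends for com.glide.security.referrerpolicy.
const RECOMMENDED = new Set([
  "default",
  "same-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
]);

// Browsers never send credentials or the fragment in Referer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// An origin-only referrer is serialized with a trailing slash, e.g. "https://host/".
function originOf(url) {
  return new URL(url).origin + "/";
}

function isHttps(url) {
  return new URL(url).protocol === "https:";
}

// Returns the Referer header value, or null when the header is omitted.
function refererFor(policy, pageUrl, destUrl) {
  const p = policy === "default" ? "same-origin" : policy;
  const full = stripForReferrer(pageUrl);
  const origin = originOf(pageUrl);
  const same = new URL(pageUrl).origin === new URL(destUrl).origin;
  const downgrade = isHttps(pageUrl) && !isHttps(destUrl); // HTTPS page -> HTTP destination

  switch (p) {
    case "no-referrer":                return null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin":                     return origin;
    case "origin-when-cross-origin":   return same ? full : origin;
    case "same-origin":                return same ? full : null;
    case "strict-origin":              return downgrade ? null : origin;
    case "strict-origin-when-cross-origin":
      if (same) return full;
      return downgrade ? null : origin;
    case "unsafe-url":                 return full;
    default:
      throw new Error(`unknown Referrer-Policy value: ${policy}`);
  }
}

// Classifies a property value using the page's own categories, so a
// hardening check can flag a misconfigured instance.
function classifyPolicy(value) {
  if (RECOMMENDED.has(value)) return "recommended";
  if (value === "no-referrer-when-downgrade" || value === "unsafe-url") return "leaks-full-url";
  if (value === "no-referrer" || value === "origin" || value === "strict-origin") return "reduced-referrer";
  return "invalid";
}

// Constructed sample URLs: an instance page whose query string is sensitive,
// a same-origin API call, a cross-origin HTTPS embed, and an HTTP downgrade.
const PAGE = "https://example.service-now.com/incident.do?sysparm_query=caller_id%3Djdoe#attach";
const DESTS = {
  "same-origin API":    "https://example.service-now.com/api/now/table/incident",
  "cross-origin embed": "https://video.example.org/embed/1",
  "HTTP downgrade":     "http://legacy.example.net/report",
};
const ALL_POLICIES = ["default", "same-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "no-referrer", "origin", "strict-origin",
  "no-referrer-when-downgrade", "unsafe-url"];

// Print the matrix of what each destination would see under each policy.
for (const policy of ALL_POLICIES) {
  console.log(`${policy} [${classifyPolicy(policy)}]`);
  for (const [label, dest] of Object.entries(DESTS)) {
    console.log(`  ${label.padEnd(18)} -> ${refererFor(policy, PAGE, dest) ?? "(no Referer header)"}`);
  }
}
```

    Running the matrix makes the page's risk statement concrete: under unsafe-url the sysparm_query value reaches both the HTTPS embed and the plain-HTTP site, under no-referrer-when-downgrade it still reaches the HTTPS embed, while every recommended value sends at most the bare origin off the instance. On the instance itself the current value can be read in a background script with gs.getProperty('com.glide.security.referrerpolicy', 'default') and passed to classifyPolicy to check it against the recommended set.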
    Dependencies and prerequisites: None
    References: Referrer-Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy)