Implement the X-Frame-Options: SAMEORIGIN security header

  • Release version: Australia
  • Updated March 12, 2026

    Use the glide.set_x_frame_options property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages.

    The glide.set_x_frame_options system property controls whether the instance sends the X-Frame-Options: SAMEORIGIN security header. If glide.set_x_frame_options is not set to the recommended value of true, the instance can be framed in an iframe on another page.

    Ensure the property glide.set_x_frame_options is set to true.

    More information

    | Attribute | Description |
    | --- | --- |
    | Configuration name | glide.set_x_frame_options |
    | Configuration type | System Properties (/sys_properties_list.do) |
    | Data type | Boolean |
    | Recommended value | true |
    | Default value | <none> |
    | Fallback value | false |
    | Category | Configuration |
    | Security risk | Severity score: 5.9; CVSS rating: Medium; Security risk details: This can lead to a clickjacking attack. |
    | Functional impact | This remediation prevents a ServiceNow AI Platform application from rendering inside a third-party application as an iframe. If you have such an integration, the application wouldn't render in the customized third-party app. |
    | Dependencies and prerequisites | None |
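
One way to verify the effect of this property, as an added example that is not ServiceNow code: the JavaScript below audits captured response headers and lists the pages that do not return exactly X-Frame-Options: SAMEORIGIN. The function names, the sample paths other than /sys_properties_list.do, and the captured headers are constructed assumptions.

```javascript
// Added example: audit captured response headers for X-Frame-Options: SAMEORIGIN.

// Collect every value of one header from a raw header block. Header names are
// case-insensitive; a header may repeat or carry a comma-separated list.
function headerValues(rawHeaders, name) {
  const wanted = name.toLowerCase();
  const values = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // status line or blank line
    if (line.slice(0, idx).trim().toLowerCase() !== wanted) continue;
    for (const part of line.slice(idx + 1).split(',')) {
      const value = part.trim();
      if (value) values.push(value.toUpperCase());
    }
  }
  return values;
}

// Classify one response against the recommended value. Audit policy (an
// assumption of this example): only a single distinct SAMEORIGIN value passes.
function checkFraming(rawHeaders) {
  const values = [...new Set(headerValues(rawHeaders, 'X-Frame-Options'))];
  if (values.length === 0) return { status: 'missing', values };
  if (values.length === 1 && values[0] === 'SAMEORIGIN') return { status: 'ok', values };
  return { status: 'unexpected', values };
}

// Return the paths whose captured headers do not pass the check.
function failingPages(captures) {
  return Object.entries(captures)
    .filter(([, raw]) => checkFraming(raw).status !== 'ok')
    .map(([path]) => path);
}

// Constructed captures; paths other than /sys_properties_list.do are placeholders.
const sampleCaptures = {
  '/sys_properties_list.do':
    'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n',
  '/constructed_page_a.do':
    'HTTP/1.1 200 OK\r\nDate: Thu, 12 Mar 2026 10:00:00 GMT\r\nContent-Type: text/html\r\n',
  '/constructed_page_b.do':
    'HTTP/1.1 200 OK\r\nx-frame-options: sameorigin, DENY\r\n',
  '/constructed_page_c.do':
    'HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\nX-Frame-Options: SAMEORIGIN\r\n',
};

console.log(failingPages(sampleCaptures));
```

A page reported as missing after the property is set to true points to a response that is not covered by the setting or to a proxy that strips the header.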