Security settings properties
Security settings provide several properties to control the level of security on your instance.
- Navigate to .
Options on the Security page are Yes or No.
- Navigate to the sys_properties.list and search for the property
you want to set or change.
Options in the System Properties table [sys_properties.list] are true or false.
- Navigate to , then click Hardening.
You can configure the settings for the most important and critical security properties. The Instance Security Hardening Settings content contains detailed descriptions, and compliance values, for the security-related system properties and plugins in the ServiceNow AI Platform. To learn more about each of these properties, see Hardening settings.
Escaping and embedded script support
| glide.ui.security.allow_codetag | Supports embedding HTML code using the [code] tag. Default value: Yes Nota: Instance Security Hardening Settings: Disable embedded HTML code [Updated in Security Center 1.3] |
| glide.ui.security.codetag.allow_script | Allows embedded HTML (using [code] tags) to contain Javascript tags. Nota: This property is set to true by default in Vancouver and later releases, and can't be changed by administrators. For a use case where the property has to be changed, contact customer support. For more information see Disable JavaScript tags in embedded HTML [Updated in Security Center 1.3]. |
| glide.ui.escape_all_script | Forces all expressions within Jelly JavaScript <script type="text/javascript"> tags to be escaped by default. Enforces escaping only if the type attribute in the
<script> tag is empty, or if the value is text/javascript, text/ecmascript, application/javascript,
application/ecmascript, or application/x-javascript.
Nota: Instance Security Hardening Settings: Escape jelly script [Updated in Security Center 1.3 and 1.5] |
Attachment limits and behavior
| com.glide.attachment.max_size | Sets the maximum file attachment size in megabytes. |
| glide.attachment.role | Lists the roles (comma-separated) that can create attachments. |
| glide.attachment.extensions | Lists the file extensions (comma-separated) that can be attached to documents via the attachment dialog. Extensions should not include the dot (.). For example, xls, xlsx, doc, docx. Leave blank to allow all
extensions. Nota: Instance Security Hardening Settings: File and resources |
| glide.ui.attachment.force_download_all_mime_types | Forces download of all multipurpose internet mail extensions (MIME) type attachment files. Default value:
Nota: Instance Security Hardening Settings: Set Allowed MIME Child Types [New in Security Center 2.0] |
| glide.security.file.mime_type.validation | Enables (Yes) or disables (No) MIME type validation for file attachments. File extensions configured via glide.attachment.extensions are checked for MIME type during upload. Default value:
Nota: Instance Security Hardening Settings: Restrict uploaded MIME types [Updated in Security Center 1.3 and 2.0] |
Customer uploads
These properties affect customer uploads only. They do not affect attachments.
| glide.ui.strict_customer_uploaded_static_content | When you set this property to Yes, turns on the ability to restrict the types of files that can be downloaded, when they have been uploaded using the Upload File functionality of the ServiceNow AI Platform. Used with glide.ui.strict_customer_uploaded_content_types Nota: Instance Security Hardening Settings: Restrict downloadable files types in static content [Updated in Security Center 1.3] |
| glide.ui.strict_customer_uploaded_content_types | When this parameter includes a list of comma-delimited file types, of the files that were uploaded using the Upload File functionality of the ServiceNow AI Platform, only these file types can be downloaded from the instance. Nota: Instance Security Hardening Settings: Restrict downloadable files types in static content [Updated in Security Center 1.3] |
Security Manager and options
| glide.security.manager | Security Manager. |
| glide.sm.default_mode | Security manager default behavior in the absence of any ACLs on a table. |
| glide.security.strict.updates | Double-checks security on inbound transactions during form submission. Rights are always checked on form generation. Nota: This property is set to true by default, and can't be changed by administrators. For a use case where the property has to be changed, contact customer support. For more information see Double check inbound transactions [Updated in Security Center 1.3]. |
| glide.security.strict.actions | Checks conditions on UI actions before execution. Normally, conditions are checked only during form rendering. Nota: Instance Security Hardening Settings: Check UI action conditions before execution |
| glide.security.granular.create | Enforces the create rules on new records (as opposed to the write rules, which may include creating and updating). |
| glide.security.explain.write.locks | Displays an explanation on locked form elements. |
Cookies
| glide.ui.forgetme | Removes the Remember me check box from the login page when the instance is using either LDAP or DB logins. User's active logged in sessions are timed out after X minutes of inactivity, where X is the value of the glide.ui.session_timeout system property. Default value: Yes (New and Z-Booted instances Nota: Instance Security Hardening Settings: Remove remember me |
| glide.ui.secure_cookies | Enables secure session cookies to enforce additional cookie security. If Yes, strict session cookie validation is enforced. With version 3 cookies enabled, additional security requirements are also enforced. Nota: Instance Security Hardening Settings: Enforce strict security of session cookies [Updated in Security Center 1.3] |
| glide.secure_cookie.debug | Secure session cookie debugging. Select to enable extensive debug logging of secure session cookie operations. |
Security restrictions for execution of scripts originating from the client
| glide.script.use.sandbox | Run client-generated scripts (AJAXEvaluate and query conditions) inside a reduced-rights sandbox. If enabled, only those business rules and script includes with the Client callable check box selected are available, and certain back-end application programming interface (API) calls are disallowed. Nota: Instance Security Hardening Settings: Enable script sandbox [Updated in Security Center 1.3] |
| glide.script.allow.ajaxevaluate | Enables the AJAXEvaluate processor. Nota: Instance Security Hardening Settings: Disable AJAXEvaluate |
| glide.script.secure.ajaxgliderecord | Applies standard security access control lists (ACLs) to AJAXGlideRecord calls. Default Value: Yes, for new and upgraded instances. (If Yes, cannot be changed to No.) Nota: Instance Security Hardening Settings: Require AJAXGlideRecord ACL checking [Updated in Security Center 1.3] |
Miscellaneous
| com.glide.communications.trustmanager_trust_all | By default, the instance trusts a certificate's Certificate Authority (CA). Ensures that the instance accepts self-issued certificates. To validate a certificate's CA, set this property to No Instance Security Hardening Settings: Enforce certificate trust [Updated in Security Center 1.3, removed in 2.0, added in 7.0] |
| glide.outbound.sslv3.disabled | When active, forces outbound connections from an instance to use the transport layer security (TLS) instead of the secure sockets layer (SSL). Instance Security Hardening Settings: Disable outbound SSLv2/SSLv3 connections [Updated in Security Center 1.3] Importante: The value for this property is a safe override and cannot be altered once changed. |
Additional properties are available for High Security Settings.