Privacy on client-callable script includes (instance security hardening)
By default, client-callable script includes that do not explicitly set visibility are public. If needed, add the glide.script.ccsi.ispublic property to enable privacy control over all client-callable script includes accessed by public pages.
You can change the privacy setting for an individual client-callable script include by adding the isPublic() function.
- The isPublic() setting takes precedence over the glide.script.ccsi.ispublic property.
- For example, if you set isPublic() to true in an individual script, that script becomes public, overriding the glide.script.ccsi.ispublic property that makes all other client-callable script includes private.
More information
| Attribute | Description |
|---|---|
| Property name | glide.script.ccsi.ispublic |
| Configuration type | System Properties (/sys_properties_list.do) |
| Configure in Instance Security Center | Yes |
| Purpose | Making client-callable script includes private means that guests who access public pages can't access the client-callable script include. A non-logged-in user can't execute a private script. |
| Recommended value | false |
| Functional Impact | If the client-callable script includes are designated as public (that is, this property is missing), then unauthenticated users can execute client scripts. Adding the property restricts the execution of scripts by a non-logged-in user. |
| Security risk | (High) If you do not add this property, client-side script includes circumvent ACLs, which may result in unintended public functionality. If the client script provides confidential information, this could pose a security risk. |
| Workaround | Setting the glide.script.ccsi.ispublic property to false makes all client-callable script includes private. You can change the privacy setting for an individual client-callable script include by adding the isPublic() function. |
To learn more about adding or creating a system property, see Add a system property.
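
The following is an added example, not ServiceNow code: a small Node.js audit that applies the precedence described above to constructed Script Include records and reports which client-callable includes a guest could reach. The record fields, the sample scripts, and the regex heuristic for spotting isPublic() are assumptions of this example.

```javascript
// Constructed sample rows shaped like Script Include records; nothing here is real instance data.
const sampleIncludes = [
  { name: 'GuestCatalogAjax', client_callable: true,
    script: 'isPublic: function() { return true; },\ngetItems: function() { return "[]"; }' },
  { name: 'PayrollAjax', client_callable: true,
    script: 'isPublic: function() { return false; },\ngetSalary: function() { return "0"; }' },
  { name: 'HrLookupAjax', client_callable: true,
    script: 'getManager: function() { return "n/a"; }' },
  { name: 'ServerOnlyUtil', client_callable: false,
    script: 'helper: function() { return 1; }' },
];

// Heuristic: matches only the literal form "isPublic: function() { return true|false; }".
const IS_PUBLIC_LITERAL =
  /isPublic\s*:\s*function\s*\(\s*\)\s*\{\s*return\s+(true|false)\s*;?\s*\}/;

// Returns 'public', 'private', 'review' (isPublic present but not a literal), or null.
function explicitVisibility(script) {
  const m = IS_PUBLIC_LITERAL.exec(script);
  if (m) return m[1] === 'true' ? 'public' : 'private';
  return /\bisPublic\b/.test(script) ? 'review' : null;
}

// propertyValue: null when glide.script.ccsi.ispublic is absent, otherwise its string value.
function auditGuestExposure(includes, propertyValue) {
  // Page: property missing -> public, false -> private. Treating any other
  // value as public is an assumption of this example.
  const fallback = propertyValue === 'false' ? 'private' : 'public';
  return includes
    .filter((rec) => rec.client_callable)
    .map((rec) => {
      const explicit = explicitVisibility(rec.script);
      return {
        name: rec.name,
        visibility: explicit || fallback, // isPublic() takes precedence over the property
        decidedBy: explicit ? 'isPublic()' : 'property/default',
      };
    });
}

console.table(auditGuestExposure(sampleIncludes, 'false'));
```

Rows reported as review define isPublic() with logic the heuristic cannot evaluate and need a manual read.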