Virtual agent embedded client X-Frame-Options (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024

    Use the com.glide.cs.embed.xframe_options property to configure the X-Frame-Options header for the https://<your-instance>.service-now.com/sn_va_web_client_app_embed.do page only.

    The Virtual Agent Plugin enables embedding of a client in an external web page. For the client page to be embedded in that web page, the X-Frame-Options header must permit the iframe to be loaded in the parent frame.
    Note:
    Avoid using allow-from * as the X-Frame-Options header value because it would allow all domains to frame the page and leave the application potentially vulnerable to clickjacking.

    More information

    Attribute | Description
    Property name | com.glide.cs.embed.xframe_options
    Configuration type | System Properties (/sys_properties_list.do)
    Configure in Instance Security Center | No
    Purpose | To enable specification of the directive for the X-Frame-Options header for the embeddable Virtual Agent page.
    Recommended value | SAMEORIGIN
    Functional Impact | The Virtual Agent embeddable client can't be embedded in external sites unless the X-Frame-Options header is configured properly.
    Security risk (Medium) | If configured improperly (allowing all parent frames), it may leave the embeddable client page vulnerable to clickjacking.
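
To check the configured value against the guidance above, the following added example (not ServiceNow code) classifies the X-Frame-Options value or values returned for the embed page. The function name audit_xfo and the sample header values are assumptions constructed for illustration; in practice, feed it the header captured from a response for sn_va_web_client_app_embed.do.

```python
# Added example (not ServiceNow code). Header values in SAMPLES are constructed.

def audit_xfo(values):
    """Classify the X-Frame-Options value(s) seen on one HTTP response.

    `values` is a list because a response can repeat the header.
    Returns (verdict, reason) with verdict in {"ok", "review", "fail"}.
    """
    # Repeated headers are often merged with commas, so split on them too.
    tokens = {t.strip().lower() for v in values for t in v.split(",") if t.strip()}
    if not tokens:
        return ("fail", "header missing or empty: framing is not restricted")
    if len(tokens) > 1:
        return ("fail", "conflicting values: " + ", ".join(sorted(tokens)))
    value = tokens.pop()
    if value == "sameorigin":
        return ("ok", "matches the recommended value")
    if value == "deny":
        return ("ok", "framing blocked everywhere; the embedded client will not load")
    parts = value.split()
    if parts[0] == "allow-from":
        origin = parts[1] if len(parts) == 2 else ""
        if origin in ("", "*"):
            return ("fail", "allow-from without one specific origin: clickjacking risk")
        # ALLOW-FROM is obsolete in current browsers, so confirm it is honoured.
        return ("review", "check that %s is a trusted parent site" % origin)
    return ("fail", "unrecognised value: " + value)


# Constructed sample responses: name -> list of X-Frame-Options header values.
SAMPLES = {
    "recommended": ["SAMEORIGIN"],
    "wildcard": ["allow-from *"],
    "single parent": ["ALLOW-FROM https://portal.example.com"],
    "conflict": ["SAMEORIGIN", "DENY"],
    "missing": [],
}


def run_samples():
    """Return {sample name: verdict} for the constructed samples."""
    return {name: audit_xfo(values)[0] for name, values in SAMPLES.items()}


if __name__ == "__main__":
    for name, values in SAMPLES.items():
        print(name, "->", audit_xfo(values))
```
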
    References

    Embed the Virtual Agent web client in an external web page

    To learn more about adding or creating a system property, see Add a system property.