X-Frame-Options: SAMEORIGIN (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 1 minute to read
  • Use the glide.set_x_frame_options property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages.

    Use the X-Frame-Options HTTP response header to indicate whether a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this header to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. An attacker could embed your page into their own page and cause your page elements to perform malicious actions. The end user may think the page is legitimate because it resembles your page, and may click on elements as usual, only to have malicious scripts or elements run.

    More information

    Attribute | Description
    --- | ---
    Property name | glide.set_x_frame_options
    Configuration type | System Properties (/sys_properties_list.do)
    Configure in Instance Security Center | Yes
    Purpose | To mitigate against clickjacking attacks.
    Recommended value | true
    Functional impact | This remediation enforces the restriction on rendering a ServiceNow AI Platform application inside a third-party application as an iFrame. If you have such an integration, the application won't render in the customized third-party app.
    Security risk (Medium) | The Same Origin policy enables you to restrict a domain from retrieving a script or a resource from another domain. All modern browsers support this functionality. The policy validates the connection based on protocol, port, and host. CORS (Cross-Origin Resource Sharing) is a modification to the Same Origin Policy that enables access to resources/scripts from another domain when explicitly stated as part of a header value. In this case, the X-Frame-Options header controls whether the ServiceNow AI Platform application can be rendered on a third-party website. It reduces sensitive exposure, because when the property value is set to SAMEORIGIN, the rendering is not allowed.
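    The check below is an added example, not ServiceNow code: it models how a browser decides whether a response carrying the X-Frame-Options header may be rendered inside a frame on another origin, so you can verify the header an instance returns after enabling glide.set_x_frame_options. The sample responses and origins are constructed; a simplified model of the header is used (DENY blocks, SAMEORIGIN blocks cross-origin framing, anything else leaves the page framable), and CSP frame-ancestors, which overrides this header in browsers, is not modelled.

```python
"""Model browser handling of X-Frame-Options to audit a response."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(url):
    """Reduce a URL to the (scheme, host, port) tuple browsers compare."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def xfo_tokens(headers):
    """Return the comma-separated X-Frame-Options values, upper-cased.

    Header names are matched case-insensitively; a missing header yields [].
    """
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            return [t.strip().upper() for t in value.split(",") if t.strip()]
    return []


def framing_blocked(headers, page_url, framer_url):
    """True if a browser would refuse to render page_url framed by framer_url."""
    tokens = xfo_tokens(headers)
    if "DENY" in tokens:
        return True
    if "SAMEORIGIN" in tokens:
        return normalize_origin(page_url) != normalize_origin(framer_url)
    # Absent, misspelt, or legacy ALLOW-FROM values are ignored by
    # modern browsers, so the page stays embeddable (assumption of this model).
    return False


# Constructed sample responses: the hardened instance and a default one.
HARDENED = {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"}
UNHARDENED = {"Content-Type": "text/html"}
INSTANCE = "https://instance.example:443/nav_to.do"   # constructed instance URL
THIRD_PARTY = "https://portal.example/embed"          # constructed framer URL


def audit_samples():
    """Compare both sample responses when framed by a third-party origin."""
    return {
        "hardened": framing_blocked(HARDENED, INSTANCE, THIRD_PARTY),
        "unhardened": framing_blocked(UNHARDENED, INSTANCE, THIRD_PARTY),
    }
```

Run `audit_samples()` to see that only the hardened response refuses third-party framing, while same-origin framing of the hardened instance (for example a UI page inside the instance's own iFrame) is still permitted.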
    References

    Available system properties

    Configure iFrames

    To learn more about adding or creating a system property, see Add a system property.