HTTP Response Headers

  • Release version: Zurich
  • Updated July 31, 2025

    A response header is a simple name-value pair used in an HTTP response to provide additional information about page content or how the client should process it.

    You can configure HTTP response headers for all, or specific types of pages, which include Service Portal, UI Page, or UX applications. The ability to configure and pass response headers enables special handling of the page content by a client, most typically a browser.

    To learn more about what an HTTP header is, and about configuring the name-value pair for specific HTTP response headers, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers.

    When configuring response headers, you must check the definition of the HTTP header to determine how the client will handle the page content.
    • For example, you configure an HTTP header for a specific page, or for all pages, with the value Content-Security-Policy: frame-ancestors 'self' https://www.servicenow.com.
    • When you open the page in a browser such as Chrome, you can review the header in the Response Headers section of Chrome Developer Tools.

      Figure: HTTP header with Content-Security-Policy: frame-ancestors 'self'

    To learn more about how browsers handle a page with frame-ancestors, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors.

    Warning:
    When using URLs with custom name-value pairs, proceed with caution, because doing so carries a potential security risk. The signed security amendment to the ServiceNow AI Platform contract implies certain security guarantees, and you may unintentionally override them when you use custom name-value pairs in the resulting URLs.

    • If you want to disable HTTP response header configuration entirely, set the glide.http.headers_config.enabled property to false.
    • Once you set it to false, the ServiceNow AI Platform does not use any of the header configurations you defined in the sys_response_header table.

    Special handling of the Content-Security-Policy: frame-ancestors header

    Normally, the ServiceNow AI Platform automatically includes the X-Frame-Options: SAMEORIGIN header.
    • This header is sent to all types of browsers, controlled by the glide.set_x_frame_options global property, which is enabled by default.
    • When you configure a page with a Content-Security-Policy: frame-ancestors 'self' URL1 URL2 header, the ServiceNow AI Platform does not automatically include the X-Frame-Options: SAMEORIGIN header. Omitting it avoids conflicting instructions to the browser, because Content-Security-Policy: frame-ancestors 'self' already has a similar effect.

    Special handling of the Content-Security-Policy: frame-ancestors header for Internet Explorer

    Using the Content-Security-Policy: frame-ancestors 'self' URL1 URL2 header enables you to configure multiple URL sources that may embed the page in an iFrame rendered from a third-party site. However, Internet Explorer does not support this header.
    • Instead, Internet Explorer only supports the X-Frame-Options: ALLOW-FROM URL (ALLOW-FROM) directive, and it is restricted to a single host URL.
    • If you configure the frame-ancestors 'self' URL1 URL2 header and Internet Explorer is in use, the ServiceNow AI Platform automatically sends the X-Frame-Options: ALLOW-FROM URL (ALLOW-FROM) header instead.
    If the Internet Explorer request includes the referrer URL header:
    • The platform attempts to match it with the host URLs (full URLs, or wildcard URLs of the form http://*.example.com only) configured in the Content-Security-Policy: frame-ancestors 'self' URL1 URL2 header.
    • If there is a match, it includes the matched URL as X-Frame-Options: ALLOW-FROM URL1.
    • If there is no referrer header, it uses the first non-wildcard host URL configured in the Content-Security-Policy: frame-ancestors 'self' URL1 URL2 header.
    Note:
    When configuring URLs, do not include a forward slash at the end of the URL.
    • This is an example of an incorrect configuration that may not work properly with this special handling:
      • Name: Content-Security-Policy
      • Value: frame-ancestors 'self' https://microsoft.com/
    • Use this correct syntax instead:
      • Name: Content-Security-Policy
      • Value: frame-ancestors 'self' https://microsoft.com
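    The following is an added example, not ServiceNow platform code: it models the header handling described in the two sections above (dropping SAMEORIGIN when frame-ancestors is configured, and the Internet Explorer ALLOW-FROM translation with referrer matching and non-wildcard fallback) and flags the trailing-slash mistake from the note, so a planned sys_response_header configuration can be checked offline. All function names are hypothetical, and detecting Internet Explorer by "Trident"/"MSIE" in the User-Agent is an assumption.

```javascript
// Added example (not ServiceNow code): model of the frame-ancestors / X-Frame-Options
// handling this page describes. Hypothetical helper names; IE detection is an assumption.

// Source list of a frame-ancestors directive, or null if the CSP value has none.
function parseFrameAncestors(cspValue) {
  const d = cspValue.split(";").map(s => s.trim()).find(s => /^frame-ancestors\b/.test(s));
  return d ? d.split(/\s+/).slice(1) : null;
}

// Sources ending in "/" are the incorrect form the note above warns about.
function trailingSlashSources(sources) {
  return sources.filter(s => s.endsWith("/"));
}

// Host part of a source such as https://*.example.com (scheme and path ignored).
function hostOf(source) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/]+)/i.exec(source);
  return m ? m[1].toLowerCase() : null;
}

// ALLOW-FROM value for Internet Explorer: the source whose host matches the referrer
// (full host, or *.example.com wildcard for subdomains), else the first non-wildcard source.
function allowFromFor(sources, referer) {
  const urls = sources.filter(s => s !== "'self'");
  const refHost = referer ? hostOf(referer) : null;
  if (refHost) {
    const hit = urls.find(u => {
      const h = hostOf(u);
      if (!h) return false;
      return h.startsWith("*.") ? refHost.endsWith(h.slice(1)) : h === refHost;
    });
    if (hit) return hit;
  }
  return urls.find(u => !(hostOf(u) || "").startsWith("*.")) || null;
}

// Headers the client receives, given configured {name, value} rows and the request context.
// Assumes glide.set_x_frame_options is enabled (the default).
function effectiveHeaders(configured, { userAgent = "", referer = null } = {}) {
  const out = {};
  let sources = null, cspKey = null;
  for (const { name, value } of configured) {
    if (name.toLowerCase() === "content-security-policy") { sources = parseFrameAncestors(value); cspKey = name; }
    out[name] = value;
  }
  if (!sources) { out["X-Frame-Options"] = "SAMEORIGIN"; return out; }   // platform default
  if (/Trident|MSIE/.test(userAgent)) {                                   // IE: ALLOW-FROM instead
    const allow = allowFromFor(sources, referer);
    if (allow) { delete out[cspKey]; out["X-Frame-Options"] = "ALLOW-FROM " + allow; }
  }
  return out;
}
```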