High Security Settings properties

High Security Settings provides several properties to control the level of security on your instance.

Table 1. High Security Settings properties
Name Description
glide.ui.escape_text Escape XML values at the parser level for the user interface. This prevents reflected and stored cross-site scripting attacks.

Default: Yes

glide.ui.escape_all_script Forces all expressions within Jelly <script> tags to be escaped by default.

Default: No

glide.ui.rotate_sessions Rotate HTTP session identifiers to reduce security vulnerabilities. See: http://www.owasp.org/index.php/Session_Management#Rotate_Session_Identifiers.

Default: Yes

If you are using the SAML 2.0 plugin for Single Sign-on authentication, set this feature to false. Otherwise, it interferes with the session information sharing that takes place between the instance and the Identity Provider.

glide.ui.secure_cookies Enable secure session cookies, which adds additional cookie security. If selected, strict session cookie validation is enforced.

Default: Yes

glide.security.strict.updates Double check security on inbound transactions during form submission (rights are always checked on form generation).

Default: Yes

glide.security.strict.actions Check conditions on UI actions before execution; normally the conditions are only checked during form rendering.

Default: Yes

glide.security.use_csrf_token Enable usage of a secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery (CSRF) attacks.

Default: Yes

glide.ui.escape_html_list_field Escape HTML for HTML fields in a list view.

Default: Yes

glide.html.escape_script Escape JavaScript tags in HTML fields.

Default: Yes

glide.ui.forgetme Remove the Remember me check box from the login page.

Default: Yes

glide.smtp.auth Authenticate with the SMTP server by the user name and password properties.

Default: Yes

glide.script.use.sandbox Run client generated scripts (AJAXEvaluate and query conditions) inside of a reduced rights "sandbox". If enabled, only those business rules and script includes with the Client callable checkbox set to true are available and certain back-end API calls are disallowed.

Default: Yes

glide.soap.strict_security Enforce strict security on incoming SOAP requests. When enabled, incoming SOAP requests must go through the security manager for table and field access, and SOAP users are checked for the roles required to use the web service.

Default: Yes

glide.basicauth.required.wsdl Require authorization for incoming WSDL requests.

Default: Yes

Note: If you choose not to require authorization for incoming WSDL requests, you will need to modify the Access Control (ACL) rules to allow guest users to access the WSDL content.

glide.basicauth.required.csv Require basic authorization for incoming CSV requests.

Default: Yes

glide.basicauth.required.excel Require basic authorization for incoming Excel requests.

Default: Yes

glide.basicauth.required.importprocessor Require basic authorization for incoming import requests.

Default: Yes

glide.basicauth.required.pdf Require basic authorization for incoming PDF requests.

Default: Yes

glide.basicauth.required.rss Require basic authorization for incoming RSS requests.

Default: Yes

glide.basicauth.required.scriptedprocessor Require basic authorization for incoming script requests.

Default: Yes

glide.basicauth.required.soap Require basic authorization for incoming SOAP requests.

Default: Yes

glide.basicauth.required.unl Require basic authorization for incoming unload requests.

Default: Yes

glide.basicauth.required.xml Require basic authorization for incoming XML requests.

Default: Yes

glide.basicauth.required.xsd Require basic authorization for incoming XSD requests.

Default: Yes

glide.cms.catalog_uri_relative Enforce relative links from the URI parameter on /ess/catalog.do. If checked, then only relative URLs are permitted through the /ess/catalog.do page using the parameter 'uri'. If unchecked, all URLs are permitted, which may permit linking to external unauthorized content.

Default: Yes

glide.set_x_frame_options Enable this property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. https://developer.mozilla.org/en/the_x-frame-options_response_header

Default: Yes

glide.ui.attachment.download_mime_types A comma-separated list of attachment MIME types that are not rendered inline in the browser. This prevents cross-site scripting attacks. For example, text/html forces HTML files to be downloaded to the client as attachments rather than viewed inline in the browser.

Default:

glide.security.groupby_acl_check When this property is enabled, GroupBy operations perform ACL checks on the "group" names using the actual data of the grouped records.

Default: Yes

glide.security.diag_txns_acl If set to true, only an admin user or a user from an allowed IP address can access stats.do, threads.do, and replication.do.

Default: Yes

glide.ui.security.allow_codetag Allow support for embedding HTML code by using the [code] tag.

Default: Yes

glide.ui.security.codetag.allow_script Allow embedded HTML (using [code] tags) to contain JavaScript tags.

Default: No

glide.script.allow.ajaxevaluate Enable the AJAXEvaluate processor.

Default: No

glide.login.autocomplete Allow browsers to use auto-complete on password fields on login forms.

Default: No

The following properties are defined in the sys_properties table, but are not visible on the High Security Settings page.

glide.security.csrf_previous.allow Allow usage of an expired secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery attacks.

Default: No

glide.security.csrf_previous.time_limit Time in seconds before a previous secure token expires. It controls how long the previous CSRF token remains valid. When the user session expires, the secure token expires with it, unless reuse of expired tokens is allowed (glide.security.csrf_previous.allow) and the request falls within the time frame set by this property. This token is used to prevent cross-site request forgery attacks.

Default: 86400 (seconds, that is, 1 day)

glide.security.csrf.strict.validation.mode This property enforces strict validation on CSRF tokens so that users cannot resubmit a request if the CSRF token does not match.

Default: false

glide.basicauth.required.schema Require basic authentication for inbound table schema requests.

Default: true