High Security Settings

High Security Settings refer to several security options available in your instance. There are two ways to set or change High Security Settings properties:

- Navigate to System Security > High Security Settings. Options on the High Security Properties page are Yes or No.
- Navigate to sys_properties.list and search for the property you want to set or change. Options in the System Properties table [sys_properties.list] are true or false.

The module is activated with the High Security Settings plugin, which is active by default on new instances. If High Security Settings are not active on your instance, you can request activation.

Properties for these types of high security settings are available:

- Default property values: harden security on your platform by centralizing all critical security settings in one location for management and auditing.
- Default deny property: a security manager property that controls the default security behavior for table access.
- Security Administrator role: a role that prevents modification of key security settings and resources. The Security Administrator role is not inherited by the admin role and must be explicitly assigned.
- Elevated privileges: allow users with the security_admin role to operate in the context of a normal user and elevate to the higher security role only when needed.
- Property access controls: allow security administrators to set the roles required to read and write properties.
- Transaction and system logs: are read only.
- Access control rules: control what data users can access and how they can access it.

Note: High Security Settings also automatically activate the Contextual Security plugin, if it is not already active. In addition, Platform Security Settings - High delivers settings and features in the context of increasing the security of your instance.

Property access control

Two additional columns are created in the Properties [sys_properties] table when High Security Settings are active:

- read_roles: a comma-separated list of role names that are allowed to read all fields of this property.
- write_roles: a comma-separated list of role names that are allowed to write/modify all fields of this property.

Properties listed in the Properties table have read_roles of admin and write_roles of security_admin. Users with the admin role can view and read the property values, but must elevate to the security_admin role to modify them.

Notifications

Activation of High Security Settings also activates security warning messages. Figure 1 is an example of a message that appears after an approval.

Figure 1. Security Warning notification

High Security Settings properties

Table 1. High Security Settings properties (name, description, default)

glide.ui.escape_text
  Escape XML values at the parser level for the user interface. Prevents reflected and stored cross-site scripting attacks. This property is not applicable in Service Portal.
  Default: Yes

glide.ui.escape_all_script
  Forces all expressions within Jelly JavaScript <script type="text/javascript"> tags to be escaped by default. Escaping is enforced only if the type attribute of the <script> tag is empty or is one of text/javascript, text/ecmascript, application/javascript, application/ecmascript, or application/x-javascript.
  Default: Yes in new Istanbul instances

glide.ui.rotate_sessions
  Rotate HTTP session identifiers to reduce security vulnerabilities such as session fixation. See: http://www.owasp.org/index.php/Session_Management#Rotate_Session_Identifiers.
  Default: Yes
  If you are using the SAML 2.0 plugin for single sign-on authentication, set this property to No. Otherwise, it interferes with the session information sharing that takes place between the instance and the identity provider. Record that setting as a deliberate exception, because it removes a session-fixation mitigation.

glide.ui.secure_cookies
  Enable secure session cookies: enable additional cookie security. If selected, strict session cookie validation is enforced.
  Default: Yes

glide.security.password_reset.uri
  For mobile Password Reset, the URL that the user is taken to when the user taps the Forgot password? button.

glide.security.strict.updates
  Double-check security on inbound transactions during form submission, so that a submitted form cannot bypass the rights that were checked when the form was generated (rights are always checked on form generation).
  Default: Yes

glide.security.strict.actions
  Check conditions on UI actions before execution. Normally the conditions are only checked during form rendering.
  Default: Yes

glide.security.use_csrf_token
  Enable usage of a secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery attacks.
  Default: Yes

glide.ui.escape_html_list_field
  Escape HTML for HTML fields in a list view.
  Default: Yes

glide.html.escape_script
  Escape JavaScript tags in HTML fields.
  Default: Yes

glide.ui.forgetme
  Remove the Remember me check box from the login page.
  Default: Yes

glide.smtp.auth
  Authenticate with the SMTP server using the user name and password properties.
  Default: Yes

glide.script.use.sandbox
  Run client-generated scripts (AJAXEvaluate and query conditions) inside a reduced-rights sandbox. If enabled, only those business rules and script includes with the Client callable check box set to true are available, and certain back-end API calls are disallowed. For more information, see Script sandboxing.
  Default: Yes

glide.soap.strict_security
  Enforce strict security on incoming SOAP requests. If set to Yes, incoming SOAP requests must go through the security manager for table and field access, and SOAP users are checked for the correct roles for using the web service.
  Default: Yes

glide.basicauth.required.wsdl
  Require basic authentication for incoming WSDL requests.
  Default: Yes
  Note: If you choose not to require authentication for incoming WSDL requests, you must modify the access control (ACL) rules to allow guest users to access the WSDL content.

The following glide.basicauth.required.* properties each require basic authentication for the corresponding type of incoming request. Default for each: Yes.
- glide.basicauth.required.csv: CSV requests
- glide.basicauth.required.excel: Excel requests
- glide.basicauth.required.importprocessor: import requests
- glide.basicauth.required.pdf: PDF requests
- glide.basicauth.required.rss: RSS requests
- glide.basicauth.required.scriptedprocessor: script requests
- glide.basicauth.required.soap: SOAP requests
- glide.basicauth.required.unl: unload requests
- glide.basicauth.required.xml: XML requests
- glide.basicauth.required.xsd: XSD requests

glide.cms.catalog_uri_relative
  Enforce relative links from the uri parameter on /ess/catalog.do. If Yes, only relative URLs are permitted through the /ess/catalog.do page using the uri parameter. If No, all URLs are permitted, which may permit linking to external unauthorized content (an open redirect).
  Default: Yes

glide.set_x_frame_options
  Enable this property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages. The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this property to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. See https://developer.mozilla.org/en/the_x-frame-options_response_header.
  Default: Yes

glide.ui.attachment.download_mime_types
  A comma-separated list of attachment MIME types that do not render inline in the browser. Prevents cross-site scripting attacks through uploaded content. For example, text/html forces HTML files to be downloaded to the client as attachments rather than viewed inline in the browser.
  Default: text/html,image/svg,image/svg+xml

glide.security.groupby_acl_check
  When this property is enabled, ACL checks are performed for GroupBy operations for the group names based on the actual data from the groups.
  Default: Yes

glide.security.diag_txns_acl
  When set to Yes, only an admin user or a user from the allowed IP address can access stats.do, l, and replication.do.
  Default: No

glide.ui.security.allow_codetag
  Allow support for embedding HTML code using the [code] tag.
  Default: Yes

glide.ui.security.codetag.allow_script
  Allow embedded HTML (using [code] tags) to contain JavaScript tags.
  Default: No

glide.script.allow.ajaxevaluate
  Enable the AJAXEvaluate processor. The AJAXEvaluate API call lets the client send and execute arbitrary scripts on the server.
  Default: No

glide.login.autocomplete
  Allow browsers to use auto-complete on password fields on login forms.
  Default: No

The following properties are defined in the sys_properties table, but are not visible on the High Security Settings page.

glide.security.csrf_previous.allow
  Allow usage of an expired secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery attacks.
  Default: false

glide.security.csrf_previous.time_limit
  Time in seconds for a secure token to expire. Controls how long the previous CSRF token remains valid. When the user session expires, the secure token expires with it unless the glide.security.csrf_previous.allow property is enabled and the token is within the time frame set by this property. This token is used to prevent cross-site request forgery attacks.
  Default: 86400 seconds (1 day)

glide.security.csrf.strict.validation.mode
  Enforce strict validation on CSRF tokens so that users cannot resubmit a request if the CSRF token does not match.
  Default: false

glide.basicauth.required.schema
  Require basic authentication for inbound table schema requests.
  Default: true

Script sandboxing
  There are two cases within the system that allow the client to send scripts to the server for evaluation.

Request High Security Settings
  The High Security Settings plugin is active by default on all new instances.
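Because the same property is shown as Yes/No on the High Security Settings page but stored as true/false in sys_properties.list, and because every property row also carries read_roles and write_roles, a row export can be checked mechanically against Table 1. The following is an added example and not ServiceNow code: it audits rows shaped like the sys_properties columns named on this page against the hardened defaults, flags any property whose write_roles no longer require security_admin, and checks that text/html and image/svg+xml are still forced to download. The row objects and the two sample exports are constructed for the example; the HARDENED_BASELINE values are the defaults listed above.

```javascript
// Added example (not ServiceNow code): audit rows exported from
// sys_properties.list against the hardened defaults in Table 1.
// Row shape {name, value, read_roles, write_roles} mirrors the columns this
// page names; the sample exports below are constructed, not from an instance.

// Boolean High Security Settings and the value each should hold.
const HARDENED_BASELINE = {
  'glide.ui.escape_text': true,
  'glide.ui.escape_all_script': true,
  'glide.ui.rotate_sessions': true,            // false only as a SAML 2.0 SSO exception
  'glide.ui.secure_cookies': true,
  'glide.security.strict.updates': true,
  'glide.security.strict.actions': true,
  'glide.security.use_csrf_token': true,
  'glide.ui.escape_html_list_field': true,
  'glide.html.escape_script': true,
  'glide.ui.forgetme': true,
  'glide.smtp.auth': true,
  'glide.script.use.sandbox': true,
  'glide.soap.strict_security': true,
  'glide.cms.catalog_uri_relative': true,
  'glide.set_x_frame_options': true,
  'glide.security.groupby_acl_check': true,
  'glide.ui.security.allow_codetag': true,
  'glide.ui.security.codetag.allow_script': false,
  'glide.script.allow.ajaxevaluate': false,
  'glide.login.autocomplete': false,
  'glide.security.csrf_previous.allow': false,
  'glide.security.csrf.strict.validation.mode': false,
};
for (const t of ['wsdl', 'csv', 'excel', 'importprocessor', 'pdf', 'rss',
                 'scriptedprocessor', 'soap', 'unl', 'xml', 'xsd', 'schema']) {
  HARDENED_BASELINE['glide.basicauth.required.' + t] = true;
}
// MIME types that must be forced to download: both can carry script and would
// run in the instance's origin if rendered inline.
const MUST_DOWNLOAD = ['text/html', 'image/svg+xml'];

// sys_properties stores true/false, the UI shows Yes/No, and exports contain
// both. Anything else is reported as unparseable rather than guessed.
function toBool(v) {
  const s = String(v).trim().toLowerCase();
  if (s === 'true' || s === 'yes') return true;
  if (s === 'false' || s === 'no') return false;
  return null;
}
const splitList = s => String(s || '').split(',').map(x => x.trim()).filter(Boolean);

function auditHighSecurity(rows) {
  const byName = new Map(rows.map(r => [r.name, r]));
  const findings = [];
  for (const [name, expected] of Object.entries(HARDENED_BASELINE)) {
    const row = byName.get(name);
    if (!row) { findings.push({ name, issue: 'missing' }); continue; }
    const actual = toBool(row.value);
    if (actual === null) findings.push({ name, issue: 'unparseable', value: row.value });
    else if (actual !== expected) findings.push({ name, issue: 'weakened', expected, actual });
    // Property access control: changing a security property must require
    // elevation to security_admin, as the page describes.
    if (!splitList(row.write_roles).includes('security_admin')) {
      findings.push({ name, issue: 'write_roles not restricted to security_admin',
                      write_roles: row.write_roles });
    }
  }
  const mime = byName.get('glide.ui.attachment.download_mime_types');
  const forced = mime ? splitList(mime.value).map(m => m.toLowerCase()) : [];
  for (const m of MUST_DOWNLOAD) {
    if (!forced.includes(m)) {
      findings.push({ name: 'glide.ui.attachment.download_mime_types', issue: 'renders inline', mime: m });
    }
  }
  return findings;
}

// Constructed export of a fully hardened instance.
function hardenedExport() {
  const rows = Object.entries(HARDENED_BASELINE).map(([name, v]) =>
    ({ name, value: String(v), read_roles: 'admin', write_roles: 'security_admin' }));
  rows.push({ name: 'glide.ui.attachment.download_mime_types',
              value: 'text/html,image/svg,image/svg+xml',
              read_roles: 'admin', write_roles: 'security_admin' });
  return rows;
}
// Constructed export with four deliberate weaknesses.
function weakenedExport() {
  const rows = hardenedExport();
  const set = (name, patch) => Object.assign(rows.find(r => r.name === name), patch);
  set('glide.ui.rotate_sessions', { value: 'false' });             // SAML exception, or drift?
  set('glide.script.allow.ajaxevaluate', { value: 'Yes' });        // UI-style value, and wrong
  set('glide.security.use_csrf_token', { write_roles: 'admin' });  // no elevation needed to disable CSRF
  set('glide.ui.attachment.download_mime_types', { value: 'text/html,image/svg' });
  return rows;
}

console.log(auditHighSecurity(weakenedExport()));
```

The audit treats a missing property as a finding because an absent row means the instance default applies and the value has not been reviewed; a rotate_sessions finding on a SAML instance is expected and should be closed with a reference to that exception rather than silenced in the baseline.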
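The four CSRF properties above interact: use_csrf_token turns the check on, csrf_previous.allow and csrf_previous.time_limit open a window in which a superseded token is still accepted, and csrf.strict.validation.mode removes the option to resubmit after a mismatch. The following is an added illustrative model of that decision, not ServiceNow's implementation. The field names on request and session (token, previousToken, previousTokenIssuedAt, expired), the outcome strings, and the sample session are assumptions made for this example; the property defaults are the ones listed on this page.

```javascript
// Added example (not ServiceNow's implementation): a model of how the four CSRF
// properties decide the fate of a request whose token no longer matches the
// session. Field names on request/session and the outcome strings are assumed.

// Defaults as listed on this page, in sys_properties form.
const DEFAULT_CSRF_PROPS = {
  'glide.security.use_csrf_token': true,
  'glide.security.csrf_previous.allow': false,
  'glide.security.csrf_previous.time_limit': 86400,
  'glide.security.csrf.strict.validation.mode': false,
};

// Compare tokens without stopping at the first differing character.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Outcomes:
//   'accept'                 current token of a live session
//   'accept_previous'        superseded token inside the csrf_previous window
//   'reject'                 request dropped
//   'reject_allow_resubmit'  non-strict mode: the request is not executed but the
//                            user may resubmit, which strict validation mode turns off
function validateCsrfToken(request, session, props, nowSeconds) {
  if (!props['glide.security.use_csrf_token']) return 'accept'; // protection switched off entirely
  if (!request.token) return 'reject';
  // An expired session takes its current token with it, so only the
  // previous-token window (if enabled) can still match.
  if (!session.expired && constantTimeEqual(request.token, session.token)) return 'accept';
  if (props['glide.security.csrf_previous.allow'] &&
      constantTimeEqual(request.token, session.previousToken)) {
    const age = nowSeconds - session.previousTokenIssuedAt; // assumed: when the previous token was issued
    if (age >= 0 && age <= props['glide.security.csrf_previous.time_limit']) return 'accept_previous';
  }
  return props['glide.security.csrf.strict.validation.mode'] ? 'reject' : 'reject_allow_resubmit';
}

// Constructed session: 'T2' is current; 'T1' was issued at t=1000 and superseded.
const SAMPLE_SESSION = { token: 'T2', previousToken: 'T1', previousTokenIssuedAt: 1000, expired: false };
```

With the defaults, any mismatch ends in reject_allow_resubmit; enabling csrf_previous.allow accepts the superseded token for up to time_limit seconds, and strict validation mode converts the remaining mismatches into hard rejects. The previous-token window is checked before the strict-mode decision because the two properties are independent on this page.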