
General security settings properties


Security settings provide several properties to control the level of security on your instance.

There are two ways to set or change general security settings properties.
  • Navigate to System Properties > Security.

    Options on the Security page are Yes or No.

  • Navigate to sys_properties.list and search for the property you want to set or change.

    Options in the System Properties table [sys_properties.list] are true or false.

Warning: When implementing any of these security features, you must thoroughly test the features before you deploy them in a production instance.

Escaping and embedded script support

glide.ui.security.allow_codetag
Supports embedding HTML code using the [code] tag.
  • Default value: Yes
glide.ui.security.codetag.allow_script
Allows embedded HTML (using [code] tags) to contain JavaScript tags.
glide.ui.escape_all_script
Forces all expressions within Jelly JavaScript <script type="text/javascript"> tags to be escaped by default. Enforces escaping only if the type attribute in the <script> tag is empty, or if the value is text/javascript, text/ecmascript, application/javascript, application/ecmascript, or application/x-javascript.
  • Default value:
    • New/zbooted instances: Yes
    • Upgraded instances: No

Attachment limits and behavior

com.glide.attachment.max_size
Sets the maximum file attachment size in megabytes.
glide.attachment.role
Lists the roles (comma-separated) that can create attachments.
glide.attachment.extensions
Lists the file extensions (comma-separated) that can be attached to documents via the attachment dialog. Extensions should not include the dot (.). For example, xls, xlsx, doc, docx. Leave blank to allow all extensions.
glide.ui.attachment.force_download_all_mime_types
Forces download of attachment files of all Multipurpose Internet Mail Extensions (MIME) types.
  • Default value:
    • New/zbooted instances: Yes
    • Upgraded instances: No
glide.security.file.mime_type.validation
Enables (Yes) or disables (No) MIME type validation for file attachments. File extensions configured via glide.attachment.extensions are checked for MIME type during upload.
  • Default value:
    • New/zbooted instances: Yes
    • Upgraded instances: No

Customer uploads

These properties affect customer uploads only. They do not affect attachments.

glide.ui.strict_customer_uploaded_static_content
When set to Yes, enables restricting which types of files can be downloaded after they have been uploaded using the Upload File functionality of the Now Platform. Used with glide.ui.strict_customer_uploaded_content_types.
glide.ui.strict_customer_uploaded_content_types
When this property contains a comma-delimited list of file types, only files of those types can be downloaded from the instance. Applies to files that were uploaded using the Upload File functionality of the Now Platform.

Security Manager and options

glide.security.manager
Security Manager.
glide.sm.default_mode
Security manager default behavior in the absence of any ACLs on a table.
glide.security.strict.updates
Double-checks security on inbound transactions during form submission. Rights are always checked on form generation.
glide.security.strict.actions
Checks conditions on UI actions before execution. Normally, conditions are checked only during form rendering.
glide.security.granular.create
Enforces create (as opposed to write) rules on new records.
glide.security.explain.write.locks
Displays an explanation on locked form elements.

Cookies

glide.ui.forgetme
Removes the Remember me check box from the login page when the instance is using either LDAP or DB logins. Users' active logged-in sessions are timed out after X minutes of inactivity, where X is the value of the glide.ui.session_timeout system property.
  • Default value:
    • New/zbooted instances: Yes
glide.ui.secure_cookies
Enables secure session cookies to enforce additional cookie security. If Yes, strict session cookie validation is enforced. With version 3 cookies enabled, additional security requirements are also enforced.
glide.secure_cookie.debug
Secure session cookie debugging. Select to enable extensive debug logging of secure session cookie operations.

Security restrictions for execution of scripts originating from the client

glide.script.use.sandbox
Run client-generated scripts (AJAXEvaluate and query conditions) inside a reduced-rights sandbox. If enabled, only those business rules and script includes with the Client callable check box selected are available, and certain back-end application programming interface (API) calls are disallowed.
glide.script.allow.ajaxevaluate
Enables the AJAXEvaluate processor.
glide.script.secure.ajaxgliderecord
Applies standard security access control lists (ACLs) to AJAXGlideRecord calls.
  • Default value: Yes for new and upgraded instances. If Yes, cannot be changed to No.

Miscellaneous

com.glide.communications.trustmanager_trust_all
Ensures that the instance accepts self-issued certificates. By default, the instance trusts a certificate's Certificate Authority (CA). To validate a certificate's CA, set this system property to No.
glide.outbound.sslv3.disabled
When active, forces outbound connections from an instance to use Transport Layer Security (TLS) instead of Secure Sockets Layer (SSL).

Additional properties are available for High Security Settings.
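
Several properties on this page default to Yes on new/zbooted instances but No on upgraded instances, and the same setting appears as Yes/No on the Security page and true/false in sys_properties. The following is an added example, not ServiceNow code: it audits an exported list of property rows against the defaults stated above. The row shape ({ name, value }), the function names, and the sample rows are assumptions constructed for illustration.

```javascript
// Added example: baseline built only from defaults stated on this page
// (the "New/zbooted instances" values, plus the secure.ajaxgliderecord default).
const BASELINE = {
  'glide.ui.escape_all_script': true,
  'glide.ui.attachment.force_download_all_mime_types': true,
  'glide.security.file.mime_type.validation': true,
  'glide.ui.forgetme': true,
  'glide.script.secure.ajaxgliderecord': true,
};

// The Security page shows Yes/No; the sys_properties table stores true/false.
function toBool(value) {
  const v = String(value).trim().toLowerCase();
  if (v === 'yes' || v === 'true') return true;
  if (v === 'no' || v === 'false') return false;
  return null; // empty or unrecognised value
}

// rows: [{ name, value }] as exported from sys_properties (shape is an assumption).
function auditProperties(rows) {
  const seen = new Map(rows.map((r) => [r.name, r.value]));
  const findings = [];
  for (const [name, expected] of Object.entries(BASELINE)) {
    if (!seen.has(name)) {
      findings.push({ name, status: 'missing', expected });
      continue;
    }
    const actual = toBool(seen.get(name));
    if (actual === null) {
      findings.push({ name, status: 'unparseable', expected, raw: seen.get(name) });
    } else if (actual !== expected) {
      findings.push({ name, status: 'differs', expected, actual });
    }
  }
  return findings;
}

// Constructed sample resembling an export from an upgraded instance.
const SAMPLE_ROWS = [
  { name: 'glide.ui.escape_all_script', value: 'false' },
  { name: 'glide.ui.attachment.force_download_all_mime_types', value: 'No' },
  { name: 'glide.security.file.mime_type.validation', value: 'true' },
  { name: 'glide.script.secure.ajaxgliderecord', value: 'Yes' },
  { name: 'glide.ui.secure_cookies', value: 'true' }, // not in baseline, ignored
];

console.log(auditProperties(SAMPLE_ROWS));
```

A "missing" finding only means the row was absent from the export; confirm the effective value on the instance before changing anything, and test changes before deploying them in production.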
