High Security Settings refer to several security options
available in your instance.
The High Security Settings module is activated with the High Security Settings plugin, which is
active by default on new instances. If High Security Settings are not active on your instance,
see Requesting High Security Settings activation . To learn more about this plugin, see
High security plugin (instance security hardening) in the Instance Security Hardening
Guide. Properties for these types of high security settings are available:
Default property values: To harden security on your platform by centralizing all critical
security settings to one location for management and auditing.
Default deny property: Provides a security manager property to control the default security
behavior for table access.
Security Administrator role: Provides a role to prevent modification of key security settings
and resources. The Security Administrator role is not inherited by the admin role and must be
explicitly assigned.
Elevated privileges: Allows users with the security admin role to operate in the context of a
normal user and elevate to higher security role when needed.
Property access controls: Allows security administrators to set the roles required to read
and write properties.
Transaction and system logs: Are read only.
Access control rules: Control what data users can access and how they can access it.
Note: High Security Settings also automatically activates the Contextual Security plugin, if it
is not already active. In addition, Platform Security Settings - High delivers settings and
features in the context of increasing the security of your instance.
Note:
Note: The Instance Security Hardening Settings
content contains detailed descriptions, and compliance values, for the
security-related system properties and plugins in the Now Platform . To learn more about each of these properties, see
Instance Security Hardening Settings .
To learn more about each of these properties, see
Instance Security Hardening Settings .
There are two ways to set or change High Security Settings properties.
Property access control
Two additional columns are created in the Properties [sys_properties] table when High Security
Settings are active:
read_roles : A comma-separated list of role names that are allowed to
read all fields of this property.write_roles : A comma-separated list of role names that are allowed to
write/modify all fields of this property.
Properties listed in the Properties table have read_roles of admin, and
write_roles of security_admin. Users with the admin role can view
and read the property values, but must elevate to the security_admin role to modify
them.
Notifications
Activation of high security settings also activates security warning messages. The following
is an example of a message that appears after an approval.
Figure 1. Security Warning notification
High Security Settings properties
glide.ui.escape_text
Escape XML values at the parser level for the user interface. Prevents reflected and
stored cross-site scripting attacks. This property is not applicable in Service
Portal.
glide.ui.escape_all_script
Forces all expressions within Jelly JavaScript <script
type="text/javascript"> tags to be escaped by default. Enforces escaping only
if the type attribute in the <script> tag is empty, or if the value
is text/javascript, text/ecmascript,
application/javascript, application/ecmascript, or
application/x-javascript.
glide.ui.rotate_sessions
Rotate HTTP session identifiers to reduce security vulnerabilities. See: http://www.owasp.org/index.php/Session_Management#Rotate_Session_Identifiers .
Default value: YesIf you are using the SAML 2.0 plugin for Single Sign-on
authentication, set this property to No. Otherwise, it interferes with the session
information sharing that takes place between the instance and the Identity
Provider.
Instance Security Hardening Settings: Rotate HTTP session identifiers (instance security hardening)
glide.ui.secure_cookies
Enable secure session cookies: Enable additional cookie security. If
Yes , strict session cookie validation is enforced.
glide.security.password_reset.uri
For mobile Password Reset , URL
that the user is taken to when the user clicks the Forgot
password? button.
glide.security.strict.updates
Double-check security on inbound transactions during form submission (rights are
always checked on form generation).
glide.security.strict.actions
Check conditions on UI actions before execution. Normally conditions are checked only
during form rendering.
glide.security.use_csrf_token
Enable usage of a secure token to identify and validate incoming requests. This token
is used to prevent cross-site request forgery attacks.
glide.ui.escape_html_list_field
Escape HTML for HTML fields in a list view.
glide.html.escape_script
Escape JavaScript tags in HTML fields.
glide.ui.forgetme
Remove the Remember me check box from the login page.
glide.smtp.auth
Authenticate with the SMTP server by the user name and password properties.Note: This property is deprecated.
glide.script.use.sandbox
Run client-generated scripts (AJAXEvaluate and query conditions) inside a
reduced-rights sandbox. If Yes , only those business rules and
script includes with the Client callable check box set to
Yes are available, and certain back-end API calls are
disallowed. For more information, see Script sandbox property .
glide.soap.strict_security
Enforce strict security on incoming SOAP requests. Requires incoming SOAP requests to
go through the security manager for table and field access and checks SOAP users for the
correct roles for using the web service.
glide.basicauth.required.wsdl
Require authorization for incoming WSDL requests. Note: If you choose not to require authorization for incoming WSDL requests, you
must modify the Access Control (ACL) rules to allow guest users to access the WSDL
content.
glide.basicauth.required.csv
Require basic authorization for incoming CSV requests.
glide.basicauth.required.excel
Require basic authorization for incoming Excel requests.
glide.basicauth.required.importprocessor
Require basic authorization for incoming import requests.
glide.basicauth.required.pdf
Require basic authorization for incoming PDF requests.
glide.basicauth.required.rss
Require basic authorization for incoming RSS requests.
glide.basicauth.required.scriptedprocessor
Require basic authorization for incoming script requests.
glide.basicauth.required.soap
Require basic authorization for incoming SOAP requests.
glide.basicauth.required.unl
Require basic authorization for incoming unload requests.
glide.basicauth.required.xml
Require basic authorization for incoming XML requests.
glide.basicauth.required.xsd
Require basic authorization for incoming XSD requests.
glide.cms.catalog_uri_relative
Enforce relative links from the URI parameter on /ess/catalog.do. If
Yes , only relative URLs are permitted through the
/ess/catalog.do page using the uri parameter. If
No , all URLs are permitted, which may permit linking to
external unauthorized content.
glide.set_x_frame_options
Enable this property to set the X-Frame-Options response header to SAMEORIGIN for all
UI pages. The X-Frame-Options HTTP response header can be used to indicate whether a
browser should be allowed to render a page in a <frame> or <iframe>. Sites can use
this property to avoid clickjacking attacks by ensuring that their content is not
embedded into other sites. https://developer.mozilla.org/en/the_x-frame-options_response_header
glide.ui.attachment.download_mime_types
A list of comma-separated attachment mime types that do not render inline in the
browser. Prevents cross-site scripting attacks. For example,
text/html forces HTML files to be downloaded to the client as
attachments rather than viewed inline in the browser.
glide.security.groupby_acl_check
When this property is enabled, ACL checks for GroupBy operations are performed for the
group names based on the actual data from the groups.
glide.security.diag_txns_acl
If Yes , only the admin user or user from allowed IP address can
access stats.do , threads.do , and
replication.do .
glide.ui.security.codetag.allow_script
Allow embedded HTML (using [code] tags) to contain JavaScript tags.
glide.script.allow.ajaxevaluate
Enable the AJAXEvaluate processor. The AJAXEvaluate API call allows
the client to send and execute arbitrary scripts on the server.
glide.login.autocomplete
Allow browsers to use auto-complete on password fields on login forms.
The following properties are defined in the sys_properties table, but are not visible on
the High Security Settings page.
com.glide.communications.httpclient.verify_hostname
Verify the hostname and certificate chain presented by remote SSL hosts. Protect
against Man-In-The-Middle (MITM) attacks.Note: This property overrides the com.glide.communications.trustmanager_trust_all
property.
glide.basicauth.required.schema
Require basic authentication for inbound table schema requests.
glide.security.csrf_previous.allow
Allow usage of an expired secure token to identify and validate incoming requests.
This token is used to prevent cross-site request forgery attacks.
glide.security.csrf_previous.time_limit
Time in seconds for a secure token to expire. Allows control over the length of time
that the previous CSRF token is valid. When the user session expires, the secure token
expires with it unless the glide.security.csrf_previous.allow
property is enabled and it is within the timeframe described by this property. This
token is used to prevent cross-site request forgery attacks.
Default value: 86400 seconds or 1 day
glide.security.csrf.strict.validation.mode
Enforces strict validation on CSRF tokens so that users cannot resubmit a request if
the CSRF token does not match.
