Product documentation Docs
    • English
    • Deutsch
    • 日本語
    • 한국어
    • Français
  • More Sites
    • Now Community
    • Developer Site
    • Knowledge Base
    • Product Information
    • ServiceNow.com
    • Training
    • Customer Success Center
    • ServiceNow Support Videos
  • Log in

Product documentation

  • Home
How search works:
  • Punctuation and capital letters are ignored
  • Special characters like underscores (_) are removed
  • Known synonyms are applied
  • The most relevant topics (based on weighting and matching to search terms) are listed first in search results
Topics are ranked in search results by how closely they match your search terms
  • A match on the entire phrase you typed
  • A match on part of the phrase you typed
  • A match on ALL of the terms in the phrase you typed
  • A match on ANY of the terms in the phrase you typed

Note: Matches in titles are always highly ranked.

  • Release version
    Table of Contents
    • Now Platform administration
Table of Contents
Choose your release version
    Home Orlando Now Platform Administration Now Platform administration Platform security Instance Security Hardening Settings Security whitelisting X-Frame-Options: SAMEORIGIN

    X-Frame-Options: SAMEORIGIN

    • Save as PDF Selected topic Topic & subtopics All topics in contents
    • Unsubscribe Log in to subscribe to topics and get notified when content changes.
    • Share this page

    X-Frame-Options: SAMEORIGIN (instance security hardening)

    Use the glide.set_x_frame_options property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages.

    Use the X-Frame-Options HTTP response header to indicate whether browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this function to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

    More information

    Attribute Description
    Property name glide.set_x_frame_options
    Configuration type System Properties (/sys_properties_list.do)
    Configure in Instance Security Center Yes
    Purpose To mitigate against ClickJacking attacks.
    Recommended value true
    Functional impact (Low) This remediation enforces the restriction for rendering a Now Platform application in a third-party application in the form of an iFrame. If you have such an integration, the application wouldn't render in the customized third-party app.
    Security risk (Medium) The Same Origin policy enables you to restrict a domain from retrieving a script or a resource from another domains. All modern browsers support this functionality.
    The policy validates the connection based on protocol, port, and host. CORS (Cross Origin Request) is a modification to Same Origin Policy that enables access to resources/scripts from another domain when explicitly stated as a part of header value.
    • In this case, the X-Frame-Options header controls whether the Now Platform application can be rendered on the third-party website.
    • It reduces the sensitive exposure, because the property value, when set to SAMEORIGIN doesn't enable the rendering to happen.
    References

    Available system properties

    Configure iFrames

    https://community.servicenow.com/thread/170205

    https://community.servicenow.com/thread/177764

    To learn more about adding or creating a system property, see Add a system property.

    Tags:

    Feedback
    On this page

    Previous topic

    Next topic

    • Contact Us
    • Careers
    • Terms of Use
    • Privacy Statement
    • Sitemap
    • © ServiceNow. All rights reserved.

    Release version
    Choose your release version

      X-Frame-Options: SAMEORIGIN

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      X-Frame-Options: SAMEORIGIN (instance security hardening)

      Use the glide.set_x_frame_options property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages.

      Use the X-Frame-Options HTTP response header to indicate whether browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this function to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

      More information

      Attribute Description
      Property name glide.set_x_frame_options
      Configuration type System Properties (/sys_properties_list.do)
      Configure in Instance Security Center Yes
      Purpose To mitigate against ClickJacking attacks.
      Recommended value true
      Functional impact (Low) This remediation enforces the restriction for rendering a Now Platform application in a third-party application in the form of an iFrame. If you have such an integration, the application wouldn't render in the customized third-party app.
      Security risk (Medium) The Same Origin policy enables you to restrict a domain from retrieving a script or a resource from another domains. All modern browsers support this functionality.
      The policy validates the connection based on protocol, port, and host. CORS (Cross Origin Request) is a modification to Same Origin Policy that enables access to resources/scripts from another domain when explicitly stated as a part of header value.
      • In this case, the X-Frame-Options header controls whether the Now Platform application can be rendered on the third-party website.
      • It reduces the sensitive exposure, because the property value, when set to SAMEORIGIN doesn't enable the rendering to happen.
      References

      Available system properties

      Configure iFrames

      https://community.servicenow.com/thread/170205

      https://community.servicenow.com/thread/177764

      To learn more about adding or creating a system property, see Add a system property.

      Tags:

      Feedback

          Share this page

          Got it! Feel free to add a comment
          To share your product suggestions, visit the Idea Portal.
          Please let us know how to improve this content

          Check any that apply

          To share your product suggestions, visit the Idea Portal.
          Confirm

          We were unable to find "Coaching" in Jakarta. Would you like to search instead?

          No Yes
          • Contact Us
          • Careers
          • Terms of Use
          • Privacy Statement
          • Sitemap
          • © ServiceNow. All rights reserved.

          Subscribe Subscribed Unsubscribe Last updated: Tags: January February March April May June July August September October November December No Results Found Versions Search preferences successfully updated My release version successfully updated My release version successfully deleted An error has occurred. Please try again later. You have been unsubscribed from all topics. You are now subscribed to and will receive notifications if any changes are made to this page. You have been unsubscribed from this content Thank you for your feedback. Form temporarily unavailable. Please try again or contact  docfeedback@servicenow.com  to submit your comments. The topic you requested does not exist in the release. You were redirected to a related topic instead. The available release versions for this topic are listed There is no specific version for this documentation. Explore products Click to go to the page. Release notes and upgrades Click to open the dropdown menu. Delete Remove No selected version Reset This field is required You are already subscribed to this topic Attach screenshot The file you uploaded exceeds the allowed file size of 20MB. Please try again with a smaller file. Please complete the reCAPTCHA step to attach a screenshot
          Log in to personalize your search results and subscribe to topics
          No, thanks Login