X-Frame-Options: SAMEORIGIN (instance security hardening)

Use the glide.set_x_frame_options property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages.

Use the X-Frame-Options HTTP response header to indicate whether browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this function to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

More information


Attribute	Description
Property name	glide.set_x_frame_options
Configuration type	System Properties (/sys_properties_list.do)
Configure in Instance Security Center	Yes
Purpose	To mitigate against ClickJacking attacks.
Recommended value	true
Functional impact	(Low) This remediation enforces the restriction for rendering a Now Platform application in a third-party application in the form of an iFrame. If you have such an integration, the application wouldn't render in the customized third-party app.
Security risk	(Medium) The Same Origin policy enables you to restrict a domain from retrieving a script or a resource from another domains. All modern browsers support this functionality. The policy validates the connection based on protocol, port, and host. CORS (Cross Origin Request) is a modification to Same Origin Policy that enables access to resources/scripts from another domain when explicitly stated as a part of header value. In this case, the X-Frame-Options header controls whether the Now Platform application can be rendered on the third-party website. It reduces the sensitive exposure, because the property value, when set to SAMEORIGIN doesn't enable the rendering to happen.
References	Available system properties Configure iFrames https://community.servicenow.com/thread/170205 https://community.servicenow.com/thread/177764

To learn more about adding or creating a system property, see Add a system property.

X-Frame-Options: SAMEORIGIN (instance security hardening)

Use the glide.set_x_frame_options property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages.

More information


Attribute	Description
Property name	glide.set_x_frame_options
Configuration type	System Properties (/sys_properties_list.do)
Configure in Instance Security Center	Yes
Purpose	To mitigate against ClickJacking attacks.
Recommended value	true
Functional impact	(Low) This remediation enforces the restriction for rendering a Now Platform application in a third-party application in the form of an iFrame. If you have such an integration, the application wouldn't render in the customized third-party app.
Security risk	(Medium) The Same Origin policy enables you to restrict a domain from retrieving a script or a resource from another domains. All modern browsers support this functionality. The policy validates the connection based on protocol, port, and host. CORS (Cross Origin Request) is a modification to Same Origin Policy that enables access to resources/scripts from another domain when explicitly stated as a part of header value. In this case, the X-Frame-Options header controls whether the Now Platform application can be rendered on the third-party website. It reduces the sensitive exposure, because the property value, when set to SAMEORIGIN doesn't enable the rendering to happen.
References	Available system properties Configure iFrames https://community.servicenow.com/thread/170205 https://community.servicenow.com/thread/177764

To learn more about adding or creating a system property, see Add a system property.

How search works:

Topics are ranked in search results by how closely they match your search terms

X-Frame-Options: SAMEORIGIN

X-Frame-Options: SAMEORIGIN (instance security hardening)

More information

On this page

X-Frame-Options: SAMEORIGIN

X-Frame-Options: SAMEORIGIN (instance security hardening)

More information

Log in to personalize your search results and subscribe to topics