Property name: glide.set_x_frame_options

Configuration type: System Properties (/sys_properties_list.do)

Configure in Instance Security Center: Yes

Purpose: To mitigate clickjacking attacks.

Recommended value: true

Functional impact: (Low) This remediation blocks a Now Platform application from being rendered inside an iFrame on a third-party site. If you have such an integration, the application will no longer render in the customized third-party app.

Security risk: (Medium) The Same Origin policy lets a site restrict a document from retrieving scripts or resources from another domain, and all modern browsers support it. The policy compares origins by protocol, port, and host. CORS (Cross-Origin Resource Sharing) relaxes the Same Origin policy by allowing access to resources or scripts from another domain when the server explicitly permits it in a response header value.
- In this case, the X-Frame-Options header controls whether the Now Platform application can be rendered on a third-party website.
- It reduces sensitive data exposure: when the header value is SAMEORIGIN, the browser does not render the page inside a frame on another origin.

References:
- Available system properties
- Configure iFrames
- https://community.servicenow.com/thread/170205
- https://community.servicenow.com/thread/177764
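Enabling the property is only half the job: an administrator also wants to confirm that the header actually reaches the browser, since a reverse proxy or CDN in front of the instance can strip or override it. The check below is an added example, not ServiceNow code; it evaluates a captured set of response headers (constructed here) and reports the framing policy a browser would enforce. The function names (framing_policy, is_clickjacking_protected) are the example's own; the header names and values are the standard X-Frame-Options and Content-Security-Policy frame-ancestors semantics, where CSP takes precedence over X-Frame-Options when both are present.

```python
"""Classify the framing policy a browser would apply to an HTTP response.

Added illustrative check (not ServiceNow's code). Given the response headers
a client received, report whether the page can be framed by another origin,
so you can verify that glide.set_x_frame_options takes effect end to end.
"""
from typing import List, Mapping, Optional


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers: Mapping[str, str]) -> str:
    """Return 'deny', 'same-origin', 'restricted' or 'unrestricted'.

    Browsers that support CSP give frame-ancestors precedence over
    X-Frame-Options, so the CSP directive is evaluated first. Only a single
    X-Frame-Options value is handled; multi-valued headers are not modelled.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # An empty source list matches nothing, the same as 'none'.
            if not sources or sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "same-origin"
            return "restricted"  # explicit allow-list of framing origins

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return "unrestricted"  # nothing stops a third-party page from framing us
    value = xfo.upper()
    if value == "DENY":
        return "deny"
    if value == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers, so a page that
    # relies on it is effectively frameable; any other value is invalid and
    # likewise ignored.
    return "unrestricted"


def is_clickjacking_protected(headers: Mapping[str, str]) -> bool:
    """True when the response forbids framing by arbitrary third-party origins."""
    return framing_policy(headers) in ("deny", "same-origin", "restricted")


# Constructed sample header sets standing in for captured responses.
SAMPLES = {
    "property_enabled": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "property_disabled": {"Content-Type": "text/html"},
    "csp_wins": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "obsolete_allow_from": {"x-frame-options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        status = "protected" if is_clickjacking_protected(hdrs) else "FRAMEABLE"
        print(f"{name:22s} {framing_policy(hdrs):13s} {status}")
```

In practice you would pass in the headers of a real response to the instance (for example `requests.get(url).headers`, or the output of `curl -I`), ideally fetched through the same path your users take, so that any proxy between the instance and the browser is included in the check. A result of `unrestricted` with the property set to true points at something downstream removing the header.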