Home Paris Now Platform Administration Now Platform administration Platform security High Security Settings

High Security Settings

High Security Settings refer to several security options available in your instance.

The High Security Settings module is activated with the High Security Settings plugin, which is active by default on new instances. If High Security Settings are not active on your instance, see Requesting High Security Settings activation. To learn more about this plugin, see High security plugin (instance security hardening) in Instance Security Hardening Settings. Properties for these types of high security settings are available:

Default property values: To harden security on your platform by centralizing all critical security settings to one location for management and auditing.
Default deny property: Provides a security manager property to control the default security behavior for table access.
Security Administrator role: Provides a role to prevent modification of key security settings and resources. The Security Administrator role is not inherited by the admin role and must be explicitly assigned.
Elevated privileges: Allows users with the security admin role to operate in the context of a normal user and elevate to higher security role when needed.
Property access controls: Allows security administrators to set the roles required to read and write properties.
Transaction and system logs: Are read only.
Access control rules: Control what data users can access and how they can access it.

Note: High Security Settings also automatically activates the Contextual Security plugin, if it is not already active. In addition, Platform Security Settings - High delivers settings and features in the context of increasing the security of your instance.

Note:

Note: The Instance Security Hardening Settings content contains detailed descriptions, and compliance values, for the security-related system properties and plugins in the Now Platform. To learn more about each of these properties, see Instance Security Hardening Settings.

To learn more about each of these properties, see Instance Security Hardening Settings.

There are two ways to set or change High Security Settings properties.

Navigate to System Security > High Security Settings.
Options on the High Security Properties page are Yes or No.
Navigate to the sys_properties.list and search for the property you want to set or change.
Options in the System Properties table [sys_properties.list] are true or false.

Property access control

Two additional columns are created in the Properties [sys_properties] table when High Security Settings are active:

read_roles: A comma-separated list of role names that are allowed to read all fields of this property.
write_roles: A comma-separated list of role names that are allowed to write/modify all fields of this property.

Properties listed in the Properties table have read_roles of admin, and write_roles of security_admin. Users with the admin role can view and read the property values, but must elevate to the security_admin role to modify them.

Notifications

Activation of high security settings also activates security warning messages. The following is an example of a message that appears after an approval.

High Security Settings properties

glide.ui.escape_text

Escape XML values at the parser level for the user interface. Prevents reflected and stored cross-site scripting attacks. This property is not applicable in Service Portal.

Default value: Yes
Instance Security Hardening Settings: Escape XML (instance security hardening)

glide.ui.escape_all_script

Forces all expressions within Jelly JavaScript

<script
              type="text/javascript">

tags to be escaped by default. Enforces escaping only if the type attribute in the <script> tag is empty, or if the value is text/javascript, text/ecmascript, application/javascript, application/ecmascript, or application/x-javascript.

Default value: Yes in new instances
Instance Security Hardening Settings: Escape Jelly (instance security hardening)

glide.ui.rotate_sessions

Rotate HTTP session identifiers to reduce security vulnerabilities. See: http://www.owasp.org/index.php/Session_Management#Rotate_Session_Identifiers.

Default value: Yes
If you are using the SAML 2.0 plugin for Single Sign-on authentication, set this property to No. Otherwise, it interferes with the session information sharing that takes place between the instance and the Identity Provider.
Instance Security Hardening Settings: Rotate HTTP session identifiers (instance security hardening)

glide.ui.secure_cookies

Enable secure session cookies: Enable additional cookie security. If Yes, strict session cookie validation is enforced.

Default value: Yes
Instance Security Hardening Settings: Secure session cookies (instance security hardening)

glide.security.password_reset.uri

For mobile Password Reset, URL that the user is taken to when the user clicks the Forgot password? button.

glide.security.strict.updates

Double-check security on inbound transactions during form submission (rights are always checked on form generation).

Default value: Yes
Instance Security Hardening Settings: Double check inbound transactions (instance security hardening)

glide.security.strict.actions

Check conditions on UI actions before execution. Normally conditions are checked only during form rendering.

Default value: Yes
Instance Security Hardening Settings: Check UI action conditions before execution (instance security hardening)

glide.security.use_csrf_token

Enable usage of a secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery attacks.

Default value: Yes
Instance Security Hardening Settings: Anti-CSRF token (instance security hardening)

glide.ui.escape_html_list_field

Escape HTML for HTML fields in a list view.

Default value: Yes
Instance Security Hardening Settings: Escape HTML (instance security hardening)

glide.html.escape_script

Escape JavaScript tags in HTML fields.

Default value: Yes
Instance Security Hardening Settings: Escape JavaScript (instance security hardening)

glide.ui.forgetme

Remove the Remember me check box from the login page.

Default value: Yes
Instance Security Hardening Settings: Remove remember me (instance security hardening)

glide.smtp.auth

Authenticate with the SMTP server by the user name and password properties.

Default value: Yes
Instance Security Hardening Settings: SMTP authentication (deprecated)

Note: This property is deprecated.

glide.script.use.sandbox

Run client-generated scripts (AJAXEvaluate and query conditions) inside a reduced-rights sandbox. If Yes, only those business rules and script includes with the Client callable check box set to Yes are available, and certain back-end API calls are disallowed. For more information, see Script sandbox property.

Default value: Yes
Instance Security Hardening Settings: Client generated scripts sandbox (instance security hardening)

glide.soap.strict_security

Enforce strict security on incoming SOAP requests. Requires incoming SOAP requests to go through the security manager for table and field access and checks SOAP users for the correct roles for using the web service.

Default value: Yes
Instance Security Hardening Settings: SOAP request strict security (instance security hardening)

glide.basicauth.required.wsdl

Require authorization for incoming WSDL requests.

Default value: Yes
Instance Security Hardening Settings: WSDL request authorization (instance security hardening)

Note: If you choose not to require authorization for incoming WSDL requests, you must modify the Access Control (ACL) rules to allow guest users to access the WSDL content.

glide.basicauth.required.csv

Require basic authorization for incoming CSV requests.

Default value: Yes
Instance Security Hardening Settings: CSV request authorization (instance security hardening)

glide.basicauth.required.excel

Require basic authorization for incoming Excel requests.

Default value: Yes
Instance Security Hardening Settings: Excel request authorization (instance security hardening)

glide.basicauth.required.importprocessor

Require basic authorization for incoming import requests.

Default value: Yes
Instance Security Hardening Settings: Import request authorization (instance security hardening)

glide.basicauth.required.pdf

Require basic authorization for incoming PDF requests.

Default value: Yes
Instance Security Hardening Settings: PDF request authorization (instance security hardening)

glide.basicauth.required.rss

Require basic authorization for incoming RSS requests.

Default value: Yes
Instance Security Hardening Settings: RSS request authorization (instance security hardening)

glide.basicauth.required.scriptedprocessor

Require basic authorization for incoming script requests.

Default value: Yes
Instance Security Hardening Settings: Script request authorization (instance security hardening)

glide.basicauth.required.soap

Require basic authorization for incoming SOAP requests.

Default value: Yes
Instance Security Hardening Settings: Basic auth: SOAP requests (instance security hardening)

glide.basicauth.required.unl

Require basic authorization for incoming unload requests.

Default value: Yes
Instance Security Hardening Settings: Unload request authorization (instance security hardening)

glide.basicauth.required.xml

Require basic authorization for incoming XML requests.

Default value: Yes
Instance Security Hardening Settings: XML request authorization (instance security hardening)

glide.basicauth.required.xsd

Require basic authorization for incoming XSD requests.

Default value: Yes
Instance Security Hardening Settings: XSD request authorization (instance security hardening)

glide.cms.catalog_uri_relative

Enforce relative links from the URI parameter on /ess/catalog.do. If Yes, only relative URLs are permitted through the /ess/catalog.do page using the uri parameter. If No, all URLs are permitted, which may permit linking to external unauthorized content.

Default value: Yes
Instance Security Hardening Settings: Enforce relative links (instance security hardening)

glide.set_x_frame_options

Enable this property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages. The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this property to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. https://developer.mozilla.org/en/the_x-frame-options_response_header

Default value: Yes
Instance Security Hardening Settings: X-Frame-Options: SAMEORIGIN (instance security hardening)

glide.ui.attachment.download_mime_types

A list of comma-separated attachment mime types that do not render inline in the browser. Prevents cross-site scripting attacks. For example, text/html forces HTML files to be downloaded to the client as attachments rather than viewed inline in the browser.

Default value: text/html,image/svg,image/svg+xml
Instance Security Hardening Settings: Force Download MIME types (instance security hardening)

glide.security.groupby_acl_check

When this property is enabled, ACL checks for GroupBy operations are performed for the group names based on the actual data from the groups.

Default value: Yes

glide.security.diag_txns_acl

If Yes, only the admin user or user from allowed IP address can access stats.do, threads.do, and replication.do.

Default value: No
Instance Security Hardening Settings: Performance monitoring (ACL) (instance security hardening)

glide.ui.security.codetag.allow_script

Allow embedded HTML (using [code] tags) to contain JavaScript tags.

Default value: Yes
Instance Security Hardening Settings: Allow embedded HTML code (instance security hardening)

glide.script.allow.ajaxevaluate

Enable the AJAXEvaluate processor. The AJAXEvaluate API call allows the client to send and execute arbitrary scripts on the server.

Default value: No
Instance Security Hardening Settings: Enable AJAXEvaluate (instance security hardening)

glide.login.autocomplete

Allow browsers to use auto-complete on password fields on login forms.

Default value: No
Instance Security Hardening Settings: Password field auto-complete (instance security hardening)

The following properties are defined in the sys_properties table, but are not visible on the High Security Settings page.

com.glide.communications.httpclient.verify_hostname

Verify the hostname and certificate chain presented by remote SSL hosts. Protect against Man-In-The-Middle (MITM) attacks.

Default value: true
Learn more: Set up Kubernetes spoke

Note: This property overrides the com.glide.communications.trustmanager_trust_all property.

glide.basicauth.required.schema

Require basic authentication for inbound table schema requests.

Default value: true

glide.security.csrf_previous.allow

Allow usage of an expired secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery attacks.

Default value: false

glide.security.csrf_previous.time_limit

Time in seconds for a secure token to expire. Allows control over the length of time that the previous CSRF token is valid. When the user session expires, the secure token expires with it unless the glide.security.csrf_previous.allow property is enabled and it is within the timeframe described by this property. This token is used to prevent cross-site request forgery attacks.

Default value: 86400 seconds or 1 day

glide.security.csrf.strict.validation.mode

Enforces strict validation on CSRF tokens so that users cannot resubmit a request if the CSRF token does not match.

Default value: false
Instance Security Hardening Settings: CSRF strict validation (instance security hardening)

Previous topic

Next topic

Release version

High Security Settings

High Security Settings refer to several security options available in your instance.

Default property values: To harden security on your platform by centralizing all critical security settings to one location for management and auditing.
Default deny property: Provides a security manager property to control the default security behavior for table access.
Security Administrator role: Provides a role to prevent modification of key security settings and resources. The Security Administrator role is not inherited by the admin role and must be explicitly assigned.
Elevated privileges: Allows users with the security admin role to operate in the context of a normal user and elevate to higher security role when needed.
Property access controls: Allows security administrators to set the roles required to read and write properties.
Transaction and system logs: Are read only.
Access control rules: Control what data users can access and how they can access it.

Note:

To learn more about each of these properties, see Instance Security Hardening Settings.

There are two ways to set or change High Security Settings properties.

Navigate to System Security > High Security Settings.
Options on the High Security Properties page are Yes or No.
Navigate to the sys_properties.list and search for the property you want to set or change.
Options in the System Properties table [sys_properties.list] are true or false.

Property access control

Two additional columns are created in the Properties [sys_properties] table when High Security Settings are active:

read_roles: A comma-separated list of role names that are allowed to read all fields of this property.
write_roles: A comma-separated list of role names that are allowed to write/modify all fields of this property.

Notifications

Activation of high security settings also activates security warning messages. The following is an example of a message that appears after an approval.

High Security Settings properties

glide.ui.escape_text

Escape XML values at the parser level for the user interface. Prevents reflected and stored cross-site scripting attacks. This property is not applicable in Service Portal.

Default value: Yes
Instance Security Hardening Settings: Escape XML (instance security hardening)

glide.ui.escape_all_script

Forces all expressions within Jelly JavaScript

<script
              type="text/javascript">

Default value: Yes in new instances
Instance Security Hardening Settings: Escape Jelly (instance security hardening)

glide.ui.rotate_sessions

Rotate HTTP session identifiers to reduce security vulnerabilities. See: http://www.owasp.org/index.php/Session_Management#Rotate_Session_Identifiers.

Default value: Yes
If you are using the SAML 2.0 plugin for Single Sign-on authentication, set this property to No. Otherwise, it interferes with the session information sharing that takes place between the instance and the Identity Provider.
Instance Security Hardening Settings: Rotate HTTP session identifiers (instance security hardening)

glide.ui.secure_cookies

Enable secure session cookies: Enable additional cookie security. If Yes, strict session cookie validation is enforced.

Default value: Yes
Instance Security Hardening Settings: Secure session cookies (instance security hardening)

glide.security.password_reset.uri

For mobile Password Reset, URL that the user is taken to when the user clicks the Forgot password? button.

glide.security.strict.updates

Double-check security on inbound transactions during form submission (rights are always checked on form generation).

Default value: Yes
Instance Security Hardening Settings: Double check inbound transactions (instance security hardening)

glide.security.strict.actions

Check conditions on UI actions before execution. Normally conditions are checked only during form rendering.

Default value: Yes
Instance Security Hardening Settings: Check UI action conditions before execution (instance security hardening)

glide.security.use_csrf_token

Enable usage of a secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery attacks.

Default value: Yes
Instance Security Hardening Settings: Anti-CSRF token (instance security hardening)

glide.ui.escape_html_list_field

Escape HTML for HTML fields in a list view.

Default value: Yes
Instance Security Hardening Settings: Escape HTML (instance security hardening)

glide.html.escape_script

Escape JavaScript tags in HTML fields.

Default value: Yes
Instance Security Hardening Settings: Escape JavaScript (instance security hardening)

glide.ui.forgetme

Remove the Remember me check box from the login page.

Default value: Yes
Instance Security Hardening Settings: Remove remember me (instance security hardening)

glide.smtp.auth

Authenticate with the SMTP server by the user name and password properties.

Default value: Yes
Instance Security Hardening Settings: SMTP authentication (deprecated)

Note: This property is deprecated.

glide.script.use.sandbox

Default value: Yes
Instance Security Hardening Settings: Client generated scripts sandbox (instance security hardening)

glide.soap.strict_security

Default value: Yes
Instance Security Hardening Settings: SOAP request strict security (instance security hardening)

glide.basicauth.required.wsdl

Require authorization for incoming WSDL requests.

Default value: Yes
Instance Security Hardening Settings: WSDL request authorization (instance security hardening)

Note: If you choose not to require authorization for incoming WSDL requests, you must modify the Access Control (ACL) rules to allow guest users to access the WSDL content.

glide.basicauth.required.csv

Require basic authorization for incoming CSV requests.

Default value: Yes
Instance Security Hardening Settings: CSV request authorization (instance security hardening)

glide.basicauth.required.excel

Require basic authorization for incoming Excel requests.

Default value: Yes
Instance Security Hardening Settings: Excel request authorization (instance security hardening)

glide.basicauth.required.importprocessor

Require basic authorization for incoming import requests.

Default value: Yes
Instance Security Hardening Settings: Import request authorization (instance security hardening)

glide.basicauth.required.pdf

Require basic authorization for incoming PDF requests.

Default value: Yes
Instance Security Hardening Settings: PDF request authorization (instance security hardening)

glide.basicauth.required.rss

Require basic authorization for incoming RSS requests.

Default value: Yes
Instance Security Hardening Settings: RSS request authorization (instance security hardening)

glide.basicauth.required.scriptedprocessor

Require basic authorization for incoming script requests.

Default value: Yes
Instance Security Hardening Settings: Script request authorization (instance security hardening)

glide.basicauth.required.soap

Require basic authorization for incoming SOAP requests.

Default value: Yes
Instance Security Hardening Settings: Basic auth: SOAP requests (instance security hardening)

glide.basicauth.required.unl

Require basic authorization for incoming unload requests.

Default value: Yes
Instance Security Hardening Settings: Unload request authorization (instance security hardening)

glide.basicauth.required.xml

Require basic authorization for incoming XML requests.

Default value: Yes
Instance Security Hardening Settings: XML request authorization (instance security hardening)

glide.basicauth.required.xsd

Require basic authorization for incoming XSD requests.

Default value: Yes
Instance Security Hardening Settings: XSD request authorization (instance security hardening)

glide.cms.catalog_uri_relative

Default value: Yes
Instance Security Hardening Settings: Enforce relative links (instance security hardening)

glide.set_x_frame_options

Default value: Yes
Instance Security Hardening Settings: X-Frame-Options: SAMEORIGIN (instance security hardening)

glide.ui.attachment.download_mime_types

Default value: text/html,image/svg,image/svg+xml
Instance Security Hardening Settings: Force Download MIME types (instance security hardening)

glide.security.groupby_acl_check

When this property is enabled, ACL checks for GroupBy operations are performed for the group names based on the actual data from the groups.

Default value: Yes

glide.security.diag_txns_acl

If Yes, only the admin user or user from allowed IP address can access stats.do, threads.do, and replication.do.

Default value: No
Instance Security Hardening Settings: Performance monitoring (ACL) (instance security hardening)

glide.ui.security.codetag.allow_script

Allow embedded HTML (using [code] tags) to contain JavaScript tags.

Default value: Yes
Instance Security Hardening Settings: Allow embedded HTML code (instance security hardening)

glide.script.allow.ajaxevaluate

Enable the AJAXEvaluate processor. The AJAXEvaluate API call allows the client to send and execute arbitrary scripts on the server.

Default value: No
Instance Security Hardening Settings: Enable AJAXEvaluate (instance security hardening)

glide.login.autocomplete

Allow browsers to use auto-complete on password fields on login forms.

Default value: No
Instance Security Hardening Settings: Password field auto-complete (instance security hardening)

The following properties are defined in the sys_properties table, but are not visible on the High Security Settings page.

com.glide.communications.httpclient.verify_hostname

Verify the hostname and certificate chain presented by remote SSL hosts. Protect against Man-In-The-Middle (MITM) attacks.

Default value: true
Learn more: Set up Kubernetes spoke

Note: This property overrides the com.glide.communications.trustmanager_trust_all property.

glide.basicauth.required.schema

Require basic authentication for inbound table schema requests.

Default value: true

glide.security.csrf_previous.allow

Allow usage of an expired secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery attacks.

Default value: false

glide.security.csrf_previous.time_limit

Default value: 86400 seconds or 1 day

glide.security.csrf.strict.validation.mode

Enforces strict validation on CSRF tokens so that users cannot resubmit a request if the CSRF token does not match.

Default value: false
Instance Security Hardening Settings: CSRF strict validation (instance security hardening)

How search works:

Topics are ranked in search results by how closely they match your search terms

High Security Settings

High Security Settings

Property access control

Notifications

High Security Settings properties

On this page

High Security Settings

High Security Settings

Property access control

Notifications

High Security Settings properties

Log in to personalize your search results and subscribe to topics