    High Security Settings


    High Security Settings refer to several security options available in your instance.

    The High Security Settings module is activated with the High Security Settings plugin, which is active by default on new instances. If High Security Settings are not active on your instance, see Requesting High Security Settings activation. To learn more about this plugin, see High security plugin (instance security hardening) in Instance Security Hardening Settings. Properties for these types of high security settings are available:

    • Default property values: Harden security on your platform by centralizing all critical security settings in one location for management and auditing.
    • Default deny property: Provides a security manager property to control the default security behavior for table access.
    • Security Administrator role: Provides a role to prevent modification of key security settings and resources. The Security Administrator role is not inherited by the admin role and must be explicitly assigned.
    • Elevated privileges: Allows users with the security admin role to operate in the context of a normal user and elevate to a higher security role when needed.
    • Property access controls: Allows security administrators to set the roles required to read and write properties.
    • Transaction and system logs: Are read-only.
    • Access control rules: Control what data users can access and how they can access it.
    Note: High Security Settings also automatically activates the Contextual Security plugin, if it is not already active. In addition, Platform Security Settings - High delivers settings and features in the context of increasing the security of your instance.
    Note: The Instance Security Hardening Settings content contains detailed descriptions, and compliance values, for the security-related system properties and plugins in the Now Platform. To learn more about each of these properties, see Instance Security Hardening Settings.
    There are two ways to set or change High Security Settings properties.
    • Navigate to System Security > High Security Settings.

      Options on the High Security Properties page are Yes or No.

    • Navigate to the sys_properties.list and search for the property you want to set or change.

      Options in the System Properties table [sys_properties.list] are true or false.

    Property access control

    Two additional columns are created in the Properties [sys_properties] table when High Security Settings are active:

    • read_roles: A comma-separated list of role names that are allowed to read all fields of this property.
    • write_roles: A comma-separated list of role names that are allowed to write/modify all fields of this property.

    Properties listed in the Properties table have read_roles of admin, and write_roles of security_admin. Users with the admin role can view and read the property values, but must elevate to the security_admin role to modify them.

    Notifications

    Activation of high security settings also activates security warning messages. The following is an example of a message that appears after an approval.

    Figure 1. Security Warning notification

    High Security Settings properties

    glide.ui.escape_text
    Escape XML values at the parser level for the user interface. Prevents reflected and stored cross-site scripting attacks. This property is not applicable in Service Portal.
    • Default value: Yes
    • Instance Security Hardening Settings: Escape XML (instance security hardening)
    glide.ui.escape_all_script
    Forces all expressions within Jelly JavaScript <script type="text/javascript"> tags to be escaped by default. Enforces escaping only if the type attribute in the <script> tag is empty, or if the value is text/javascript, text/ecmascript, application/javascript, application/ecmascript, or application/x-javascript.
    • Default value: Yes in new instances
    • Instance Security Hardening Settings: Escape Jelly (instance security hardening)
    glide.ui.rotate_sessions
    Rotate HTTP session identifiers to reduce security vulnerabilities. See: http://www.owasp.org/index.php/Session_Management#Rotate_Session_Identifiers.
    • Default value: Yes

      If you are using the SAML 2.0 plugin for Single Sign-on authentication, set this property to No. Otherwise, it interferes with the session information sharing that takes place between the instance and the Identity Provider.

    • Instance Security Hardening Settings: Rotate HTTP session identifiers (instance security hardening)
    glide.ui.secure_cookies
    Enable secure session cookies: Enable additional cookie security. If Yes, strict session cookie validation is enforced.
    • Default value: Yes
    • Instance Security Hardening Settings: Secure session cookies (instance security hardening)
    glide.security.password_reset.uri
    For mobile Password Reset, URL that the user is taken to when the user clicks the Forgot password? button.
    glide.security.strict.updates
    Double-check security on inbound transactions during form submission (rights are always checked on form generation).
    • Default value: Yes
    • Instance Security Hardening Settings: Double check inbound transactions (instance security hardening)
    glide.security.strict.actions
    Check conditions on UI actions before execution. Normally conditions are checked only during form rendering.
    • Default value: Yes
    • Instance Security Hardening Settings: Check UI action conditions before execution (instance security hardening)
    glide.security.use_csrf_token
    Enable usage of a secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery attacks.
    • Default value: Yes
    • Instance Security Hardening Settings: Anti-CSRF token (instance security hardening)
    glide.ui.escape_html_list_field
    Escape HTML for HTML fields in a list view.
    • Default value: Yes
    • Instance Security Hardening Settings: Escape HTML (instance security hardening)
    glide.html.escape_script
    Escape JavaScript tags in HTML fields.
    • Default value: Yes
    • Instance Security Hardening Settings: Escape JavaScript (instance security hardening)
    glide.ui.forgetme
    Remove the Remember me check box from the login page.
    • Default value: Yes
    • Instance Security Hardening Settings: Remove remember me (instance security hardening)
    glide.smtp.auth
    Authenticate with the SMTP server by the user name and password properties.
    • Default value: Yes
    • Instance Security Hardening Settings: SMTP authentication (deprecated)
    Note: This property is deprecated.
    glide.script.use.sandbox
    Run client-generated scripts (AJAXEvaluate and query conditions) inside a reduced-rights sandbox. If Yes, only those business rules and script includes with the Client callable check box set to Yes are available, and certain back-end API calls are disallowed. For more information, see Script sandbox property.
    • Default value: Yes
    • Instance Security Hardening Settings: Client generated scripts sandbox (instance security hardening)
    glide.soap.strict_security
    Enforce strict security on incoming SOAP requests. Requires incoming SOAP requests to go through the security manager for table and field access and checks SOAP users for the correct roles for using the web service.
    • Default value: Yes
    • Instance Security Hardening Settings: SOAP request strict security (instance security hardening)
    glide.basicauth.required.wsdl
    Require authorization for incoming WSDL requests.
    • Default value: Yes
    • Instance Security Hardening Settings: WSDL request authorization (instance security hardening)
    Note: If you choose not to require authorization for incoming WSDL requests, you must modify the Access Control (ACL) rules to allow guest users to access the WSDL content.
    glide.basicauth.required.csv
    Require basic authorization for incoming CSV requests.
    • Default value: Yes
    • Instance Security Hardening Settings: CSV request authorization (instance security hardening)
    glide.basicauth.required.excel
    Require basic authorization for incoming Excel requests.
    • Default value: Yes
    • Instance Security Hardening Settings: Excel request authorization (instance security hardening)
    glide.basicauth.required.importprocessor
    Require basic authorization for incoming import requests.
    • Default value: Yes
    • Instance Security Hardening Settings: Import request authorization (instance security hardening)
    glide.basicauth.required.pdf
    Require basic authorization for incoming PDF requests.
    • Default value: Yes
    • Instance Security Hardening Settings: PDF request authorization (instance security hardening)
    glide.basicauth.required.rss
    Require basic authorization for incoming RSS requests.
    • Default value: Yes
    • Instance Security Hardening Settings: RSS request authorization (instance security hardening)
    glide.basicauth.required.scriptedprocessor
    Require basic authorization for incoming script requests.
    • Default value: Yes
    • Instance Security Hardening Settings: Script request authorization (instance security hardening)
    glide.basicauth.required.soap
    Require basic authorization for incoming SOAP requests.
    • Default value: Yes
    • Instance Security Hardening Settings: Basic auth: SOAP requests (instance security hardening)
    glide.basicauth.required.unl
    Require basic authorization for incoming unload requests.
    • Default value: Yes
    • Instance Security Hardening Settings: Unload request authorization (instance security hardening)
    glide.basicauth.required.xml
    Require basic authorization for incoming XML requests.
    • Default value: Yes
    • Instance Security Hardening Settings: XML request authorization (instance security hardening)
    glide.basicauth.required.xsd
    Require basic authorization for incoming XSD requests.
    • Default value: Yes
    • Instance Security Hardening Settings: XSD request authorization (instance security hardening)
    glide.cms.catalog_uri_relative
    Enforce relative links from the URI parameter on /ess/catalog.do. If Yes, only relative URLs are permitted through the /ess/catalog.do page using the uri parameter. If No, all URLs are permitted, which may permit linking to external unauthorized content.
    • Default value: Yes
    • Instance Security Hardening Settings: Enforce relative links (instance security hardening)
    glide.set_x_frame_options
    Enable this property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages. The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this property to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. https://developer.mozilla.org/en/the_x-frame-options_response_header
    • Default value: Yes
    • Instance Security Hardening Settings: X-Frame-Options: SAMEORIGIN (instance security hardening)
    glide.ui.attachment.download_mime_types
    A comma-separated list of attachment MIME types that do not render inline in the browser. Prevents cross-site scripting attacks. For example, text/html forces HTML files to be downloaded to the client as attachments rather than viewed inline in the browser.
    • Default value: text/html,image/svg,image/svg+xml
    • Instance Security Hardening Settings: Force Download MIME types (instance security hardening)
    glide.security.groupby_acl_check
    When this property is enabled, ACL checks for GroupBy operations are performed for the group names based on the actual data from the groups.
    • Default value: Yes
    glide.security.diag_txns_acl
    If Yes, only the admin user or a user from an allowed IP address can access stats.do, threads.do, and replication.do.
    • Default value: No
    • Instance Security Hardening Settings: Performance monitoring (ACL) (instance security hardening)
    glide.ui.security.codetag.allow_script
    Allow embedded HTML (using [code] tags) to contain JavaScript tags.
    • Default value: Yes
    • Instance Security Hardening Settings: Allow embedded HTML code (instance security hardening)
    glide.script.allow.ajaxevaluate
    Enable the AJAXEvaluate processor. The AJAXEvaluate API call allows the client to send and execute arbitrary scripts on the server.
    • Default value: No
    • Instance Security Hardening Settings: Enable AJAXEvaluate (instance security hardening)
    glide.login.autocomplete
    Allow browsers to use auto-complete on password fields on login forms.
    • Default value: No
    • Instance Security Hardening Settings: Password field auto-complete (instance security hardening)

    The following properties are defined in the sys_properties table, but are not visible on the High Security Settings page.

    com.glide.communications.httpclient.verify_hostname
    Verify the hostname and certificate chain presented by remote SSL hosts. Protects against man-in-the-middle (MITM) attacks.
    • Default value: true
    • Learn more: Set up Kubernetes spoke
    Note: This property overrides the com.glide.communications.trustmanager_trust_all property.
    glide.basicauth.required.schema
    Require basic authentication for inbound table schema requests.
    • Default value: true
    glide.security.csrf_previous.allow
    Allow usage of an expired secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery attacks.
    • Default value: false
    glide.security.csrf_previous.time_limit
    Time in seconds for a secure token to expire. Allows control over the length of time that the previous CSRF token is valid. When the user session expires, the secure token expires with it unless the glide.security.csrf_previous.allow property is enabled and it is within the timeframe described by this property. This token is used to prevent cross-site request forgery attacks.
    • Default value: 86400 seconds or 1 day
    glide.security.csrf.strict.validation.mode
    Enforces strict validation on CSRF tokens so that users cannot resubmit a request if the CSRF token does not match.
    • Default value: false
    • Instance Security Hardening Settings: CSRF strict validation (instance security hardening)
    • Script sandbox property

      Enable the script sandbox property (glide.script.use.sandbox) to run client generated scripts inside a sandbox that has restricted rights.

    • Request High Security Settings activation

      The High Security Settings plugin is active by default on all new instances. If it is not active on your instance, you can request the plugin.
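
    Added example, not ServiceNow code: an audit of an exported Properties [sys_properties] list against the Boolean defaults and the force-download MIME list documented above, accepting both Yes/No and true/false and checking that write_roles is security_admin. The row shape, the function names and the sample rows are assumptions constructed for this example; the values checked are this page's defaults, not the compliance values in Instance Security Hardening Settings.

```javascript
// Added example, not ServiceNow code. The row shape {name, value, write_roles}
// is an assumed JSON export of the Properties [sys_properties] table.

// Boolean defaults as documented on this page (Yes = true, No = false).
// Left out: glide.smtp.auth (deprecated), glide.security.password_reset.uri
// (no default listed) and the numeric glide.security.csrf_previous.time_limit.
const BOOLEAN_DEFAULTS = {
  'glide.ui.escape_text': true,
  'glide.ui.escape_all_script': true,
  'glide.ui.rotate_sessions': true,
  'glide.ui.secure_cookies': true,
  'glide.security.strict.updates': true,
  'glide.security.strict.actions': true,
  'glide.security.use_csrf_token': true,
  'glide.ui.escape_html_list_field': true,
  'glide.html.escape_script': true,
  'glide.ui.forgetme': true,
  'glide.script.use.sandbox': true,
  'glide.soap.strict_security': true,
  'glide.cms.catalog_uri_relative': true,
  'glide.set_x_frame_options': true,
  'glide.security.groupby_acl_check': true,
  'glide.security.diag_txns_acl': false,
  'glide.ui.security.codetag.allow_script': true,
  'glide.script.allow.ajaxevaluate': false,
  'glide.login.autocomplete': false,
  'com.glide.communications.httpclient.verify_hostname': true,
  'glide.security.csrf_previous.allow': false,
  'glide.security.csrf.strict.validation.mode': false,
};
for (const kind of ['wsdl', 'csv', 'excel', 'importprocessor', 'pdf', 'rss',
  'scriptedprocessor', 'soap', 'unl', 'xml', 'xsd', 'schema']) {
  BOOLEAN_DEFAULTS['glide.basicauth.required.' + kind] = true;
}

const MIME_PROPERTY = 'glide.ui.attachment.download_mime_types';
const MIME_DEFAULT = ['text/html', 'image/svg', 'image/svg+xml'];

// The High Security Properties page shows Yes/No, the table stores true/false.
function parseFlag(raw) {
  const v = String(raw == null ? '' : raw).trim().toLowerCase();
  if (v === 'true' || v === 'yes') return true;
  if (v === 'false' || v === 'no') return false;
  return null; // unparseable values are reported as drift
}

function splitList(raw) {
  return String(raw == null ? '' : raw).split(',')
    .map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// exceptions: documented deviations, e.g. rotate_sessions = No with SAML 2.0.
function auditProperties(rows, exceptions = {}) {
  const byName = new Map(rows.map((r) => [r.name, r]));
  const expectedFlags = Object.assign({}, BOOLEAN_DEFAULTS, exceptions);
  const findings = [];

  for (const [name, expected] of Object.entries(expectedFlags)) {
    const row = byName.get(name);
    if (!row) {
      findings.push({ name, kind: 'missing', expected, actual: null });
    } else if (parseFlag(row.value) !== expected) {
      findings.push({ name, kind: 'value', expected, actual: row.value });
    }
  }

  // Assumption: extra MIME types are acceptable, dropping a documented one is not.
  const mimeRow = byName.get(MIME_PROPERTY);
  if (!mimeRow) {
    findings.push({ name: MIME_PROPERTY, kind: 'missing', expected: MIME_DEFAULT.join(','), actual: null });
  } else {
    const have = new Set(splitList(mimeRow.value));
    if (MIME_DEFAULT.some((t) => !have.has(t))) {
      findings.push({ name: MIME_PROPERTY, kind: 'value', expected: MIME_DEFAULT.join(','), actual: mimeRow.value });
    }
  }

  // Property access control: write_roles is expected to be security_admin only.
  for (const name of [...Object.keys(expectedFlags), MIME_PROPERTY]) {
    const row = byName.get(name);
    if (!row) continue;
    const writers = splitList(row.write_roles);
    if (writers.length !== 1 || writers[0] !== 'security_admin') {
      findings.push({ name, kind: 'write_roles', expected: 'security_admin', actual: row.write_roles || '' });
    }
  }
  return findings;
}

// Constructed sample export: every default in place, then four deviations.
function sampleRows() {
  const rows = Object.entries(BOOLEAN_DEFAULTS).map(([name, v]) => (
    { name, value: String(v), read_roles: 'admin', write_roles: 'security_admin' }));
  rows.push({ name: MIME_PROPERTY, value: 'image/svg+xml, image/svg', read_roles: 'admin', write_roles: 'security_admin' });
  const set = (name, patch) => Object.assign(rows.find((r) => r.name === name), patch);
  set('glide.ui.rotate_sessions', { value: 'false' });
  set('glide.script.allow.ajaxevaluate', { value: 'true' });
  set('glide.security.use_csrf_token', { write_roles: 'admin,security_admin' });
  return rows;
}

console.log(auditProperties(sampleRows()));
```

    On instances that use the SAML 2.0 plugin, pass { 'glide.ui.rotate_sessions': false } as the second argument so the setting this page prescribes for that case is not reported as drift.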
