Cookies HTTP only (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • Use the glide.cookies.http_only property to enable the HTTPOnly attribute for sensitive cookies.

    The HTTPOnly attribute limits the impact of attacks such as cross-site scripting: a cookie that carries the flag is sent by the browser with requests as usual but cannot be read by client-side script (for example, through document.cookie in JavaScript). It does not eliminate cross-site scripting risks, but it removes session-cookie theft as one exploitation vector.

    More information

    Attribute: Description
    Property name: glide.cookies.http_only
    Configuration type: System Properties (/sys_properties_list.do)
    Configure in Instance Security Center: Yes
    Purpose: To mitigate the risk of client-side script accessing the protected cookie.
    Recommended value: true
    Functional impact: This remediation adds the HTTPOnly flag to session cookies, so client-side script cannot read them and they are protected from being stolen that way.
    • If you have custom functionality that requires JavaScript to access the user's cookies, enabling the flag breaks that functionality. This should not be the case under normal circumstances.
    • The ServiceNow AI Platform handles session management, so there should be no reason for a custom script to access the user's cookies.
    Security risk (Medium): Session cookies authenticate an end user and implicitly grant that user's access permissions in the application, so they must be protected from theft or export. The HTTPOnly flag prevents injected JavaScript, for example through a cross-site scripting vulnerability, from reading the session cookies and exfiltrating them.
    References: Available system properties
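    A practical way to confirm the remediation took effect is to inspect the Set-Cookie headers the instance returns and list every cookie that lacks the HTTPOnly flag (those are the ones document.cookie could expose). The following audit script is an added example written for this page; it is not ServiceNow code. The sample response headers, cookie names and values in it are constructed for the demonstration, and the optional live fetch assumes only that the instance answers an unauthenticated GET on the URL you pass with Set-Cookie headers.

```python
"""Audit Set-Cookie headers for the HttpOnly flag (added example, not ServiceNow code).

Parses each Set-Cookie header of an HTTP response and reports the cookies that
client-side script could read, i.e. those without HttpOnly (RFC 6265 spelling;
the match is case-insensitive). Run with no arguments to check the constructed
sample below, or pass an instance URL to fetch live headers.
"""
import sys
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample headers: what an instance might return before and after
# glide.cookies.http_only is set to true. Names and values are illustrative only.
RESPONSE_BEFORE = [
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; Secure",
    "Set-Cookie: glide_user_route=glide.abcdef; Path=/; Secure",
    "Content-Type: text/html;charset=UTF-8",
]
RESPONSE_AFTER = [
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly; Secure",
    "Set-Cookie: glide_user_route=glide.abcdef; Path=/; HttpOnly; Secure",
    "Content-Type: text/html;charset=UTF-8",
]


def parse_set_cookie(header_line: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie_name, {attribute_lower: value}) for one Set-Cookie line.

    Flag attributes such as HttpOnly and Secure map to an empty string. Only the
    first ':' is treated as the header separator, so an Expires date is kept intact.
    """
    _, _, value = header_line.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def script_readable_cookies(headers: List[str]) -> List[str]:
    """Names of cookies a client-side script could read (no HttpOnly attribute)."""
    exposed = []
    for line in headers:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        if "httponly" not in attrs:
            exposed.append(name)
    return exposed


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Fetch a URL and return its Set-Cookie headers as 'Set-Cookie: ...' lines."""
    with urllib.request.urlopen(url, timeout=15) as resp:  # network access required
        return [f"Set-Cookie: {v}" for v in resp.headers.get_all("Set-Cookie") or []]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        headers = fetch_set_cookie_headers(sys.argv[1])
    else:
        headers = RESPONSE_BEFORE  # constructed sample, no network needed
    exposed = script_readable_cookies(headers)
    if exposed:
        print("Cookies readable by client-side script:", ", ".join(exposed))
    else:
        print("All cookies carry HttpOnly.")
```

    Run it against the constructed sample to see the two session cookies reported, then against the instance login URL after setting the property to true; an empty result means every cookie in the response carries the flag. Because the property only affects cookies the platform issues, any cookie set by custom server-side code still has to be checked here as well.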

    To learn more about adding or creating a system property, see Add a system property.