Security referral policy (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024

  Use the com.glide.security.referrerpolicy property to control the Referrer-Policy HTTP response header that the ServiceNow AI Platform sends with its pages. The browser applies that policy when a page subsequently requests data or other resources, so the value determines how much of the page URL (origin, path and query string) is disclosed in the Referer request header, and whether it is disclosed to external origins at all.

    Security referral policy values

    Set the com.glide.security.referrerpolicy property to one of the following values. "Same origin" below means the same scheme, host and port as the instance, not merely the same domain.

    Value                        Description
    default                      The ServiceNow AI Platform instance manages the level of information sent in referrer headers, choosing what is appropriate for the specific page request.
    same-origin                  Pages send the full referrer URL (origin, path and query string) for requests to the same origin, and no Referer header at all to any other origin.
                                 This setting ensures a good level of instance security.
    origin                       Pages send only the origin (scheme, host and port, with no path or query string) as the referrer, for requests within the instance and to external origins alike.
                                 This setting ensures a good level of instance security.
    origin-when-cross-origin     Pages send the full URL as the referrer for same-origin requests, and only the origin for requests to external origins.
                                 This setting ensures a good level of instance security.
    no-referrer-when-downgrade   Pages send the origin, path and query string of the URL to every destination, external origins included, as long as the request does not downgrade from HTTPS to HTTP; on a downgrade no referrer is sent.
                                 Note: Because the full page URL, query string included, reaches external sites, this setting does not ensure a good level of instance security in the ServiceNow AI Platform and should not be used.
    Figure 1. Referrer Policy example and values summary
    [Figure: the Referrer-Policy value in an HTTP response header, alongside the security referral policy values]
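    The table above states each policy in prose; the following is an added example (not ServiceNow code, and not part of this page's original content) that models what Referer value a browser would actually send from a platform page to a given destination under each policy, following the W3C Referrer Policy algorithm. It also parses a Referrer-Policy response header the way browsers do, so the value returned by a header check against your instance (for example the output of curl -sI on the instance's login page, filtered for Referrer-Policy) can be classified. The instance hostname, the page URL and the destination URLs are constructed sample data; the platform's "default" value is deliberately left unmodelled, since the page does not state which concrete header it resolves to, and the remaining standard policy names are included beyond the four the page lists so the comparison is complete.

```javascript
// Added example, not ServiceNow code: which Referer value a browser sends from a
// platform page to a request destination under each Referrer-Policy value,
// per the W3C Referrer Policy algorithm. All hostnames/URLs are constructed
// sample data. The platform's "default" is not modelled (the page does not say
// which concrete header it resolves to), so the function rejects it.

// Drop credentials and the fragment, as the spec requires before a URL is used
// as a referrer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// An HTTPS page requesting a non-HTTPS resource is a "downgrade".
function isDowngrade(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === 'https:' && new URL(toUrl).protocol !== 'https:';
}

// Same origin means the same scheme, host and port (not merely the same domain).
function isSameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

const KNOWN_POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin',
  'unsafe-url',
]);

// Returns the Referer header value the browser would send, or null for none.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  // Only http(s) documents ever disclose a referrer.
  if (from.protocol !== 'https:' && from.protocol !== 'http:') return null;
  const full = stripForReferrer(fromUrl);   // origin + path + query string
  const originOnly = from.origin + '/';      // scheme://host[:port]/ only
  const down = isDowngrade(fromUrl, toUrl);
  const same = isSameOrigin(fromUrl, toUrl);
  switch (policy) {
    case 'no-referrer':                return null;
    case 'unsafe-url':                 return full;
    case 'no-referrer-when-downgrade': return down ? null : full;
    case 'same-origin':                return same ? full : null;
    case 'origin':                     return originOnly;
    case 'strict-origin':              return down ? null : originOnly;
    case 'origin-when-cross-origin':   return same ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      return same ? full : (down ? null : originOnly);
    default:
      throw new Error(`unsupported Referrer-Policy value: ${policy}`);
  }
}

// A Referrer-Policy header may carry a comma-separated list; browsers apply the
// last value they recognise. Returns that value, or null if none is valid.
function effectivePolicy(headerValue) {
  const tokens = headerValue.split(',').map((t) => t.trim().toLowerCase());
  const valid = tokens.filter((t) => KNOWN_POLICIES.has(t));
  return valid.length ? valid[valid.length - 1] : null;
}

// Constructed sample: a platform page whose query string names a record, and
// three destinations: the instance itself, an external HTTPS host, and an
// external plain-HTTP host (an HTTPS -> HTTP downgrade).
const PAGE = 'https://instance.example/nav_to.do?uri=incident.do%3Fsys_id%3Dabc123';
const TARGETS = {
  sameInstance: 'https://instance.example/api/now/table/incident',
  externalHttps: 'https://cdn.example.net/widget.js',
  externalHttp: 'http://legacy.example.net/pixel.gif',
};

// Build a {policy: {destination: referer-or-null}} matrix.
function referrerMatrix(policies, fromUrl = PAGE, targets = TARGETS) {
  const rows = {};
  for (const policy of policies) {
    rows[policy] = {};
    for (const [name, to] of Object.entries(targets)) {
      rows[policy][name] = referrerFor(policy, fromUrl, to);
    }
  }
  return rows;
}

// The four explicit values the page lists, side by side.
const PAGE_VALUES = ['same-origin', 'origin', 'origin-when-cross-origin', 'no-referrer-when-downgrade'];
console.log(JSON.stringify(referrerMatrix(PAGE_VALUES), null, 2));
```

    The matrix makes the page's risk rating concrete: under no-referrer-when-downgrade the externalHttps row receives the whole nav_to.do URL with its query string, whereas same-origin sends it nothing and origin / origin-when-cross-origin send only https://instance.example/. Feeding the header value captured from a live instance into effectivePolicy tells you which row applies to that instance.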

    More information

    Attribute                              Description
    Property name                          com.glide.security.referrerpolicy
    Configuration type                     System Properties (/sys_properties_list.do)
    Configure in Instance Security Center  No
    Purpose                                Controls how much of the page URL is disclosed in the Referer header when a ServiceNow AI Platform page sends a request for data.
    Recommended value                      default
    Functional impact                      If set to 'default', the ServiceNow AI Platform instance manages the level of information sent in referrer headers.
    Security risk (High)                   Setting this property to 'no-referrer-when-downgrade' does not ensure a good level of security for your instance.
    Reference                              https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
                                           https://developer.mozilla.org/en-US/docs/Glossary/origin

    To learn more about adding or creating a system property, see Add a system property.