Cookies - HTTP Only should be enabled

Impact area

Security

Severity

High

Affected element

System property

Rule ID

SN-0191

Impact

If this property is not set to "true", JavaScript code can manipulate cookies set by ServiceNow. This opens up some cross-site scripting attack vectors.

Remediation

Set the system property "glide.cookies.http_only" to true. This reduces (but does not eliminate) the vulnerability to cross-site scripting attacks.

Time to fix

15 min

References

This rule is linked to Common Weakness Enumeration CWE-1004 Sensitive Cookie Without HttpOnly Flag.

Related best practice

This article is based on the ServiceNow support article. See the original article on the ServiceNow support site: ServiceNow HI: Cookies - HTTP Only.

The HTTPOnly attribute helps prevent attacks such as cross-site scripting, because it does not allow the cookie to be accessed by a client-side script such as JavaScript. It does not eliminate cross-site scripting risks, but it does eliminate some exploitation vectors. When this property is set to true, the HTTPOnly attribute is enabled on sensitive cookies.


Cookies - HTTP Only
Property Name: glide.cookies.http_only
Configuration Type: System Properties (/sys_properties_list.do)
Purpose: To mitigate the risk of client-side script accessing the protected cookie.
Requirement: Mandatory
Recommended Value: True
Default Behavior: Set to true
Revertible Behavior: N/A
Role Required: Admin
Release Version: Berlin

Functional Impact

(Low) This remediation adds the "HTTPOnly" flag to the session cookies, protecting them from being stolen by client-side script. If the customer has built custom functionality that requires JavaScript to access the user's cookies, that functionality will break. Under normal circumstances this should not be the case: the platform handles session management, and there should be no reason for a custom script to access a user's cookies.

Security Risk

(Medium) Session cookies on the application authenticate an end user and grant implicit access permissions on the application, so they need to be secured against being stolen or exported. The HTTPOnly flag protects the session cookies from being stolen through JavaScript injection or cross-site scripting vulnerabilities.

Workaround: No alternate method available.

How to configure

  1. Navigate to /sys_properties_list.do.
  2. Search for the property.
  3. Set the value to true (the recommended value), as shown in the screenshot, and click Update.
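A way to confirm the result of this configuration, added here as an example (it is not from the ServiceNow article): capture the Set-Cookie headers of a login response from the instance (browser developer tools or curl -i) and run them through the check below, which reports every cookie that lacks the HttpOnly flag. The sample headers, cookie names and values are constructed for the example; which cookies the platform marks HttpOnly is not stated in the article.

```python
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value (None for flags)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value: 'name=value' then ';'-separated attributes."""
    # Splitting on ';' only keeps 'Expires=Wed, 21 Oct 2026 ...' intact, and
    # partitioning on the first '=' keeps '=' padding inside base64 values.
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return Cookie(name.strip(), value.strip(), attrs)


def cookies_missing_httponly(headers, allow=()):
    """Names of cookies a page script could read (no HttpOnly flag)."""
    # `allow` holds cookies a custom integration deliberately reads from
    # JavaScript (the case the Functional Impact section warns about), so the
    # report only shows unexpected exposure.
    return [c.name for c in map(parse_set_cookie, headers)
            if not c.http_only and c.name not in allow]


# Constructed sample response headers; cookie names and values are illustrative.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly; Secure",
    "glide_user_route=glide.constructed; Path=/; Secure",
    "glide_session_store=ABCDEF0123==; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; httponly",
]

if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"WARNING: cookie {name} is readable from JavaScript (no HttpOnly flag)")
```

Run it against the real headers of your instance; an empty report means the property took effect for every cookie the response sets.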
Last modified on Feb 25, 2021