Cookies - HTTP Only should be enabled

Impact area




Affected element

System property

Rule ID



If this property is not set to "true", Javascript code can manipulate cookies set by ServiceNow. This opens up some cross-site scripting attack vectors.


Set the system property "glide.cookies.http_only" to true. This reduces (but does not eliminate) the vulnerability to cross-site scripting attacks.

Time to fix

15 min


This rule is linked to Common Weakness Enumeration CWE-1004 Sensitive Cookie Without HttpOnly Flag.

Related best practice

This article is based on the ServiceNow support article. See the original article on the ServiceNow support site: ServiceNow HI: Cookies - HTTP Only . 

HTTPOnly attribute is used to help prevent attacks such as cross-site scripting, since it does not allow the cookie to be accessed via a client side script such as JavaScript. It does not eliminate cross site scripting risks but does eliminate some exploitation vectors. When this property is set to true HTTPOnly attribute is enabled for sensitive cookies.

Cookies - HTTP Only
Property Nameglide.cookies.http_only
Configuration TypeSystem Properties (/
PurposeTo mitigate the risk of client side script accessing the protected cookie.
Recommended ValueTrue
Default BehaviorSet to true
Revertible behaviorN/A
Role requiredAdmin 
Release VersionBerlin
Functional Impact

(Low) This remediation adds an extra flag in the form of "HTTPOnly" on the session cookies and thus protecting the session cookies from being stolen. If the customer has build custom functionality that requires JavaScript to access the user's cookie, that functionality will break. Under normal circumstances this should not be the case. The platform handles session management and there shouldn't be a reason for a custom script to be accessing user's cookies.

Security Risk

(Medium) Session Cookies on the application authenticate an end user and provide implicit access permissions on the application, and thus there is a need to secure them from being stolen or exported. HTTP Only flags would protect the session cookies from being stolen by Javascript injections or Cross Site scripting vulnerabilities. 

WorkaroundNo alternate method available.

How to configure

  1. Navigate to /
  2. Search for the property.
  3. Assign the recommended value as shown in the screenshot > Click Update.

Last modified on Feb 25, 2021