Scripted REST API Best Practices

This article is based on the ServiceNow documentation article. See the original article on the ServiceNow doc site: Scripted REST API Best Practices Overview

Quality Clouds automatically checks that every best practice defined below is followed in any Scripted REST API Resource that you create or modify on your ServiceNow instance.

Avoid GlideRecord API usage in Scripted REST API Resource

Use the GlideRecordSecure API in your scripted REST API scripts. This API ensures that access controls defined on the underlying data are applied for the requesting user.

GlideRecordSecure is an extension of the GlideRecord API that additionally enforces access controls, which makes it the appropriate choice for Scripted REST API Resources. Full details for GlideRecordSecure are available in the official ServiceNow documentation.
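The following is an added example, not code from the original article or from ServiceNow: a PATCH resource script written against the Scripted REST API shape (request.pathParams, request.body.data, response.setStatus) using GlideRecordSecure, with a constructed in-memory stand-in for the platform so it runs offline. The stand-in's ACL model and its behaviour of returning null from update() when the write ACL fails are assumptions made for illustration, not ServiceNow's implementation.

```javascript
// Constructed in-memory stand-in for the platform (assumption, not ServiceNow's
// real GlideRecordSecure): rows plus a per-caller read/write ACL keyed by company.
var ROWS = [
  { sys_id: 'a1', short_description: 'Printer down', company: 'acme' },
  { sys_id: 'b2', short_description: 'VPN flapping', company: 'globex' }
];
var ACL = { alice: { read: ['acme'], write: ['acme'] },
            bob:   { read: ['globex'], write: [] } };
var currentUser = 'alice';

function GlideRecordSecure(table) { this.table = table; this.filter = {}; this.pending = {}; }
GlideRecordSecure.prototype.addQuery = function (f, v) { this.filter[f] = v; };
GlideRecordSecure.prototype.query = function () {
  var self = this, acl = ACL[currentUser] || { read: [], write: [] };
  this.rows = ROWS.filter(function (r) {        // read ACL: unreadable rows are hidden
    return acl.read.indexOf(r.company) >= 0 &&
      Object.keys(self.filter).every(function (f) { return r[f] === self.filter[f]; });
  });
  this.i = -1;
};
GlideRecordSecure.prototype.next = function () { return ++this.i < this.rows.length; };
GlideRecordSecure.prototype.getValue = function (f) { return this.rows[this.i][f]; };
GlideRecordSecure.prototype.setValue = function (f, v) { this.pending[f] = v; };
GlideRecordSecure.prototype.update = function () {   // write ACL: refused -> null (assumed)
  var row = this.rows[this.i], acl = ACL[currentUser] || { write: [] };
  if (acl.write.indexOf(row.company) < 0) return null;
  Object.keys(this.pending).forEach(function (f) { row[f] = this.pending[f]; }, this);
  return row.sys_id;
};

// Resource script for PATCH /incident/{sys_id}: every read and write goes through
// GlideRecordSecure, so the caller's ACLs decide what the resource can touch.
function process(request, response) {
  var gr = new GlideRecordSecure('incident');
  gr.addQuery('sys_id', request.pathParams.sys_id);
  gr.query();
  if (!gr.next()) { response.setStatus(404); return { status: 404 }; }   // hidden == absent
  gr.setValue('short_description', request.body.data.short_description);
  if (gr.update() === null) { response.setStatus(403); return { status: 403 }; }
  response.setStatus(200);
  return { status: 200, sys_id: gr.getValue('sys_id') };
}

// Drive the resource as a given caller (test harness only, not part of a real resource).
function callAs(user, sysId, body) {
  currentUser = user;
  var response = { setStatus: function (c) { this.status = c; } };
  return process({ pathParams: { sys_id: sysId }, body: { data: body } }, response);
}
```

Note that a record the caller may not read is simply absent from the query result, so the resource answers 404 rather than 403 and does not reveal that the record exists; this in-script enforcement complements, and does not replace, the resource-level authentication and ACL authorization settings discussed below.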

REST API Resource modifying data without Authentication check

Any REST API Resource which uses a data-modification HTTP verb (POST/PUT/DELETE/PATCH) and does not require authentication will raise an issue of High Severity, as it exposes your instance to data modification from anonymous sources.

REST API Resource modifying data without Authorization check

Any REST API Resource which uses a data-modification HTTP verb (POST/PUT/DELETE/PATCH) and does not require ACL (authorization) checks will raise an issue of High Severity, as it exposes your instance to data modification without fine-grained access controls.

If you want any of the above checks to apply to REST API Resources using the GET verb, please contact help@qualityclouds.com to request customization of your ruleset.

Last modified on Jun 29, 2020