Cookies – HTTP Only should be enabled

This issue is found automatically by CODA.
Time to fix: 30min

How does ServiceNow deal with cookies?

Like other web applications, ServiceNow sets cookies: small pieces of data that the server sends in a Set-Cookie response header and that the browser stores and returns with every later request to the instance. Their main purpose is to identify the user's session after login and to remember state across requests. A cookie value is typically an opaque string of letters and digits. ServiceNow uses two kinds of cookies:

  • Session cookies: These are kept only for the duration of your session on the instance and are discarded when you close the browser.

  • Persistent cookies: These remain in the browser's cookie store until you delete them or until they expire at the time set by the cookie's Expires or Max-Age attribute.

Why is this an issue?

Even within ServiceNow, cookies can be stolen or manipulated by attackers to gain access to a user's account or to sensitive information. The prime example is cross-site scripting (XSS), an injection attack in which the attacker gets malicious code, usually client-side JavaScript, delivered to an end user through a vulnerability in an otherwise trusted web application. Because the browser runs that script in the context of the instance, it can do anything the page's own scripts can do.

In a client instance this means the injected script can read document.cookie, send the session cookie to an attacker-controlled server, and let the attacker replay it to act as the victim without knowing their password.

To mitigate this, ServiceNow provides the system property glide.cookies.http_only. When it is true, the platform adds the HttpOnly attribute to the cookies it sets, and browsers then refuse to expose those cookies to client-side script (document.cookie and similar APIs); they are still sent with every HTTP request as usual. This does not eliminate XSS: script running in the victim's browser can still make authenticated requests on the victim's behalf and read the responses. What HttpOnly removes is the easy, lasting win of exfiltrating the session cookie, which is why it is an important extra layer rather than a complete fix.

How do I fix it?

Before setting glide.cookies.http_only to true, note that any custom client-side JavaScript that reads the user's cookies through document.cookie will stop working, because the browser will no longer expose them to script. Review such code first and move the logic server-side where possible.

  1. In the Filter Navigator, type sys_properties.list and press Enter.

  2. Search for glide.cookies.http_only (create the property if it does not exist).

  3. Open the record and set the Value field to true.