Enhancing API Security Practices in ServiceNow

Reco Security Experts
June 24, 2024

ServiceNow APIs enable the automation of processes and integration with other systems. However, these integrations can expose sensitive data and functionality to potential security threats. Improving API security is critical to protecting your ServiceNow instance and keeping your data safe. In this article, let us explore how to enhance API security practices in ServiceNow.

Adding Security to Inbound Requests

Create an API Request User

  • Create a User Specifically for Inbound Requests: Users with the Web service access only option set on their user record cannot log into the ServiceNow UI, so their credentials can only authorize API connections. Set this option by editing the user record through the User Administration > Users module.
  • Assign Necessary Roles: Ensure the API request user has the necessary roles to access the required records.

Disallow Web Service Access to Tables

  • Disable Web Service Access to Tables: Administrators can disable web service access to tables by deselecting the Allow access to this table via web services option in the Application Access section of the table record. This setting is managed through the System Definition > Tables module.

IMPORTANT: The REST API Explorer ignores this setting. It can interact with tables even when the Allow access to this table via web services option is disabled.
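
The settings in this section can be checked against an export, shown here as an added example that is not part of the original article or ServiceNow's own code. It flags inbound accounts that can still log in to the UI, accounts holding broad roles, and tables left open to web services outside an allowlist; the column names web_service_access_only and ws_access are assumed to back the two checkboxes, and the records, allowlist and role list are constructed.

```javascript
// Added example: audit exported records against the inbound-request settings above.
// Assumed columns: sys_user.web_service_access_only and sys_db_object.ws_access
// (confirm both on your instance). Every record below is constructed sample data.
const users = [
  { user_name: 'svc.inbound.cmdb', web_service_access_only: 'true', roles: ['itil'] },
  { user_name: 'svc.inbound.hr', web_service_access_only: 'false', roles: ['itil'] },
  { user_name: 'svc.inbound.legacy', web_service_access_only: 'true', roles: ['admin', 'itil'] },
];
const tables = [
  { name: 'incident', ws_access: 'true' },
  { name: 'cmdb_ci', ws_access: 'true' },
  { name: 'sys_user', ws_access: 'true' },
  { name: 'u_payroll_staging', ws_access: 'false' },
];
// Tables the integrations are meant to reach (hypothetical allowlist).
const allowedTables = new Set(['incident', 'cmdb_ci']);
// Roles treated as too broad for an API-only account (hypothetical policy).
const broadRoles = new Set(['admin', 'security_admin']);
// Exports often carry booleans as strings, so accept both forms.
const isTrue = (v) => v === true || String(v).toLowerCase() === 'true';

function auditInboundConfig(users, tables, allowedTables, broadRoles) {
  const findings = [];
  for (const u of users) {
    if (!isTrue(u.web_service_access_only)) {
      findings.push({ kind: 'interactive-login-possible', subject: u.user_name });
    }
    const broad = (u.roles || []).filter((r) => broadRoles.has(r));
    if (broad.length > 0) {
      findings.push({ kind: 'broad-role', subject: u.user_name, detail: broad.join(',') });
    }
  }
  for (const t of tables) {
    if (isTrue(t.ws_access) && !allowedTables.has(t.name)) {
      findings.push({ kind: 'table-exposed', subject: t.name });
    }
  }
  return findings;
}

for (const f of auditInboundConfig(users, tables, allowedTables, broadRoles)) {
  console.log(`${f.kind}\t${f.subject}\t${f.detail || ''}`);
}
```

A table that passes this check is still reachable through the REST API Explorer, as the note above states.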

REST API Security

By default, ServiceNow REST APIs use basic authentication or OAuth to authorize user access to REST APIs/endpoints. You can also configure your instance to use multi-factor authentication to access REST APIs. The user ID that you specify in a REST endpoint call is subject to access control in the same way as an interactive user. Each request requires the proper authentication information, such as user name and password. Ensure that each endpoint request includes an Authorization header with sufficient credentials to access the endpoint.

ServiceNow REST APIs also support cookies that bind a request to an existing session. For calling an API with a certificate, and for information on mutual authentication, see Certificate-based authentication. REST API access policies let you filter requests by criteria such as IP, role, and group; to restrict the scope of an API, you can use the REST API Auth Scope. To learn more about the REST API access policy, see REST API access policies. With a REST API access policy, you can craft a single policy, at the global REST API level and at the basic REST authentication level, that blocks incoming requests from outside a trusted network.


In addition to user authentication, each REST endpoint can have different requirements for the roles required to access the endpoint. Some require the admin role, and others require API-specific roles. Role requirements are specified in the access control list (ACL) associated with the REST API/endpoint. For specifics on the valid roles for each REST API/endpoint, refer to the REST API reference or locate the associated ACL for the API/endpoint within an instance through System Security > Access Control (ACL).


REST API ACLs define criteria, such as the roles needed and conditions that a user must meet to access a ServiceNow REST API or endpoint. A single ACL may be defined for an entire REST API, such as the Table API and Attachment API ACLs, or for an individual endpoint, such as the clotho_rest_put ACL that only applies to MetricBase PUT methods.

The following ServiceNow REST API ACLs are available in the base system but are deactivated by default. All other ServiceNow REST API ACLs are active by default.

  • Table API
  • Aggregate API
  • Import Set API
  • Attachment API

IMPORTANT: You should never modify the names of REST API ACLs.

Third-Party Integration Security

Review Vendor Security

  • Vendor Security Practices: Before integrating third-party apps, review their security practices to ensure they adhere to best practices.

Secure API Endpoints

  • Validate Data from External Sources: Secure your API endpoints and validate all data from external sources to prevent security breaches.



  • Employ Strong Authentication Mechanisms: Utilize OAuth 2.0 or API keys to verify clients accessing your Web API.
  • Implement Multi-Factor Authentication (MFA): Add an extra layer of security by requiring MFA.
  • Avoid Basic Authentication: Basic authentication, especially over unencrypted channels, exposes credentials in clear text and should be avoided.


  • Enforce Strict Authorization Policies: Control resource access so that only authenticated and authorized users or applications can access specific endpoints.
  • Utilize Role-Based Access Control (RBAC): Manage permissions effectively and restrict access to sensitive data or operations based on user roles.

HTTPS Encryption

  • Ensure HTTPS Access: Encrypt data transmitted between clients and the server by ensuring your Web API is accessed over HTTPS.
  • Use Robust SSL/TLS Configurations: Regularly update SSL/TLS configurations to mitigate security vulnerabilities.

Input Validation and Sanitization

  • Implement Thorough Input Validation: Prevent security issues like SQL injection, cross-site scripting (XSS), and command injection by validating and sanitizing all user-supplied input.
  • Sanitize Input Before Processing: Reduce the risk of injection attacks by sanitizing inputs before processing.

Rate Limiting

  • Implement Rate-Limiting Mechanisms: Prevent abuse or unauthorized access to your Web API by setting appropriate limits on requests per client or IP address to avoid denial-of-service (DoS) attacks.

Audit Logging

  • Enable Comprehensive Audit Logging: Monitor API usage, including authentication attempts, authorization failures, and access to sensitive resources.
  • Regularly Review Audit Logs: Identify suspicious activities and potential security incidents through regular log reviews.
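
A log review of the kind described above can be scripted; the following is an added example, not code from the original article or from ServiceNow. It flags repeated authentication failures from one source, authorization failures, and successful reads of watched tables; the record layout, the sample lines and the watch list are constructed, and only the /api/now/table/ path prefix is the Table API's own.

```javascript
// Added example: review API access records for authentication failures,
// authorization failures and access to watched tables. Constructed sample lines:
// timestamp, source IP, user ("-" if unauthenticated), method, path, HTTP status.
const sampleLog = `
2024-06-24T10:00:01Z 203.0.113.7 svc.inbound.cmdb GET /api/now/table/cmdb_ci 200
2024-06-24T10:00:05Z 198.51.100.23 - GET /api/now/table/incident 401
2024-06-24T10:00:09Z 198.51.100.23 - GET /api/now/table/incident 401
2024-06-24T10:01:30Z 198.51.100.23 - GET /api/now/table/incident 401
2024-06-24T10:02:00Z 203.0.113.7 svc.inbound.cmdb GET /api/now/table/sys_user 403
2024-06-24T10:03:10Z 203.0.113.9 svc.inbound.legacy GET /api/now/table/sys_user?sysparm_limit=10 200
2024-06-24T10:20:00Z 198.51.100.23 - GET /api/now/table/incident 401
`;
const SENSITIVE = new Set(['sys_user', 'sys_user_has_role']); // hypothetical watch list

function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$/.exec(line.trim());
  if (!m) return null; // skip blank or malformed lines
  const [, ts, src, user, method, path, status] = m;
  const t = Date.parse(ts);
  return Number.isNaN(t) ? null : { t, src, user, method, path, status: Number(status) };
}

// Records are assumed to be in time order, as in an exported log.
function reviewLog(text, { windowMs = 5 * 60 * 1000, threshold = 3 } = {}) {
  const alerts = [];
  const recent = new Map(); // source IP -> timestamps of 401s inside the window
  const flagged = new Set(); // sources already reported, to avoid repeat alerts
  for (const line of text.split('\n')) {
    const r = parseLine(line);
    if (!r) continue;
    const table = (/^\/api\/now\/table\/([^/?]+)/.exec(r.path) || [])[1];
    if (r.status === 401) {
      const hits = (recent.get(r.src) || []).filter((t) => r.t - t <= windowMs);
      hits.push(r.t);
      recent.set(r.src, hits);
      if (hits.length >= threshold && !flagged.has(r.src)) {
        flagged.add(r.src);
        alerts.push({ kind: 'repeated-auth-failure', who: r.src, count: hits.length });
      }
    } else if (r.status === 403) {
      alerts.push({ kind: 'authorization-failure', who: r.user, table: table || r.path });
    } else if (r.status < 300 && SENSITIVE.has(table)) {
      alerts.push({ kind: 'sensitive-access', who: r.user, table });
    }
  }
  return alerts;
}
console.log(reviewLog(sampleLog));
```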

Security Headers

  • Utilize Security Headers: Safeguard against common web vulnerabilities using headers such as Content Security Policy (CSP) and X-Frame-Options.

Implementing these best practices will significantly enhance the security of your ServiceNow Web API.


To improve ServiceNow API security, you should put robust authentication and authorization procedures in place, encrypt data, validate inputs, set rate limits, log actions, and integrate third-party apps safely. Following these recommended practices will significantly improve the security of your ServiceNow instance.
