<h2>Setting entity expansion threshold</h2><br/><div style="overflow-x:auto"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta content="text/html; charset=UTF-8" /><meta name="copyright" content="(C) Copyright 2025" /><meta name="DC.rights.owner" content="(C) Copyright 2025" /><meta name="generator" content="DITA-OT" /><meta name="DC.type" content="reference" /><meta name="DC.title" content="Setting entity expansion threshold (instance security hardening)" /><meta name="abstract" content="Use the glide.xmlutil.max_entity_expansion property to change the maximum entity expansion limit to a smaller number." /><meta name="description" content="Use the glide.xmlutil.max_entity_expansion property to change the maximum entity expansion limit to a smaller number." /><meta name="DC.relation" scheme="URI" content="../../../administer/security/reference/for-xmldocument-and-xmlutil-parsing.html" /><meta name="DC.relation" scheme="URI" content="../../../administer/general/concept/platsec-landing.html" /><meta name="DC.relation" scheme="URI" content="../../../administer/security/concept/instance-security-center.html" /><meta name="DC.relation" scheme="URI" content="../../../administer/security/reference/instance-security-hardening-settings.html" /><meta name="DC.relation" scheme="URI" content="../../../administer/security/reference/security-inclusion-list-instance-security-hardening.html" /><meta name="DC.relation" scheme="URI" content="../../../administer/security/reference/xml-external-entity-processing-validation.html" /><meta name="DC.creator" content="ServiceNow" /><meta name="DC.date.created" content="2023-08-03" /><meta name="DC.date.modified" content="2023-08-03" /><meta name="mini-toc" content="yes" /><meta name="DC.format" content="XHTML" /><meta name="DC.identifier" content="setting-entity-expansion-threshold" /><link rel="stylesheet" type="text/css" href="../../../CSS/commonltr.css" /><title>Setting entity expansion threshold (instance 
security hardening)</title></head><body id="setting-entity-expansion-threshold"> <h1 class="title topictitle1" id="ariaid-title1">Setting entity expansion threshold (instance security hardening)</h1> <div class="body refbody"><p class="shortdesc">Use the <span class="keyword parmname">glide.xmlutil.max_entity_expansion</span> property to change the maximum entity expansion limit to a smaller number.</p> <div class="section" id="setting-entity-expansion-threshold__section_overview_other">The <span class="ph">Now Platform</span> doesn't process entity expansions beyond the limit specified in this property. <div class="note"><span class="notetitle">Note:</span> 3000 is the default minimum imposed by the <span class="ph">Now Platform</span> and is considered a safe threshold. If you enter an integer value below 3000, the platform uses this default minimum instead.</div> </div> <div class="section" id="setting-entity-expansion-threshold__section_more_information"><h2 class="title sectiontitle">More information</h2> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="setting-entity-expansion-threshold__table_ajc_b43_3kb" class="table" frame="border" border="1" rules="all"><colgroup><col style="width:40%" /><col style="width:60%" /></colgroup><thead class="thead" style="text-align:left;"><tr class="row"><th class="entry cellrowborder" style="vertical-align:top;" id="d191209e75">Attribute</th><th class="entry cellrowborder" style="vertical-align:top;" id="d191209e78">Description</th></tr></thead><tbody class="tbody"><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e75 ">Property name</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e78 ">glide.xmlutil.max_entity_expansion</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e75 ">Configuration type</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e78 ">System Properties (/sys_properties_list.do)</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e75 ">Configure in Instance Security Center</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e78 ">Yes</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e75 ">Purpose</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e78 ">This remediation control must be enabled to defend against the XML Entity Expansion/Billion Laughs attack.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e75 ">Recommended value</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e78 ">3000</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e75 ">Functional Impact</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e78 ">If a customization uses large entity expansions, the <span class="ph">Now Platform</span> might block further processing.</td></tr><tr class="row"><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e75 ">Security risk</td><td class="entry cellrowborder" style="vertical-align:top;" headers="d191209e78 ">(High) An attacker can use this vulnerability to expand data exponentially, quickly consuming all system resources.</td></tr></tbody></table> </div> <p class="p">To learn more about adding or creating a system property, see <a class="xref" href="../administer/reference-pages/task/t_AddAPropertyUsingSysPropsList.html" target="_blank" rel="noopener noreferrer">Add a system property</a>.</p> </div> 
</div> <div class="related-links"> <div class="familylinks"> <div class="parentlink"><strong>Parent Topic:</strong> <a class="link" href="../../../administer/security/reference/for-xmldocument-and-xmlutil-parsing.html" title="If your customizations use XMLDocument or XMLUtil, set the following system properties. They control entity expansion and enable the validation of external entities, which allow processing of only ones on inclusion lists.">For XMLDocument and XMLUtil parsing</a></div> </div> </div></body></html></div>
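<p class="p">The threshold behaviour described on this page, modelled as an added JavaScript example; it is not ServiceNow code and does not show how the Now Platform implements the limit. The function names, the entity map, the constructed nested definitions, and the fallback to 3000 for non-integer input are assumptions made for illustration.</p>

```javascript
// Added illustration: a model of an entity-expansion limit.
// Not Now Platform code; all names below are hypothetical.
const PLATFORM_MINIMUM = 3000; // default minimum stated on this page

// A configured integer below 3000 is treated as 3000 (per the note on this page).
// Assumption: a non-integer value also falls back to 3000.
function effectiveLimit(configured) {
  const n = Number.parseInt(configured, 10);
  return Number.isInteger(n) && n > PLATFORM_MINIMUM ? n : PLATFORM_MINIMUM;
}

// Constructed sample: entity e0 is plain text; each higher level references
// the level below it `fanout` times, so the expansion count grows per level.
function nestedEntities(depth, fanout) {
  const defs = new Map([["e0", "x"]]);
  for (let i = 1; depth >= i; i++) {
    defs.set(`e${i}`, `&e${i - 1};`.repeat(fanout));
  }
  return defs;
}

// Expand "&name;" references, counting each expansion, and stop as soon as
// the count goes past `limit` instead of materialising the full result.
function expandWithLimit(text, defs, limit) {
  let count = 0;
  const expand = (s) => s.replace(/&([A-Za-z_][\w.-]*);/g, (ref, name) => {
    if (!defs.has(name)) return ref; // undeclared reference: left untouched
    count += 1;
    if (count > limit) throw new RangeError("entity expansion limit exceeded");
    return expand(defs.get(name));
  });
  try {
    const out = expand(text);
    return { ok: true, expansions: count, length: out.length };
  } catch (err) {
    if (!(err instanceof RangeError)) throw err;
    return { ok: false, expansions: count, length: 0 };
  }
}

const demoLimit = effectiveLimit("100"); // below 3000, so 3000 applies
console.log(demoLimit, expandWithLimit("&e3;", nestedEntities(3, 10), demoLimit));
console.log(demoLimit, expandWithLimit("&e4;", nestedEntities(4, 10), demoLimit));
```

<p class="p">In this model, three nested levels stay under the 3000 limit and expand fully, while a fourth level is cut off at the first expansion past the limit, which is the "might block further processing" case listed under Functional Impact.</p>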