Web Application Firewall in the ServiceNow AI Platform

This article explains why ServiceNow does not offer direct Web Application Firewall (WAF) capabilities within the ServiceNow AI Platform and gives an overview of the compensating security controls available to customers within the platform and a customer instance. It also covers the option for customers to integrate their own WAF technologies into their data architecture, noting that the responsibility for deploying, configuring, and maintaining such solutions rests with the customer or their chosen third-party provider.

Sections

• Technical complexities of WAF management
• ServiceNow security program
• List of WAF capabilities and corresponding ServiceNow AI Platform capabilities
• ServiceNow Security Center
• Integrating WAF technology in a ServiceNow instance

Technical complexities of WAF management

Managing a WAF within the ServiceNow AI Platform presents significant challenges because each organization's security requirements are highly varied and customized. The platform must accommodate a wide range of customer environments, from simple workflows to complex integrations, and this diversity makes it difficult to apply a universal set of WAF rules that are both effective and unobtrusive.
ServiceNow typically lacks full visibility into the specific data structures, custom business logic, and application behaviors unique to each customer instance. Without this granular context, it becomes impossible to fine-tune a WAF configuration that reliably distinguishes legitimate from suspicious activity across the board. This lack of precision can lead to frequent false positives, where authorized user actions are incorrectly flagged and blocked, potentially disrupting business operations and productivity. Furthermore, managing a WAF requires ongoing adjustment and monitoring (analyzing evolving traffic patterns, updating rule sets in response to new threats, and troubleshooting incidents), which demands dedicated expertise and resources. Because these activities revolve around highly individual use cases and data flows, ServiceNow is not positioned to provide direct, platform-wide WAF management that meets the needs of all customers.

ServiceNow Security Program

By implementing controls across multiple layers, from development through the infrastructure to continuous monitoring, ServiceNow achieves comprehensive protection that compensates for the absence of a WAF, thereby minimizing the risk of sensitive data exposure. With this holistic approach, ServiceNow significantly reduces the attack surface and ensures that any vulnerability is promptly detected and remediated, delivering a level of security comparable or even superior to what a WAF might provide, with the added benefit that the controls are tailored to customers' specific needs.

Secure Development
ServiceNow code adheres to the OWASP Top 10 guidelines, enabling common vulnerabilities to be identified and mitigated before the code goes into production.

Vulnerability Management and Agile Patching
ServiceNow conducts periodic and continuous vulnerability assessments and applies patches swiftly and methodically to minimize emerging risks.
Penetration Testing and Audits
ServiceNow performs both internal and external penetration tests, along with regular audits, to help detect potential security flaws.

Hardening and Monitoring
ServiceNow further bolsters system security by hardening the platform's infrastructure and implementing continuous monitoring, which allows detection of anomalous behavior or intrusion attempts in real time.

For more information about the ServiceNow security program, see Securing the ServiceNow AI Platform.

List of WAF capabilities and corresponding ServiceNow AI Platform capabilities

Each entry lists the WAF capability, the general control that addresses it, and the corresponding ServiceNow platform capability (product documentation topics).

WAF capability: SQL Injection Protection: Detects and blocks SQL injection attempts
  Control: Input validation, parameterized queries
  ServiceNow platform capability: Sanitize SQL transform functions; Validation, sanitization, and encoding

WAF capability: Cross-Site Scripting (XSS): Blocks script injection in user inputs
  Control: Input sanitization, CSP headers, frontend validation
  ServiceNow platform capability: Validation, sanitization, and encoding; HTML sanitizer

WAF capability: Cross-Site Request Forgery (CSRF): Prevents unauthorized cross-origin actions
  Control: CSRF tokens, secure cookies, SameSite settings
  ServiceNow platform capability: CSRF strict validation; GlideHTTPResponse - Global; Secure session cookies

WAF capability: Malicious Bot Detection & Blocking: Identifies and blocks scraping and brute-force bots
  Control: Rate limiting, CAPTCHA, bot behavior analysis
  ServiceNow platform capability: HTTP Response Headers; Enable Captcha for External User Registration

WAF capability: Protocol Anomaly Detection: Detects malformed HTTP requests
  Control: Strict request parsing, well-configured reverse proxy/load balancer. The ServiceNow REST API requires accurate parameter encoding and data handling to ensure proper processing.
  ServiceNow platform capability: HTTP Response Headers; Validation, sanitization, and encoding; XMLDocument2 Streaming Parser

WAF capability: Session Hijacking Protection: Detects hijacked sessions or replay attempts
  Control: Secure session handling, token expiration, cookie flags
  ServiceNow platform capability: Session management
    • Invalidate Session After OAuth Token Expiration
    • Anti-CSRF token validation time
    • Set Automatic Token Cleanup for Token Credential
    • Enable HTTP Only Cookie Flag

WAF capability: Header Injection & Manipulation Detection: Prevents unauthorized headers or tampering
  Control: Secure default headers, header validation, strict CORS policies
  ServiceNow platform capability: CORS domain requirements; Define a CORS rule; WS-Security SOAP envelope header; REST APIs Security referral policy

WAF capability: Content-Type and Method Enforcement: Enforces correct HTTP methods or content types
  Control: The X-Content-Type-Options response header tells the client that the MIME (Multipurpose Internet Mail Extensions) types advertised in the Content-Type header must be followed rather than sniffed
  ServiceNow platform capability: Auto set Content Type options; Control request and response content type; GlideHTTPRequest - Global

WAF capability: Logging and Alerting: Real-time monitoring, alerting, and logging of attacks
  Control: SIEM integration, audit logging, platform observability features
  ServiceNow platform capability: Log Export Service (LES); ServiceNow Cloud Observability; Events

WAF capability: API Security: Protects REST/GraphQL APIs from abuse or misuse
  Control: Schema enforcement, rate limiting, and JWT validation
  ServiceNow platform capability: Enforce strict REST API security; Access control list rules; Configure a scripted REST API resource to require an ACL; Inbound REST API rate limiting; JWT Bearer

ServiceNow Security Center

ServiceNow provides customers with a comprehensive suite of security controls through ServiceNow Security Center, which acts as a centralized hub where customers can monitor, configure, and manage security features tailored to their ServiceNow environment.
Find out more about ServiceNow Security Center.

Integrating WAF technology in a ServiceNow instance

While these built-in security measures offer robust protection, customers retain the flexibility to integrate their own WAF technologies into their data architecture if desired. The responsibility for designing, deploying, and maintaining such solutions, including the specific configuration of WAF rules and incident response, remains with the customer or their designated third-party provider. ServiceNow, in its role as data processor, does not manage external WAF solutions or their interoperability with the platform; these are external to the core ServiceNow AI Platform subscription service and fully under customer control. This combination of built-in controls and customer-driven configuration enables organizations to maintain both compliance and resilience, securing their ServiceNow environments with confidence and agility.
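As an added example (not ServiceNow platform code and not part of this article), the plain JavaScript below shows generic versions of the application-layer controls that the capability table maps WAF features to: allow-list input validation and HTML output encoding, constant-time anti-CSRF token validation with an expiry window, HTTP method and Content-Type enforcement, an audit for hardened response headers such as X-Content-Type-Options, and a fixed-window inbound rate limiter. All function names, the sample session, request and header values are constructed for illustration and do not correspond to any ServiceNow API.

```javascript
// Added example, not ServiceNow code: generic JavaScript versions of the controls
// the capability table maps WAF features to. Names and sample data are constructed.

// --- Validation, sanitization, and encoding (SQL injection and XSS rows) ---

// Allow-list validation: a record identifier must be exactly 32 lowercase hex characters.
function isValidRecordId(value) {
  return typeof value === "string" && /^[0-9a-f]{32}$/.test(value);
}

// Output encoding for an HTML text context: neutralises markup in user-supplied data
// instead of trying to recognise "bad" input, which is what a WAF signature does.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// --- CSRF strict validation row ---

// Compare two tokens without leaking where they first differ through timing.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// The token on the request must match the session's token and be no older than maxAgeMs.
function csrfTokenValid(session, request, nowMs, maxAgeMs) {
  const expected = session.csrfToken;
  const presented = request.headers["x-csrf-token"];
  if (typeof expected !== "string" || typeof presented !== "string") return false;
  if (!constantTimeEqual(expected, presented)) return false;
  return nowMs - session.csrfIssuedAtMs <= maxAgeMs;
}

// --- Content-Type and Method Enforcement row ---

const ALLOWED_METHODS = new Set(["GET", "POST", "PUT", "PATCH", "DELETE"]);
const ALLOWED_BODY_TYPES = new Set(["application/json", "application/xml"]);

// Returns the list of policy violations for a request; an empty list means accept.
function checkRequest(request) {
  const findings = [];
  if (!ALLOWED_METHODS.has(request.method)) findings.push("method-not-allowed");
  const hasBody = request.body !== undefined && request.body !== "";
  if (hasBody) {
    // Drop parameters such as "; charset=utf-8" before comparing the media type.
    const mediaType = String(request.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
    if (!ALLOWED_BODY_TYPES.has(mediaType)) findings.push("unexpected-content-type");
  }
  if (request.query && request.query.sys_id !== undefined && !isValidRecordId(request.query.sys_id)) {
    findings.push("invalid-sys_id");
  }
  return findings;
}

// --- HTTP Response Headers row ---

// Headers a hardened response should carry. null means "any value, but present";
// X-Content-Type-Options only does its job with the exact value "nosniff".
const REQUIRED_RESPONSE_HEADERS = {
  "x-content-type-options": "nosniff",
  "content-security-policy": null,
  "strict-transport-security": null,
  "x-frame-options": null,
};
function missingResponseHeaders(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;
  return Object.entries(REQUIRED_RESPONSE_HEADERS)
    .filter(([name, want]) => lower[name] === undefined || (want !== null && lower[name] !== want))
    .map(([name]) => name);
}

// --- Inbound REST API rate limiting row ---

// Fixed-window counter per client key; returns true while the client is under the limit.
function makeRateLimiter(limit, windowMs) {
  const windows = new Map();
  return function allow(clientKey, nowMs) {
    const bucket = Math.floor(nowMs / windowMs);
    const entry = windows.get(clientKey);
    if (!entry || entry.bucket !== bucket) {
      windows.set(clientKey, { bucket, count: 1 });
      return true;
    }
    entry.count += 1;
    return entry.count <= limit;
  };
}

// Constructed sample session and request (not captured traffic).
const SAMPLE_SESSION = { csrfToken: "a1b2c3d4e5f6a7b8", csrfIssuedAtMs: 1000000 };
const SAMPLE_REQUEST = {
  method: "POST",
  headers: { "content-type": "application/json; charset=utf-8", "x-csrf-token": "a1b2c3d4e5f6a7b8" },
  query: { sys_id: "0123456789abcdef0123456789abcdef" },
  body: '{"short_description":"<b>hello</b>"}',
};

console.log("request findings:", checkRequest(SAMPLE_REQUEST));
console.log("csrf ok:", csrfTokenValid(SAMPLE_SESSION, SAMPLE_REQUEST, 1060000, 300000));
console.log("encoded:", encodeHtml(JSON.parse(SAMPLE_REQUEST.body).short_description));
```

Each function takes the place of one WAF signature class with a positive control: the request is accepted only when it matches what the application expects (allowed method, allowed media type, well-formed identifier, matching and fresh CSRF token), and output is encoded for its context regardless of what the input looked like. That is the reason the table pairs every WAF capability with platform validation, encoding and policy settings rather than with pattern matching on traffic.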