Description

You might want to restrict inbound REST calls because of internal security concerns or agreements with third parties.

Cause

External requirements

Resolution

Taking into account this use case, we recommend three options:

1. IP restriction: ServiceNow can enforce that API calls are received only from designated IP addresses. You can configure this on HI > My IP Information. This fits the case where you want only servers within your local network to be able to make API calls to our ServiceNow instances.

Out of the box (OOB), we offer this through IP restriction: see "KB0550613 - Identifying and Enabling IP address restrictions".

If the HI IP whitelist/blacklist solution does not meet your business requirements, there are a few other options to explore to achieve this behavior.

2. CORS support: Other than the above, you could try REST API CORS support, which allows you to define which domains can access each REST API. By defining a CORS rule, you can whitelist a domain to allow cross-origin requests from that domain. Cross-origin requests cannot be made from domains without a CORS rule; see CORS domain requirements (Madrid).

Note: CORS support applies only to REST APIs, including scripted REST web services. Other web service APIs, such as the SOAP API, do not support CORS.

3. Inbound REST API rules: Another feature you can use is inbound REST API rate limiting. To prevent excessive inbound REST API requests, set rules that limit the number of inbound REST API requests processed per hour. You can create rules to limit requests for specific users, users with specific roles, or all users. Find further details in our documentation: Inbound REST API rate limiting (Madrid).

Note: Although we recommend these options, bear in mind that other features can be used to get the same behavior.
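The following added example (not ServiceNow code and not part of the original article) models how the three options above each cover a different class of inbound call, so you can see which control decides a given request. The IP range, origin, user name, limits, and the clock-hour counting window are constructed assumptions, and the model is simplified: in practice a CORS mismatch is enforced by the caller's browser.

```python
import ipaddress
from collections import defaultdict

# Constructed sample policy; every value here is an assumption for illustration.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]          # option 1
CORS_RULES = {"/api/now/table": {"https://portal.example.com"}}  # option 2
HOURLY_LIMIT = {"integration.user": 2, "*": 5}                   # option 3

_seen = defaultdict(int)  # (user, hour bucket) -> requests counted so far


def evaluate(src_ip, path, user, epoch_seconds, origin=None):
    """Return which control decides the fate of one inbound REST call."""
    # 1. IP restriction applies to every caller, browser or server.
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_NETS):
        return "blocked_ip"

    # 2. CORS only matters when a browser sends an Origin header.
    #    A server-to-server client sends none, so this step does not
    #    constrain it; the IP restriction above is the control that does.
    if origin is not None:
        allowed = set()
        for prefix, origins in CORS_RULES.items():
            if path.startswith(prefix):
                allowed |= origins
        if origin not in allowed:
            return "blocked_cors"

    # 3. Rate limit: count accepted requests per user per clock hour
    #    (the window alignment is an assumption of this model).
    bucket = (user, epoch_seconds // 3600)
    limit = HOURLY_LIMIT.get(user, HOURLY_LIMIT["*"])
    if _seen[bucket] >= limit:
        return "rate_limited"
    _seen[bucket] += 1
    return "accepted"


if __name__ == "__main__":
    api = "/api/now/table/incident"
    print(evaluate("198.51.100.7", api, "integration.user", 0))
    print(evaluate("203.0.113.10", api, "integration.user", 0,
                   origin="https://other.example.net"))
    print(evaluate("203.0.113.10", api, "integration.user", 0))
```
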

Article Information

Last Updated: 2020-03-24 07:09:30
Published: 2020-03-23