This content has been archived.

Security settings in the prconfig.xml file

The prconfig.xml file and Dynamic System Settings include parameters that control access to the Pega Platform™ database. As a best practice, use Dynamic System Settings rather than editing the prconfig.xml file; edit the prconfig.xml file only to override Dynamic System Settings for a specific node. For more information, see Modifying the prconfig.xml file and Dynamic System Settings.

Because settings in the prconfig.xml file might have been changed during development or might be inappropriate for a production environment, review the contents of this file before moving an application to production.

Not all of these entries are relevant to your environment or security policies. Add only the entries that are suitable for your application and environment.

Many of the settings can be applied to your deployment environment as Dynamic System Settings by adding the prefix prconfig/ and appending the suffix /default to the setting name. For example, the prconfig.xml setting cookie/HttpOnly becomes the Dynamic System Setting prconfig/cookie/HttpOnly/default. For more information, see Default Dynamic System Settings data instances.

If you are using custom authentication, review the Security implications column to determine how to match the behavior of the settings to your configuration.

Each entry below lists the category, the entry name, the default setting, the secure setting, and the security implications.

Category: Alerts/database
Entry name: operationTimeThreshold/suppressInserts
Default setting: true
Secure setting: true
Security implications: Recommended for all deployments. Prevents SQL statements from being written to the alert log in clear text. By default, all entries in the alert log show all data associated with the alert, including customer ID numbers, passwords, and other sensitive data. Setting this entry to true prevents sensitive data from being written to the alert log. Prevents SQL injection attacks and prevents exposing sensitive information about how data is written to the database.

Category: Alerts/general
Entry name: Includeparameterpage
Default setting: false
Secure setting: false
Security implications: Determines whether the parameter page of the topmost stack frame is included in the alert log when the alert is generated. Depending on what is being processed when the alert is generated, data from a work item or other sensitive records could be included in the log. The default behavior prevents Pega Platform from writing sensitive data to the alert log, which is a clear-text file. Setting this value to true causes parameter page data to be written to the log.

Category: Alerts/parameterpage
Entry name: obfuscateKeywords
Default setting: Blank
Secure setting: See the Security implications.
Security implications: Lists alert keywords that are omitted from the alert content. The default setting automatically includes the operator's identifier and password. Add keywords as needed to ensure that all personally identifiable information (PII) is eliminated from the alert log.

Category: Alerts/parameterpage
Entry name: allowedKeywords
Default setting: Blank
Secure setting: Blank
Security implications: Eliminates PII data from the alert log, making it potentially more difficult to resolve the issue reported by the alert. The following keywords are supported: pyActivity, pyStream, action, harnessName, StreamClass, StreamName, ViewClass, ViewPurpose, ViewOwner, objClass, insName, Format, openHandle, ActivityClassToExecute, ActivityNameToExecute, TaskStatus, FlowClass, FlowType, flowType, CustomActivityName, CustomActivityClassName, actionName, productName, productVersion, portal, pyAction, pyClassName, primaryPageClass, ViewInsKey, InsKey, pyReportName, pyReportClass.

Category: Alerts/parameterpage
Entry name: remoteFilterType
Default setting: Allowed
Secure setting: Allowed
Security implications: Eliminates all clear-text information in the alert log, making it potentially more difficult to resolve the issue reported by the alert.

Category: authentication
Entry name: UsePreauthenticationCookie
Default setting: true
Secure setting: true
Security implications: By default, Pega Platform generates a cookie for each user to track the user's requestor ID throughout the user session. The setting adds security to the cookie and helps guard against replay attacks. If this entry is set to false, the cookie contains the same value whether or not the user is authenticated. If this entry is set to true, Pega Platform uses a different cookie value when the requestor is not authenticated.

Category: crypto
Entry name: onewayhashalgorithm
Default setting: bcrypt
Secure setting: bcrypt
Security implications: Hashing algorithm for operator password storage. As a best practice, configure this setting before creating the operator that is used during testing. The bcrypt default is salted.

Category: crypto
Entry name: v5portable
Default setting: true
Secure setting: true
Security implications: Recommended for all deployments. The setting adds complexity to reversible encryption when using the Pega Platform portable cipher by adding a 128-bit AES-based cipher to the v5oneway encryption process to strengthen the encryption.

Category: Database
Entry name: dumpStats
Default setting: false
Secure setting: false
Security implications: Recommended for all development and testing deployments. This is a high-volume-output tool only for use in development and testing environments. Do not use it in production. Prevents exposing sensitive information that could otherwise aid a hacker in predicting system behavior.

Category: HTTP
Entry name: SetSecureCookie
Default setting: false
Secure setting: true
Security implications: Use this setting if running Pega Platform over HTTPS. The browser then sends cookies only over SSL. This setting prevents exposure of the session ID cookie and prevents session hijacking.

Category: HTTP
Entry name: UseNoCacheHeaders
Default setting: false
Secure setting: true
Security implications: Recommended for all deployments. Prevents dynamic content and sensitive information from being cached on the client, regardless of expiration time. Also disables tracer functionality and forces fresh loading of the dynamic content from the server for each request. Prevents session hijacking, injection attacks, and cross-site scripting.

Category: Initialization
Entry name: DisableAutoComplete
Default setting: false
Secure setting: true
Security implications: Recommended for all deployments. This setting prevents client-side storage of user name and password combinations. Use this setting in conjunction with clearing any existing stored sensitive information in the browser.

Category: Initialization
Entry name: DisplayExceptionTraceback
Default setting: true
Secure setting: false
Security implications: Recommended for all deployments. This setting prevents display of the stack trace when an error occurs, and removes the Show Exception Details button, which could expose sensitive information in a production environment.

Category: Initialization
Entry name: ProfileApplication
Default setting: false
Secure setting: false
Security implications: Recommended for all deployments. This setting turns off the Application Profiler, which writes sensitive information to log files.

Category: Initialization
Entry name: PromoteEmbeddedPortals
Default setting: false
Secure setting: true
Security implications: Recommended for all deployments. This setting prevents a Pega Platform HTML frame from being embedded in an invisible additional frame that could contain malicious code.

Category: Initialization
Entry name: SubmitObfuscatedURL
Default setting: optional
Secure setting: required
Security implications: Recommended for all deployments. This setting also requires the Urlencryption entry to be enabled; the two entries work as a pair. Causes Pega Platform to reject clear-text URLs.

Category: Initialization
Entry name: Urldebug
Default setting: none
Secure setting: none
Security implications: Recommended for all deployments. This setting prevents obfuscated URLs from being written to the log file, which prevents exposing potentially sensitive information.

Category: Initialization
Entry name: Urlencryption
Default setting: false
Secure setting: true
Security implications: Recommended for all deployments. This setting works as a pair with SubmitObfuscatedURL. The setting enables or disables the encryption of URLs.

Category: Initialization
Entry name: ErrorOnInvalidThreadName
Default setting: false
Secure setting: true
Security implications: Rejects requests whose URL contains a thread name with invalid characters that can potentially be malicious, for example, symbol characters.

Category: Timeout
Entry name: Browser
Default setting: 3600
Secure setting: 900 (or fewer)
Security implications: Specifies the time-out value (in seconds) after which inactive users are passivated.

Category: Cookie
Entry name: HTTPOnly
Default setting: false
Secure setting: true
Security implications: Prevents client-side JavaScript from accessing the PegaRULES cookie (for example, the session identifier).

Category: Security
Entry name: showSQLInListPage
Default setting: true
Secure setting: false
Security implications: Suppresses visibility of generated SQL on the clipboard page.

Category: Security
Entry name: UnexpectedInputPropertyAlert
Default setting: true
Secure setting: true
Security implications: Ignores unexpected properties in a request.

Category: Security/CSP
Entry name: PolicyEnabled
Default setting: true
Secure setting: true
Security implications: Enables Content Security Policy (CSP) support.
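The page asks you to review prconfig.xml before moving to production and explains how a prconfig setting maps to a Dynamic System Setting name. The following script is an added example written for this page; it is not Pega tooling and not part of the original documentation. It parses a prconfig.xml fragment, compares each setting in the table above with its secure value (treating an absent entry as the platform default), reports the Dynamic System Setting name that would override it, and can emit a hardened fragment containing every setting whose secure value differs from its default. It assumes the standard prconfig.xml layout of `<env name="..." value="..."/>` elements under a `<pegarules>` root, and assumes that a setting's full name is the table's Category and Entry name joined with "/" (the pattern the page's own cookie/HttpOnly example follows), compared case-insensitively. The sample fragment is constructed for the example.

```python
"""Audit a prconfig.xml fragment against the secure settings listed above.

Added example, not Pega's own tooling. Assumptions: <env name="..." value="..."/>
entries under a <pegarules> root (standard prconfig.xml layout); a setting's
full name is Category/EntryName from the table; names compare case-insensitively.
"""
import xml.etree.ElementTree as ET

# (default, secure) per setting, taken from the table. Entries whose secure
# value is "Blank" or "see Security implications" are not checked here.
SECURE = {
    "alerts/database/operationTimeThreshold/suppressInserts": ("true", "true"),
    "alerts/general/Includeparameterpage": ("false", "false"),
    "alerts/parameterpage/remoteFilterType": ("Allowed", "Allowed"),
    "authentication/UsePreauthenticationCookie": ("true", "true"),
    "crypto/onewayhashalgorithm": ("bcrypt", "bcrypt"),
    "crypto/v5portable": ("true", "true"),
    "database/dumpStats": ("false", "false"),
    "http/SetSecureCookie": ("false", "true"),
    "http/UseNoCacheHeaders": ("false", "true"),
    "initialization/DisableAutoComplete": ("false", "true"),
    "initialization/DisplayExceptionTraceback": ("true", "false"),
    "initialization/ProfileApplication": ("false", "false"),
    "initialization/PromoteEmbeddedPortals": ("false", "true"),
    "initialization/SubmitObfuscatedURL": ("optional", "required"),
    "initialization/Urldebug": ("none", "none"),
    "initialization/Urlencryption": ("false", "true"),
    "initialization/ErrorOnInvalidThreadName": ("false", "true"),
    "cookie/HTTPOnly": ("false", "true"),
    "security/showSQLInListPage": ("true", "false"),
    "security/UnexpectedInputPropertyAlert": ("true", "true"),
    "security/CSP/PolicyEnabled": ("true", "true"),
}
# Timeout/Browser is numeric: default 3600 seconds, secure is 900 or fewer.
BROWSER_TIMEOUT = "timeout/Browser"
BROWSER_TIMEOUT_DEFAULT = 3600
BROWSER_TIMEOUT_MAX = 900


def dss_name(setting):
    """Dynamic System Setting purpose for a prconfig setting: prconfig/<name>/default."""
    return "prconfig/" + setting + "/default"


def parse_prconfig(xml_text):
    """Map lower-cased setting name -> value for every <env name=... value=.../> entry."""
    root = ET.fromstring(xml_text)
    return {e.get("name").lower(): e.get("value", "")
            for e in root.iter("env") if e.get("name")}


def audit(xml_text):
    """Return (setting, effective value, expected secure value, DSS name) for each
    setting whose effective value is not the secure one. An absent entry is
    assumed to take the platform default from the table."""
    present = parse_prconfig(xml_text)
    findings = []
    for name, (default, secure) in SECURE.items():
        effective = present.get(name.lower(), default)
        if effective.strip().lower() != secure.lower():
            findings.append((name, effective, secure, dss_name(name)))
    raw = present.get(BROWSER_TIMEOUT.lower(), str(BROWSER_TIMEOUT_DEFAULT))
    try:
        too_long = int(raw) > BROWSER_TIMEOUT_MAX
    except ValueError:            # non-numeric value is itself a finding
        too_long = True
    if too_long:
        findings.append((BROWSER_TIMEOUT, raw, "900 (or fewer)", dss_name(BROWSER_TIMEOUT)))
    return findings


def hardened_fragment():
    """Emit <env> entries for every setting whose secure value differs from its default."""
    lines = ["<pegarules>"]
    for name, (default, secure) in SECURE.items():
        if default.lower() != secure.lower():
            lines.append('  <env name="%s" value="%s" />' % (name, secure))
    lines.append('  <env name="%s" value="%d" />' % (BROWSER_TIMEOUT, BROWSER_TIMEOUT_MAX))
    lines.append("</pegarules>")
    return "\n".join(lines)


# Constructed sample: a node-level prconfig.xml with a mix of secure, insecure
# and missing entries (the missing ones fall back to the table's defaults).
SAMPLE_PRCONFIG = """<pegarules>
  <env name="cookie/HttpOnly" value="true" />
  <env name="http/SetSecureCookie" value="true" />
  <env name="http/UseNoCacheHeaders" value="true" />
  <env name="initialization/DisplayExceptionTraceback" value="true" />
  <env name="initialization/SubmitObfuscatedURL" value="required" />
  <env name="initialization/Urlencryption" value="true" />
  <env name="timeout/Browser" value="1800" />
  <env name="database/dumpStats" value="true" />
</pegarules>
"""

if __name__ == "__main__":
    for setting, value, expected, dss in audit(SAMPLE_PRCONFIG):
        print("%-52s is %-8s expected %-14s (or set DSS %s)" % (setting, value, expected, dss))
```

Run against the sample, the audit flags the entries set to insecure values (DisplayExceptionTraceback, dumpStats, the 1800-second browser timeout) as well as the settings that are simply absent and therefore still at an insecure default (DisableAutoComplete, PromoteEmbeddedPortals, ErrorOnInvalidThreadName, showSQLInListPage); the hardened fragment it can generate passes the same audit cleanly. Settings whose secure column is "Blank" or "see the Security implications" need a manual review and are left out of the automated check.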