Mitigating common security vulnerabilities
In addition to the policies on the Security Policies landing page, Pega Platform offers additional security restrictions that control cross-site request forgery (CSRF), content security policies (CSP), cross-origin resource sharing (CORS), and others. Use these features to ensure that your system is as secure as possible.
- Understanding Cross-Site Request Forgery (CSRF)
- Using HTTP response headers
To improve the security of your application against client-based attacks, you can use the HTTP response headers that are supported by your browser.
- Defining cross-origin resource sharing (CORS) policies
Cross-origin resource sharing (CORS) policies define a method that enables a browser and server to interact and determine whether it is safe to allow a cross-origin request. For example, a client using a Pega Marketing application running in a browser, may see advertisements from third-parties, and if they click one of these advertisements, the CORS policy will record that the advertisement was viewed or clicked on.
- Securing your application with a content security policy
You can use content security policies to indicate from where your application can load resources, which makes your application more secure. To view or update the content security policies in your application, or to view the content security policies that are available in Pega Platform, do one of the following actions.
- Configuring the deserialization filter
In Pega Platform, a global filter checks a list of blocked classes that are not allowed to be deserialized. You can add classes to the global deserialization filter to increase the security of your application by preventing unauthorized access.
- Searching for security vulnerabilities in rules
- Configuring the Java injection check
At design time and at run time, Pega Platform checks activities, functions, and stream and validation rules, for particular Java injection vulnerabilities. Extend the default behavior to check for additional vulnerabilities.