Mitigating common security vulnerabilities

In addition to the policies on the Security Policies landing page, Pega Platform offers additional security restrictions that control cross-site request forgery (CSRF), content security policies (CSP), cross-origin resource sharing (CORS), and others. Use these features to ensure that your system is as secure as possible.

  • Understanding Cross-Site Request Forgery (CSRF)
  • Using HTTP response headers

    To improve the security of your application against client-based attacks, you can use the HTTP response headers that are supported by your browser.

  • Defining cross-origin resource sharing (CORS) policies

    Cross-origin resource sharing (CORS) policies define a method that enables a browser and server to interact and determine whether it is safe to allow a cross-origin request. For example, a client using a Pega Marketing application running in a browser may see advertisements from third parties, and if they click one of these advertisements, the CORS policy will record that the advertisement was viewed or clicked.

  • Securing your application with a content security policy

    You can use content security policies to indicate from where your application can load resources, which makes your application more secure. To view or update the content security policies in your application, or to view the content security policies that are available in Pega Platform, do one of the following actions.

  • Configuring the deserialization filter

    In Pega Platform, a global filter checks a list of blocked classes that are not allowed to be deserialized. You can add classes to the global deserialization filter to increase the security of your application by preventing unauthorized access.

  • Searching for security vulnerabilities in rules

    The Rule Security Analyzer can find specific JavaScript or SQL coding patterns that might indicate a security vulnerability. The most effective way to search for vulnerabilities is to run the Rule Security Analyzer several times, each time matching against a different regular expression rule. If the Rule Security Analyzer finds problems, you can fix them to make your system more secure.

  • Configuring the Java injection check

    At design time and at run time, Pega Platform checks activities, functions, and stream and validation rules for particular Java injection vulnerabilities. Extend the default behavior to check for additional vulnerabilities.

  • Defining security policies

    To define security policies for user authentication and session management, use the Security Policies tab.

  • Preparing your application for secure deployment

    Use the Application Security Checklist to prepare your application for deployment. By completing the tasks on this checklist, you can safeguard sensitive data and improve the security of your application.

  • Keystores

    A keystore is a file that contains keys and certificates that you use for encryption, authentication, and serving content over HTTPS. In Pega Platform, you create a keystore data instance that points to a keystore file.

  • Storing case attachments using external storage

    You can configure your application to store case and Pulse attachments outside the Pega Platform database. By using external resources, you can upload large files without causing out-of-memory errors.

  • Configuring external storage options for attachments

    Use external storage to attach content to a case or Pulse conversation.

  • Securing the Pega API

    To ensure the safety of Pega API credentials that are transferred through HTTP basic authentication, use TLS 1.2, a strong transport-layer security protocol, when installing your Pega application. You can also secure the Pega API by using OAuth 2.0.
