Mitigating common security vulnerabilities
In addition to the policies on the Security Policies landing page, Pega Platform offers additional security restrictions that control cross-site request forgery (CSRF), content security policies (CSP), cross-origin resource sharing (CORS), and others. Use these features to ensure that your system is as secure as possible.
- Understanding Cross-Site Request Forgery (CSRF)
- Using HTTP response headers
To improve the security of your application against client-based attacks, you can use the HTTP response headers that are supported by your browser.
- Defining cross-origin resource sharing (CORS) policies
Cross-origin resource sharing (CORS) policies define a method that enables a browser and server to interact and determine whether it is safe to allow a cross-origin request. For example, a client using a Pega Marketing application running in a browser may see advertisements from third parties, and if the client clicks one of these advertisements, the CORS policy will record that the advertisement was viewed or clicked on.
- Securing your application with a content security policy
You can use content security policies to indicate from where your application can load resources, which makes your application more secure. To view or update the content security policies in your application, or to view the content security policies that are available in Pega Platform, do one of the following actions.
- Configuring the deserialization filter
In Pega Platform, a global filter checks a list of blocked classes that are not allowed to be deserialized. You can add classes to the global deserialization filter to increase the security of your application by preventing unauthorized access.
- Searching for security vulnerabilities in rules
- Configuring the Java injection check
At design time and at run time, Pega Platform checks activities, functions, and stream and validation rules for particular Java injection vulnerabilities. Extend the default behavior to check for additional vulnerabilities.
- Defining security policies
To define security policies for user authentication and session management, use the Security Policies tab.
- Preparing your application for secure deployment
Use the Application Security Checklist to prepare your application for deployment. By completing the tasks on this checklist, you can safeguard sensitive data and improve the security of your application.
A keystore is a file that contains keys and certificates that you use for encryption, authentication, and serving content over HTTPS. In Pega Platform, you create a keystore data instance that points to a keystore file.
- Storing case attachments using external storage
You can configure your application to store case and Pulse attachments outside the Pega Platform database. By using external resources, you can upload large files without causing out-of-memory errors.
- Configuring external storage options for attachments
Use external storage to attach content to a case or Pulse conversation.
- Securing the Pega API
To ensure the safety of Pega API credentials that are transferred through HTTP basic authentication, use TLS 1.2, a strong transport layer security protocol, when installing your Pega application. You can also secure the Pega API by using OAuth 2.0.