Skip to main content

Table of Contents

Security Checklist when not deploying on Pega Cloud


Only available versions of this content are shown in the dropdown

When you are deploying on-premises, and not on Pega Cloud, there are additional considerations you should address when completing the Security Checklist. The tasks in this section are not required if you are deploying your application to Pega Cloud, because Pega Cloud automatically performs these tasks.

During production testing, configure your application and the test environment to mirror the intended production environment. Otherwise, your testing might not uncover serious security vulnerabilities.

Secure file uploads
If documents can be uploaded into your application, install a virus checker to control which files can be uploaded, and restrict the file types that are uploaded.
Pega Cloud Services environments automatically check uploaded files for viruses. If you do not have a Pega Cloud Services environment and documents can be uploaded into your application, we recommend you secure them as follows:
  • Use a virus checker to check the files that can be uploaded. You can use an extension point in the CallVirusCheck activity to check attachments.
  • Regularly update your virus checker to enable detection of new viruses.
  • Restrict the file type by adding a when rule or a decision table to the SetAttachmentProperties activity to evaluate whether a document type is allowed. If a file type is not allowed (evaluated as false), you can set up a message on the step page that stops the save attachment activity from being performed.
  • Verify that the XML/AllowDocTypes dynamic system setting is set to false.

For more information, see:

Apply patches, updates, and hotfixes
Install the latest patches and updates to the operating system, application and web servers, proxies, database, and related applications.
For Pega Platform 8.x releases, you should install the latest patch release. For earlier Pega Platform releases you should be running the latest version, and planning to upgrade to Version 8.x in the near future.
Regardless of what release you are running, you should frequently check for any recommended security updates, which are posted at
Secure web.xml
If you are not deploying your application to Pega Cloud, make the following changes to the web.xml deployment descriptor file:
  • Limit or block access to the Pega Platform servlets that support only testing and debugging, including HeapDisplay, SecManServlet, and PRSOAPSimulator.
  • Remove unnecessary resources and servlets.
  • Set appropriate time-outs at the application server level and requestor level.
  • Block access to the prweb/PRServlet servlet, which allows users to log in using the older platform login process instead of the newer PRAuth-based authentication services.

For more information, see Application URL patterns for various authentication service types.

If you are deploying on Pega Cloud, see Security Checklist when deploying on Pega Cloud.

Configure PRconfig.xml settings for production
Verify that prconfig.xml settings are appropriate for a production environment.
Configure the database and communications to mirror production
Configure the system and database according to your company’s security policies and to be the same as in production environment to which the application will be deployed. This configuration should include the use of TLS for all communication between clients and the application.
If you use TLS, remove any cipher suites that have null ciphers. This action prevents the login credentials and password from being sent in clear text format between the client and server even over a TLS connection (if a server and client discover only a null cipher suite in common).
Configure the application server to mirror production
Configure the application server in your test environment to mirror the configuration in your production environment.

For more information, see Implementing security guidelines for test environments.

Did you find this content helpful?

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Ready to crush complexity?

Experience the benefits of Pega Community when you log in.

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us