
Dynamic system settings for application security

As a leading practice, before moving your application from development to a production environment, configure the following dynamic system settings to enable greater security in your application.

On-premises clients should define these settings as Pega Platform dynamic system settings, which are stored in the database, so that they take effect on all nodes. Settings whose names carry the "prconfig" prefix can also be configured per node in the prconfig.xml file, but that is not a recommended leading practice, because a node whose prconfig.xml is missed stays at the weaker value.

For more information, see Creating a custom application header.
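The following script audits a deployment against the secure values in the table that follows, reporting every dynamic system setting and every per-node prconfig.xml entry that deviates from them. It is an added example for this page, not Pega tooling. It assumes that the dynamic system settings are supplied as a dict of setting name to value, and that each node's prconfig.xml uses `<env name="..." value="..."/>` elements under a `<pegarules>` root, where the env name is the setting name without its "prconfig/" prefix and "/default" suffix; both are assumptions, as is the sample input embedded in the script.

```python
"""Audit Pega Platform security settings against the secure values in the
table on this page.

Added example for this page; it is not Pega's own tooling. Assumptions
(labelled): DSS are supplied as {setting name: value}; each node's prconfig.xml
uses <env name="..." value="..."/> under a <pegarules> root, the env name being
the DSS name without its "prconfig/" prefix and "/default" suffix.
"""
import xml.etree.ElementTree as ET

# (default, secure) values as listed in the table on this page.
BASELINE = {
    "prconfig/alerts/database/operationTimeThreshold/suppressInserts/default": ("true", "true"),
    "prconfig/authentication/UsePreauthenticationCookie/default": ("true", "true"),
    "prconfig/crypto/onewayhashalgorithm/default": ("bcrypt", "bcrypt"),
    "prconfig/Database/dumpStats/default": ("false", "false"),
    "prconfig/HTTP/SetSecureCookie/default": ("false", "true"),
    "prconfig/HTTP/UseNoCacheHeaders/default": ("true", "true"),
    "prconfig/initialization/DisableAutoComplete/default": ("false", "true"),
    "prconfig/initialization/DisplayExceptionTraceback/default": ("false", "false"),
    "prconfig/initialization/ProfileApplication/default": ("false", "false"),
    "prconfig/initialization/PromoteEmbeddedPortals/default": ("false", "true"),
    "prconfig/initialization/ErrorOnInvalidThreadName/default": ("true", "true"),
    "prconfig/Cookie/HTTPOnly/default": ("true", "true"),
    "prconfig/security/showSQLInListPage/default": ("true", "false"),
    "prconfig/security/CSP/PolicyEnabled/default": ("true", "true"),
    "prconfig/initialization/SubmitObfuscatedURL/default": ("optional", "required"),
    "prconfig/initialization/Urldebug/default": ("none", "none"),
    "prconfig/initialization/Urlencryption/default": ("false", "true"),
}
TIMEOUT_KEY = "prconfig/Timeout/Browser/default"
MAX_BROWSER_TIMEOUT = 900  # seconds; the table says 900 or fewer


def prconfig_name(dss_name):
    """'prconfig/HTTP/SetSecureCookie/default' -> 'HTTP/SetSecureCookie' (assumed mapping)."""
    prefix, suffix = "prconfig/", "/default"
    if dss_name.startswith(prefix) and dss_name.endswith(suffix):
        return dss_name[len(prefix):-len(suffix)]
    return None


def load_prconfig(xml_text):
    """Return {env name: value} from one node's prconfig.xml."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): e.get("value") for e in root.iter("env")}


def norm(value):
    return (value or "").strip().lower()


def audit(dss, node_prconfigs):
    """Return findings as (source, setting, observed, expected) tuples.

    An unset DSS is taken to be at its documented default. Every per-node
    prconfig.xml entry that weakens a baseline setting is reported on its own;
    which source wins is not modelled, since per-node overrides are discouraged.
    """
    findings = []
    for name, (default, secure) in BASELINE.items():
        observed = dss.get(name, default)
        if norm(observed) != secure:
            findings.append(("dss", name, observed, secure))
    timeout = dss.get(TIMEOUT_KEY, str(MAX_BROWSER_TIMEOUT)).strip()
    if not timeout.isdigit() or int(timeout) > MAX_BROWSER_TIMEOUT:
        findings.append(("dss", TIMEOUT_KEY, timeout, f"<= {MAX_BROWSER_TIMEOUT}"))
    secure_by_env = {prconfig_name(k): v[1] for k, v in BASELINE.items()}
    for node, envs in node_prconfigs.items():
        for env_name, value in envs.items():
            if env_name in secure_by_env and norm(value) != secure_by_env[env_name]:
                findings.append((f"prconfig.xml:{node}", env_name, value, secure_by_env[env_name]))
    return findings


# Constructed sample input: a partially hardened DSS set and one node's prconfig.xml.
SAMPLE_DSS = {
    "prconfig/HTTP/SetSecureCookie/default": "false",                     # insecure default kept
    "prconfig/initialization/DisplayExceptionTraceback/default": "true",  # weakened
    "prconfig/Timeout/Browser/default": "3600",                           # above the 900 s ceiling
    "prconfig/initialization/DisableAutoComplete/default": "true",
    "prconfig/initialization/PromoteEmbeddedPortals/default": "true",
    "prconfig/security/showSQLInListPage/default": "false",
    "prconfig/initialization/SubmitObfuscatedURL/default": "required",
    "prconfig/initialization/Urlencryption/default": "true",
}
SAMPLE_PRCONFIG = {
    "node1": """<?xml version="1.0"?>
<pegarules>
  <env name="HTTP/SetSecureCookie" value="true"/>
  <env name="initialization/DisplayExceptionTraceback" value="true"/>
</pegarules>""",
}


def run_sample():
    return audit(SAMPLE_DSS, {n: load_prconfig(x) for n, x in SAMPLE_PRCONFIG.items()})


if __name__ == "__main__":
    for source, setting, observed, expected in run_sample():
        print(f"{source}: {setting} = {observed!r}, expected {expected}")
```

Run it against the real exported settings and the prconfig.xml of every node before the production cut-over; an empty result is the goal, and any prconfig.xml finding is a reason to move that setting back into the dynamic system settings.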

For each setting, the entries below give the default value, the recommended secure value, and the security implications.

prconfig/alerts/database/operationTimeThreshold/suppressInserts/default
Default: true. Secure: true.
Recommended for all deployments. Prevents SQL statements from being written to the alert log in clear text. By default, every alert log entry includes all data associated with the alert, including customer ID numbers, passwords, and other sensitive data; setting this entry to true keeps that data out of the alert log. It also avoids exposing details of how data is written to the database. This is log hygiene only: it does not by itself prevent SQL injection.

prconfig/alerts/parameterpage/allowedKeywords/default
Default: blank. Secure: blank.
Keeps PII out of the alert log, at the cost of making the issue reported by the alert potentially harder to diagnose. The following keywords are supported: pyActivity, pyStream, action, harnessName, StreamClass, StreamName, ViewClass, ViewPurpose, ViewOwner, objClass, insName, Format, openHandle, ActivityClassToExecute, ActivityNameToExecute, TaskStatus, FlowClass, FlowType, flowType, CustomActivityName, CustomActivityClassName, actionName, productName, productVersion, portal, pyAction, pyClassName, primaryPageClass, ViewInsKey, InsKey, pyReportName, pyReportClass.

prconfig/alerts/parameterpage/remoteFilterType/default
Default: Obfuscate. Secure: Allowed.
Eliminates all clear-text information from the alert log, which can make the issue reported by the alert harder to diagnose.

prconfig/authentication/UsePreauthenticationCookie/default
Default: true. Secure: true.
By default, Pega Platform generates a cookie for each user to track the user's requestor ID throughout the session. This setting adds security to that cookie and helps guard against replay attacks. If set to false, the cookie carries the same value whether or not the user is authenticated; if set to true, Pega Platform uses a different cookie value while the requestor is not yet authenticated.

prconfig/crypto/onewayhashalgorithm/default
Default: bcrypt. Secure: bcrypt.
Hashing algorithm for operator password storage. As a leading practice, set this before creating the operators used during testing. The bcrypt default is salted.

prconfig/Database/dumpStats/default
Default: false. Secure: false.
Keep disabled in production. This is a high-volume output tool for use only in development and testing environments; its output could expose information that helps an attacker predict system behavior.

prconfig/HTTP/SetSecureCookie/default
Default: false. Secure: true.
Set to true when Pega Platform is served over HTTPS. The browser then sends the cookie only over TLS connections, which prevents the session ID cookie from being exposed on a plaintext connection and so helps prevent session hijacking.

prconfig/HTTP/UseNoCacheHeaders/default
Default: true. Secure: true.
Recommended for all deployments. Prevents dynamic content and sensitive information from being cached on the client, regardless of expiration time, and forces dynamic content to be loaded fresh from the server for each request. Also disables tracer functionality. This limits the exposure of sensitive pages, including session-bound content, through browser and proxy caches.

prconfig/initialization/DisableAutoComplete/default
Default: false. Secure: true.
Recommended for all deployments. Prevents client-side storage of user name and password combinations. Use it together with clearing any sensitive information already stored in the browser.

prconfig/initialization/DisplayExceptionTraceback/default
Default: false. Secure: false.
Recommended for all deployments. Keeps stack traces from being displayed when an error occurs and removes the Show Exception Details button; a stack trace can expose sensitive implementation details in a production environment.

prconfig/initialization/ProfileApplication/default
Default: false. Secure: false.
Recommended for all deployments. Keeps the Application Profiler, which writes sensitive information to log files, turned off.

prconfig/initialization/PromoteEmbeddedPortals/default
Default: false. Secure: true.
Recommended for all deployments. Prevents a Pega Platform HTML frame from being embedded in another, possibly invisible, frame on a page that could contain malicious code (clickjacking).

prconfig/initialization/ErrorOnInvalidThreadName/default
Default: true. Secure: true.
Rejects requests whose URL contains invalid characters, such as symbol characters, in the thread name; such requests are potentially malicious.

prconfig/Timeout/Browser/default
Default: 900. Secure: 900 or fewer.
The user session time-out in seconds. If the user performs no action within this interval, the session is terminated.

prconfig/Cookie/HTTPOnly/default
Default: true. Secure: true.
Prevents client-side JavaScript from accessing the PegaRULES cookie (for example, the session identifier).

prconfig/security/showSQLInListPage/default
Default: true. Secure: false.
When set to false, suppresses the generated SQL on the clipboard page.

prconfig/security/UnexpectedInputPropertyAlert/default
Default: true. Secure: true.
Ignores unexpected properties in a request.

prconfig/security/CSP/PolicyEnabled/default
Default: true. Secure: true.
Enables Content Security Policy (CSP) support.

EnableAttributeBasedSecurity
Default: true. Secure: true.
Enables enforcement of access control policies and access control policy conditions (attribute-based access control, ABAC).

DiscoverableItemsIncludedForSummaryReport
Default: false. Secure: false.
Controls the discoverability feature associated with read-type access control policies; leave it disabled.

security/enableJavaInjectionMitigation
Default: false. Secure: true.
Enables Java injection mitigation checks for all ruleset versions.

prconfig/alerts/parameterpage/obfuscateKeywords/default
Default: blank. Secure: see the implications below.
Deprecated. Lists alert keywords that are omitted from the alert content. The default automatically includes the operator's identifier and password. Add keywords as needed to ensure that all personally identifiable information (PII) is kept out of the alert log.

prconfig/initialization/SubmitObfuscatedURL/default
Default: optional. Secure: required.
Recommended for all deployments. Works as a pair with the Urlencryption entry, which must also be enabled. When set to required, Pega Platform rejects clear-text URLs.

prconfig/initialization/Urldebug/default
Default: none. Secure: none.
Recommended for all deployments. Prevents obfuscated URLs from being written to the log file, where they could expose potentially sensitive information.

prconfig/initialization/Urlencryption/default
Default: false. Secure: true.
Recommended for all deployments. Works as a pair with SubmitObfuscatedURL; enables or disables encryption of URLs.
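The cookie and cache settings above (SetSecureCookie, Cookie/HTTPOnly, UseNoCacheHeaders) can be verified from the outside by inspecting a response from the deployed application. The following check does that for a captured raw HTTP response; it is an added example for this page, not Pega code. The response it contains is constructed, the cookie name Pega-RULES is illustrative (the page only calls it the PegaRULES cookie), and the cache check uses a reviewer's baseline of Cache-Control: no-store plus no-cache, since the exact header values emitted by UseNoCacheHeaders are not stated on this page.

```python
"""Check a captured HTTP response for the cookie flags and cache headers that
the settings above are meant to produce.

Added example for this page; it is not Pega code. The response below is
constructed and the cookie name Pega-RULES is illustrative. The cache check
uses the reviewer's baseline of Cache-Control: no-store and no-cache; the exact
header values emitted by UseNoCacheHeaders are not stated on this page.
"""


def parse_headers(raw_response):
    """Return [(name_lower, value)] for the header block of a raw HTTP response."""
    headers = []
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_attrs(set_cookie_value):
    """Split 'name=value; Path=/; Secure; HttpOnly' into (name, {attribute names})."""
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_response(raw_response):
    """Return a list of findings; an empty list means the response passes."""
    findings = []
    headers = parse_headers(raw_response)
    for hname, value in headers:
        if hname != "set-cookie":
            continue
        name, attrs = cookie_attrs(value)
        if "secure" not in attrs:  # cookie would also be sent over plain HTTP
            findings.append(f"cookie {name}: missing Secure (prconfig/HTTP/SetSecureCookie)")
        if "httponly" not in attrs:  # cookie readable by client-side script
            findings.append(f"cookie {name}: missing HttpOnly (prconfig/Cookie/HTTPOnly)")
    directives = {
        d.strip().lower()
        for hname, value in headers if hname == "cache-control"
        for d in value.split(",")
    }
    for required in ("no-store", "no-cache"):
        if required not in directives:
            findings.append(f"Cache-Control lacks {required} (prconfig/HTTP/UseNoCacheHeaders)")
    return findings


# Constructed response: one cookie lacks Secure and the cache policy still allows storage.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Set-Cookie: Pega-RULES=HnR3x0Q; Path=/prweb; HttpOnly
Set-Cookie: JSESSIONID=5F2A91; Path=/prweb; Secure; HttpOnly
Cache-Control: no-cache
Pragma: no-cache

<html><body>...</body></html>"""


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```

Run it against the login response and a few authenticated page loads, since the session cookie is only issued on some responses and each response carries its own cache headers.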

Cross-site request forgery settings

To obtain the values to include in the cross-site request forgery (CSRF) mitigation lists, enable CSRF mitigation and then test the application in detail, capturing the requests that fail because of the CSRF protection. From those requests, identify the activities, streams, and referrer headers, and add them to the settings below. For more information, see Configuring CSRF protection.

For Pega Platform™ 8.1 and later, use the Cross-Site Request Forgery landing page to manage these settings instead of modifying them directly. For more information, see Enabling Cross-Site Request Forgery settings.

For each setting, the entries below give the default value, the recommended secure value, and the security implications.

Security/CSRF/mitigation
Default: false. Secure: true.
Enables the CSRF mitigation feature.

Security/CSRF/securedActivities
Default: blank. Secure: a comma-delimited list of the activities to secure.
A request for an activity in this list must include a valid CSRF token.

Security/CSRF/securedStreams
Default: blank. Secure: a comma-delimited list of the streams to secure.
A request for a stream in this list must include a valid CSRF token.

Security/CSRF/validReferers
Default: blank. Secure: a comma-delimited list of valid referrers for incoming requests.
If the CSRF token and the activity/stream validations fail, the referrer header is validated against this list, and the request is rejected if the referrer is not on it. Add only referrers that you control: a request from a listed referrer is accepted even though its token check failed.

Security/CSRF/secureall
Default: false. Secure: true.
Requires a valid CSRF token for all activities and streams, with no exceptions.

XML/AllowDocTypes
Default: false. Secure: false.
Prevents parsing of DOCTYPE declarations in XML, which protects against XML External Entity (XXE) attacks.
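The procedure described above (enable mitigation, test, capture the failing requests, and turn their activities, streams, and referrers into the three list settings) as an added example that is not part of the page or Pega's tooling. It assumes that each captured request is represented as a dict holding the request URL and its Referer header, that activities and streams are identified by the pyActivity and pyStream query parameters, and that a captured Referer value can be used as-is, since this page does not state the exact entry format expected for validReferers; the requests, activity names, and hosts are constructed. The point it adds is the filter on validReferers: every failed request's activity and stream can be secured, but only referrers from origins you control may be allowlisted.

```python
"""Derive the CSRF mitigation lists from requests captured during testing.

Added example for this page; it is not Pega's own tooling. Assumptions
(labelled): a captured request is a dict with the request URL and Referer
header; activities and streams are identified by the pyActivity and pyStream
query parameters; a captured Referer value is used as-is for validReferers.
"""
from urllib.parse import parse_qs, urlsplit


def origin(url):
    """scheme://host[:port], lower-cased, for comparing referrers to trusted origins."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def derive_csrf_settings(failed_requests, trusted_origins):
    """Return ({setting name: value}, [referrers that were not allowlisted]).

    Activities and streams from every failed request go into the secured lists;
    requiring a token for them is harmless. Referrers are added only when their
    origin is one you control, because the referrer check is the fallback that
    accepts a request after its token validation has failed.
    """
    trusted = {o.lower().rstrip("/") for o in trusted_origins}
    activities, streams, referers, untrusted = set(), set(), set(), []
    for req in failed_requests:
        query = parse_qs(urlsplit(req["url"]).query)
        activities.update(query.get("pyActivity", []))
        streams.update(query.get("pyStream", []))
        ref = req.get("referer")
        if not ref:
            continue  # no Referer header: nothing to allowlist
        if origin(ref) in trusted:
            referers.add(ref)
        else:
            untrusted.append(ref)
    settings = {
        "Security/CSRF/securedActivities": ",".join(sorted(activities)),
        "Security/CSRF/securedStreams": ",".join(sorted(streams)),
        "Security/CSRF/validReferers": ",".join(sorted(referers)),
    }
    return settings, untrusted


# Constructed sample: requests that failed after Security/CSRF/mitigation was
# enabled. Activity, stream and host names are illustrative.
FAILED_REQUESTS = [
    {"url": "https://app.example.com/prweb/PRServlet?pyActivity=MyCo-FW-App-Work.SubmitOrder&pzPostData=1",
     "referer": "https://app.example.com/prweb/PRServlet"},
    {"url": "https://app.example.com/prweb/PRServlet?pyStream=MyCoCaseManagerPortal",
     "referer": "https://app.example.com/prweb/app/portal/"},
    {"url": "https://app.example.com/prweb/PRServlet?pyActivity=MyCo-FW-App-Work.SubmitOrder",
     "referer": "https://app.example.com/prweb/"},
    # A forged cross-site request seen during testing: its origin must not be allowlisted.
    {"url": "https://app.example.com/prweb/PRServlet?pyActivity=MyCo-FW-App-Work.ExportAll",
     "referer": "https://evil.example.net/"},
]
TRUSTED_ORIGINS = ["https://app.example.com"]


def run_sample():
    return derive_csrf_settings(FAILED_REQUESTS, TRUSTED_ORIGINS)


if __name__ == "__main__":
    settings, untrusted = run_sample()
    for name, value in settings.items():
        print(f"{name} = {value}")
    print("not allowlisted:", untrusted)
```

Review the untrusted list by hand: a referrer from outside your origins in the captured failures is either test noise or exactly the kind of request the mitigation exists to block, and in neither case does it belong in validReferers.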

When rules

The following table lists security-related when rules. For more information, see Verifying requests at the application layer.

For each when rule, the entries below give the default value, the recommended secure value, and the security implications.

pyBlockUnregisteredRequests
Default: false. Secure: true.
Blocks (rejects) requests that are not permitted by the UI content presented to the user.

pySecureFeatures
Default and secure setting: do not modify.
Enables URL tampering mitigation when the default portal is not a studio portal.
