Security settings in the prconfig.xml file

The prconfig.xml file and Dynamic System Settings include parameters that control access to the Pega Platform™ database. As a best practice, use Dynamic System Settings rather than editing the prconfig.xml file. Edit the prconfig.xml file only to override Dynamic System Settings for a specific node. For more information, see Modifying the prconfig.xml file and Dynamic System Settings.

Because settings in the prconfig.xml file might have been changed during development or might be inappropriate for a production environment, review the contents of this file before moving an application to production.

Not all these entries are relevant to your environment or security policies. Add only the entries that are suitable for your application and environment.

Many of the settings can be applied to your deployment environment as Dynamic System Settings by adding the prefix prconfig/ and appending the suffix /default to the setting path. For example, the prconfig.xml setting cookie/HttpOnly becomes the Dynamic System Setting prconfig/cookie/HttpOnly/default. For more information, see Default Dynamic System Settings data instances.

If you are using custom authentication, review the Security implications column to determine how to match the behavior of the settings to your configuration.

Each entry below lists the category, the entry name, the default setting, the secure setting, and the security implications of the setting.

Category: Alerts/database
Entry name: operationTimeThreshold/suppressInserts
Default setting: true
Secure setting: true
Security implications: Recommended for all deployments. Prevents SQL statements from being written to the alert log in clear text. When this entry is false, entries in the alert log show all data associated with the alert, including customer ID numbers, passwords, and other sensitive data. Setting it to true keeps that data out of the alert log and avoids exposing details of how data is written to the database, which could otherwise help an attacker craft SQL injection attacks.

Category: Alerts/general
Entry name: Includeparameterpage
Default setting: false
Secure setting: false
Security implications: Determines whether the parameter page of the topmost stack frame is included in the alert log when the alert is generated. Depending on what is being processed when the alert fires, data from a work item or other sensitive records could be included. The default prevents Pega Platform from writing this data to the alert log, which is a clear-text file. Setting this value to true causes parameter page data to be written to the log.

Category: Alerts/parameterpage
Entry name: obfuscateKeywords
Default setting: Blank
Secure setting: See the Security implications entry.
Security implications: Lists alert keywords whose values are omitted from the alert content. The default automatically includes the operator's identifier and password. Add keywords as needed to ensure that all personally identifiable information (PII) is removed from the alert log.

Category: Alerts/parameterpage
Entry name: allowedKeywords
Default setting: Blank
Secure setting: Blank
Security implications: Eliminates PII from the alert log, which can make the issue reported by the alert harder to resolve. The following keywords are supported: pyActivity, pyStream, action, harnessName, StreamClass, StreamName, ViewClass, ViewPurpose, ViewOwner, objClass, insName, Format, openHandle, ActivityClassToExecute, ActivityNameToExecute, TaskStatus, FlowClass, FlowType, flowType, CustomActivityName, CustomActivityClassName, actionName, productName, productVersion, portal, pyAction, pyClassName, primaryPageClass, ViewInsKey, InsKey, pyReportName, pyReportClass.

Category: Alerts/parameterpage
Entry name: remoteFilterType
Default setting: Allowed
Secure setting: Allowed
Security implications: Eliminates all clear-text information from the alert log, which can make the issue reported by the alert harder to resolve.

Category: authentication
Entry name: UsePreauthenticationCookie
Default setting: true
Secure setting: true
Security implications: By default, Pega Platform generates a cookie for each user to track the user's requestor ID throughout the session. This setting adds security to that cookie and helps guard against replay attacks. When set to false, the cookie contains the same value whether or not the user is authenticated. When set to true, Pega Platform uses a different cookie value while the requestor is not yet authenticated.

Category: crypto
Entry name: onewayhashalgorithm
Default setting: bcrypt
Secure setting: bcrypt
Security implications: Hashing algorithm for operator password storage. As a best practice, set this value before creating the operator that is used during testing. The bcrypt default is salted.

Category: crypto
Entry name: v5portable
Default setting: true
Secure setting: true
Security implications: Recommended for all deployments. When the Pega Platform portable cipher is used, this setting adds a 128-bit AES-based cipher to the v5 oneway encryption process to strengthen the reversible encryption.

Category: Database
Entry name: dumpStats
Default setting: false
Secure setting: false
Security implications: Recommended for all deployments. dumpStats is a high-volume output tool intended only for development and testing environments; do not enable it in production. Keeping it off prevents exposing information that could help an attacker predict system behavior.

Category: HTTP
Entry name: SetSecureCookie
Default setting: false
Secure setting: true
Security implications: Use this setting when running Pega Platform over HTTPS. The browser then sends the cookie only over SSL/TLS connections, which prevents exposure of the session ID cookie in clear text and helps prevent session hijacking.

Category: HTTP
Entry name: UseNoCacheHeaders
Default setting: false
Secure setting: true
Security implications: Recommended for all deployments. Prevents dynamic content and sensitive information from being cached on the client, regardless of expiration time, and forces fresh loading of dynamic content from the server on each request. Also disables Tracer functionality. Keeping sensitive responses out of client-side caches reduces the data available to an attacker attempting session hijacking.

Category: Initialization
Entry name: DisableAutoComplete
Default setting: false
Secure setting: true
Security implications: Recommended for all deployments. Prevents client-side storage of user name and password combinations. Use it together with clearing any sensitive information already stored in the browser.

Category: Initialization
Entry name: DisplayExceptionTraceback
Default setting: true
Secure setting: false
Security implications: Recommended for all deployments. Prevents the stack trace from being displayed when an error occurs and removes the Show Exception Details button, both of which could expose sensitive information in a production environment.

Category: Initialization
Entry name: ProfileApplication
Default setting: false
Secure setting: false
Security implications: Recommended for all deployments. Turns off the Application Profiler, which writes sensitive information to log files.

Category: Initialization
Entry name: PromoteEmbeddedPortals
Default setting: false
Secure setting: true
Security implications: Recommended for all deployments. Prevents a Pega Platform HTML frame from being embedded in an invisible additional frame that could contain malicious code (clickjacking).

Category: Initialization
Entry name: SubmitObfuscatedURL
Default setting: optional
Secure setting: required
Security implications: Recommended for all deployments. Causes Pega Platform to reject clear-text URLs. Requires the Urlencryption entry to be enabled; the two entries work as a pair.

Category: Initialization
Entry name: Urldebug
Default setting: none
Secure setting: none
Security implications: Recommended for all deployments. Prevents obfuscated URLs from being written to the log file, where they could expose potentially sensitive information.

Category: Initialization
Entry name: Urlencryption
Default setting: false
Secure setting: true
Security implications: Recommended for all deployments. Enables or disables encryption of URLs. Works as a pair with SubmitObfuscatedURL.

Category: Initialization
Entry name: ErrorOnInvalidThreadName
Default setting: false
Secure setting: true
Security implications: Rejects requests whose URL thread name contains invalid characters, for example symbol characters, which can indicate a malicious request.

Category: Timeout
Entry name: Browser
Default setting: 3600
Secure setting: 900 (or fewer)
Security implications: Specifies the time-out value, in seconds, after which inactive users are passivated.

Category: Cookie
Entry name: HTTPOnly
Default setting: false
Secure setting: true
Security implications: Prevents client-side JavaScript from accessing the PegaRULES cookie (for example, the session identifier).

Category: Security
Entry name: showSQLInListPage
Default setting: true
Secure setting: false
Security implications: Suppresses visibility of generated SQL on the clipboard page.

Category: Security
Entry name: UnexpectedInputPropertyAlert
Default setting: true
Secure setting: true
Security implications: Ignores unexpected properties in a request.

Category: Security/CSP
Entry name: PolicyEnabled
Default setting: true
Secure setting: true
Security implications: Enables Content Security Policy (CSP) support.
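The following Python script is an added example and is not part of the Pega documentation or the Pega Platform product. It reviews a prconfig.xml file against the secure settings listed above, as recommended before moving an application to production, and prints the equivalent Dynamic System Setting name (prconfig/<path>/default) for each finding. It assumes the prconfig.xml layout of <env name="..." value="..."/> elements inside a <pegarules> root, compares setting names case-insensitively, treats a setting that is absent from the file as taking the default value from the table (so an insecure default is reported as a finding), and uses a constructed sample file that deliberately keeps several development-time values. The obfuscateKeywords and allowedKeywords entries are skipped because their secure value depends on the environment.

```python
import xml.etree.ElementTree as ET

# (default, secure) per prconfig.xml path, taken from the table above.
# alerts/parameterpage/obfuscateKeywords and allowedKeywords are omitted:
# there is no single value to check against.
SETTINGS = {
    "alerts/database/operationTimeThreshold/suppressInserts": ("true", "true"),
    "alerts/general/Includeparameterpage": ("false", "false"),
    "alerts/parameterpage/remoteFilterType": ("Allowed", "Allowed"),
    "authentication/UsePreauthenticationCookie": ("true", "true"),
    "crypto/onewayhashalgorithm": ("bcrypt", "bcrypt"),
    "crypto/v5portable": ("true", "true"),
    "database/dumpStats": ("false", "false"),
    "http/SetSecureCookie": ("false", "true"),
    "http/UseNoCacheHeaders": ("false", "true"),
    "initialization/DisableAutoComplete": ("false", "true"),
    "initialization/DisplayExceptionTraceback": ("true", "false"),
    "initialization/ProfileApplication": ("false", "false"),
    "initialization/PromoteEmbeddedPortals": ("false", "true"),
    "initialization/SubmitObfuscatedURL": ("optional", "required"),
    "initialization/Urldebug": ("none", "none"),
    "initialization/Urlencryption": ("false", "true"),
    "initialization/ErrorOnInvalidThreadName": ("false", "true"),
    "timeout/browser": ("3600", "900"),  # secure value is 900 seconds or fewer
    "cookie/HttpOnly": ("false", "true"),
    "security/showSQLInListPage": ("true", "false"),
    "security/UnexpectedInputPropertyAlert": ("true", "true"),
    "security/CSP/PolicyEnabled": ("true", "true"),
}

# Constructed sample prconfig.xml (assumed <pegarules>/<env> layout). Several
# values are left as a developer might have set them.
SAMPLE_PRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<pegarules>
  <env name="initialization/DisplayExceptionTraceback" value="true" />
  <env name="http/SetSecureCookie" value="false" />
  <env name="cookie/HttpOnly" value="true" />
  <env name="timeout/browser" value="3600" />
  <env name="crypto/onewayhashalgorithm" value="bcrypt" />
  <env name="initialization/urlencryption" value="true" />
  <env name="initialization/SubmitObfuscatedURL" value="required" />
  <env name="database/dumpStats" value="true" />
</pegarules>
"""


def dss_name(path):
    """Dynamic System Setting name equivalent to a prconfig.xml setting path."""
    return "prconfig/" + path.strip("/") + "/default"


def parse_prconfig(xml_text):
    """Return {lowercased setting name: value} for every <env> element."""
    root = ET.fromstring(xml_text)
    return {env.get("name", "").strip().lower(): env.get("value", "").strip()
            for env in root.iter("env")}


def is_secure(path, value):
    """True when value satisfies the secure setting for path."""
    _, secure = SETTINGS[path]
    if path == "timeout/browser":          # numeric: secure means 900 or fewer
        try:
            return int(value) <= int(secure)
        except ValueError:                 # non-numeric value is never secure
            return False
    return value.lower() == secure.lower()


def audit(xml_text):
    """Return (path, effective value, origin, secure value) for each insecure setting."""
    present = parse_prconfig(xml_text)
    findings = []
    for path, (default, secure) in SETTINGS.items():
        if path.lower() in present:
            value, origin = present[path.lower()], "set in prconfig.xml"
        else:
            value, origin = default, "absent, platform default applies"
        if not is_secure(path, value):
            findings.append((path, value, origin, secure))
    return findings


if __name__ == "__main__":
    for path, value, origin, secure in audit(SAMPLE_PRCONFIG):
        print(f"{path}: {value} ({origin}); secure value: {secure}; DSS: {dss_name(path)}")
```

Run against a real file with audit(open("prconfig.xml").read()). The absent-setting check is the part most worth keeping: a prconfig.xml that never mentions HTTP/SetSecureCookie or Cookie/HTTPOnly is not secure by omission, because the insecure default applies until the value is set either in the file or as the corresponding Dynamic System Setting.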

 

Published June 14, 2017 — Updated May 17, 2019

