Security guidelines for test environments

As a best practice, configure the application server in your test environment to mirror a production environment configuration.

Use the following guidelines to minimize server-side security vulnerabilities in your application:

  • Prevent the application server from serving files to unauthorized users.
  • Disable directory traversal on the application server. For example, eliminate the ability to insert “../” or “..\” into directory paths.
  • Disable directory listings on the application server.
  • Verify that no extraneous ports are open on the application server or on the firewall that protects the application server.
  • Disable HTTP methods that your application does not use, including HEAD, TRACE, and TRACK. By default, Pega Platform uses POST and GET.
  • Remove the web server banner from the Server field in the HTTP response header so that you do not share the type and version of your application server with users.
  • Remove sample applications, their supporting files, and permissions when they are no longer used. This action prevents users who know the sample application credentials from logging in to your system.
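The following Python script is an added example, not part of the Pega documentation, that checks two of the guidelines above in a test environment: it rejects request paths that escape the web root (plain, backslash, URL-encoded and double-encoded forms of “..”), and it flags a captured OPTIONS response that still discloses a Server banner or advertises HEAD, TRACE or TRACK. The web root and response headers are constructed sample values.

```python
"""Added example: local checks for the directory traversal, HTTP method
and Server banner guidelines. All inputs are constructed; no server is
contacted."""
from pathlib import PurePosixPath
from urllib.parse import unquote

# Methods the guideline says to disable when unused (Pega uses POST and GET).
UNUSED_METHODS = {"HEAD", "TRACE", "TRACK"}


def is_safe_request_path(web_root: str, requested: str) -> bool:
    """Return True only if `requested` still resolves inside `web_root`
    after decoding and normalisation, i.e. it contains no traversal."""
    # Decode twice so that %2e%2e and double-encoded %252e%252e are both seen.
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:  # an embedded NUL can truncate the path downstream
        return False
    # Treat backslash as a separator so "..\" is handled exactly like "../".
    parts = decoded.replace("\\", "/").split("/")
    if any(part == ".." for part in parts):
        return False
    root = PurePosixPath(web_root)
    target = root.joinpath(*[p for p in parts if p and p != "."])
    return target == root or root in target.parents


def audit_response(headers: dict) -> list:
    """Return a list of guideline violations visible in a captured HTTP
    response. `headers` is a constructed header-name -> value mapping, as
    returned for an OPTIONS request."""
    findings = []
    lowered = {name.lower(): value for name, value in headers.items()}
    server = lowered.get("server", "").strip()
    if server:
        findings.append(f"Server banner disclosed: {server!r}")
    allowed = {m.strip().upper()
               for m in lowered.get("allow", "").split(",") if m.strip()}
    exposed = sorted(allowed & UNUSED_METHODS)
    if exposed:
        findings.append("Unneeded HTTP methods enabled: " + ", ".join(exposed))
    return findings


if __name__ == "__main__":
    # Constructed sample: a server that still leaks its banner and allows TRACE.
    print(audit_response({"Server": "Apache/2.4.1", "Allow": "GET, POST, TRACE"}))
    print(is_safe_request_path("/var/www", "..%2F..%2Fetc%2Fpasswd"))
```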