At this very moment, not all of the Pega OOTB activities are secure by default, because not all activities require authentication to run, and we think this should be enabled at all times, at least by default. This is because of the hardening of the Pega platform. On the other hand, we see examples of activities that allow invocation from the browser and where no authentication to run is required; that is always a no-go. We would like to see that, for all OOTB Pega activities, "Allow invocation from browser" is disabled by default and all the activities require authentication to run by default. In this way we harden our environments and reduce security risks.
***Edited by Moderator Marissa to change Content Type from Idea to Discussion due to Idea content type being deprecated; added Idea specialized tag***