Question
PT Bank Sinarmas
ID
Last activity: 9 Feb 2018 16:17 EST
Security issue when publish on internet
Hi All,
I have a plan to publish the Pega system on the internet; is there any security issue with this?
Because when I tried changing the Pega URL with XSS scripting, it showed what you see in the attachment.
How can I solve that?
Thanks
Brgds,
Dendi
***Moderator Edit: Vidyaranjan | Updated SR details***
Accepted Solution
Pegasystems Inc.
US
Upon reviewing the associated SR, I see that the resolution was as follows. Please do this if you are having the same trouble:
Add the DSS below in Designer Studio and prconfig.xml.
DSS:
Pega-Engine: Security/CSRF/secureall = true
Pega-Engine: Security/CSRF/mitigation = true
Prconfig.xml:
<env name="security/urlaccessmode" value="deny" />
<env name="initialization/ErrorOnInvalidThreadName" value="true" />
A server restart is required after making these changes.
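The prconfig.xml part of this resolution is easy to get wrong on a restart-and-forget basis, so here is a small check script. It is an added example, not Pega tooling: it parses a prconfig.xml, confirms that security/urlaccessmode is deny and initialization/ErrorOnInvalidThreadName is true, and reports what is missing. The <pegarules> root element name is an assumption (the thread shows only the <env> lines), and the two embedded configs are constructed samples.

```python
"""Check a Pega prconfig.xml for the two env settings named in the accepted solution.

Added example, not Pega's own tooling. Assumes prconfig.xml holds
<env name="..." value="..."/> entries under a <pegarules> root (assumption: the
thread shows only the <env> lines, not the root element).
"""
import xml.etree.ElementTree as ET

# Settings the accepted solution requires (name -> expected value).
# Names and values are compared case-insensitively, since the thread
# spells the thread-name setting in more than one way.
REQUIRED_ENV = {
    "security/urlaccessmode": "deny",
    "initialization/erroroninvalidthreadname": "true",
}


def check_prconfig(xml_text: str) -> list:
    """Return a list of problems; an empty list means both settings are in place."""
    root = ET.fromstring(xml_text)
    found = {}
    for env in root.iter("env"):
        name = env.get("name", "").strip().lower()
        value = env.get("value", "").strip().lower()
        found[name] = value
    problems = []
    for name, expected in REQUIRED_ENV.items():
        actual = found.get(name)
        if actual is None:
            problems.append(f"missing: {name} (expected {expected})")
        elif actual != expected:
            problems.append(f"wrong value: {name}={actual} (expected {expected})")
    return problems


# Constructed sample: URL access mode not set at all, and invalid thread names
# are still tolerated.
WEAK_PRCONFIG = """<?xml version="1.0"?>
<pegarules>
  <env name="initialization/ErrorOnInvalidThreadName" value="false" />
</pegarules>
"""

# Constructed sample with the accepted solution applied.
HARDENED_PRCONFIG = """<?xml version="1.0"?>
<pegarules>
  <env name="security/urlaccessmode" value="deny" />
  <env name="initialization/ErrorOnInvalidThreadName" value="true" />
</pegarules>
"""

if __name__ == "__main__":
    import sys
    # Usage: python check_prconfig.py /path/to/prconfig.xml (defaults to the weak sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else WEAK_PRCONFIG
    for line in check_prconfig(text) or ["ok: required settings present"]:
        print(line)
```

The script only covers prconfig.xml; the two Pega-Engine DSS entries (Security/CSRF/secureall and Security/CSRF/mitigation) live in the rulebase and have to be confirmed in Designer Studio.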
Pegasystems Inc.
IN
How are you publishing? Using Pega DWA?
PT Bank Sinarmas
ID
Hi Naras,
What does Pega DWA mean?
Brgds,
Dendi A
JPMorgan Chase & Company
US
Pega DWA is Direct Web Access; you can refer to the help document below.
https://community.pega.com/sites/default/files/help_v719/procomhelpmain.htm
JPMorgan Chase & Company
US
Hi,
The easiest way to avoid this is to only use autogenerated UI rules. If you must use a non-autogenerated rule, always ensure the value has been properly filtered and escaped before displaying it back to the user.
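To make "filtered and escaped" concrete, here is an added example in plain Python (not Pega code and not from the poster above). It treats a URL-supplied value the way a hand-written rule should: reject it up front against an allowlist, and HTML-escape it on output regardless, so reflected markup never becomes live markup. The allowlist pattern is an assumption; the page does not state which characters Pega accepts in a thread name.

```python
"""Filter a URL-supplied value and escape it before reflecting it into HTML.

Added example, not Pega's own code. The allowlist for a thread-name style
parameter is an assumption (letters, digits, underscore, hyphen, up to 64
characters); the page does not give Pega's real rule.
"""
import html
import re

# Assumed allowlist: only the characters the application actually needs.
THREAD_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_valid_thread_name(value: str) -> bool:
    """Input filtering: anything outside the allowlist is rejected before use."""
    return THREAD_NAME_RE.fullmatch(value) is not None


def render_status(thread_name: str) -> str:
    """Output escaping: the value lands in element text and in an attribute,
    so quote=True is used to neutralise quotes for the attribute context."""
    safe = html.escape(thread_name, quote=True)
    return f'<p data-thread="{safe}">Current thread: {safe}</p>'


def handle_request(thread_name: str) -> str:
    """Filter first; if the value passes, render it with escaping still applied
    (defence in depth: escaping does not rely on the filter being perfect)."""
    if not is_valid_thread_name(thread_name):
        return "<p>Error: invalid thread name</p>"
    return render_status(thread_name)


# Constructed inputs: a normal thread name and one carrying markup, as it
# would arrive in a tampered URL.
NORMAL = "STANDARD"
TAMPERED = 'STANDARD"><b>injected</b>'

if __name__ == "__main__":
    for value in (NORMAL, TAMPERED):
        print(repr(value), "->", handle_request(value))
    # Even if the filter were bypassed, the escaped output contains no live tags:
    print(render_status(TAMPERED))
```

The point of keeping both layers is that the filter decides what the application accepts, while the escaping decides how whatever is accepted is displayed; the autogenerated UI rules the reply recommends do the second step for you.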
PT Bank Sinarmas
ID
Hi,
My plan is to open the internet connection only to the Pega application server.
And when a user wants to access the application, he/she must log in using the default Pega system login form.
Is there any additional action to take in the Pega system when publishing to the internet for this security issue?
Brgds,
Dendi A
Pegasystems Inc.
IN
In that case we can go for IAC, which is secure.
PT Bank Sinarmas
ID
Hi Narasimha,
What does IAC mean, and how do I apply it?
Brgds,
Dendi
Pegasystems Inc.
US
Hi,
IAC stands for Internet Application Composer.
I think you can go through the links below for a better understanding.
https://pdn.pega.com/deploying-internet-application-composer-iac-intranet
https://pdn.pega.com/configuring-pega-web-mashup-authentication-composite-application
Regards,
Rachit
Pegasystems Inc.
US
Hi Dendi,
For the original issue, please refer to the following article:
https://docs-previous.pega.com/secu0005-alert-thread-name-url-contains-invalid-characters
You would need to set <env name="initialization/ErrorOnInvalidThreadName" value="true" />
Updated: 29 Nov 2017 10:33 EST
PT Bank Sinarmas
ID
Hi,
Already added, but the XSS scripting is still running.
See the attached video.
Brgds,
Dendi A
Pegasystems Inc.
US
Hi Dendi,
Please open up an SR so the issue can be investigated. Once you do, please add the SR # to the post here.
Thanks!
PT Bank Sinarmas
ID
Hi Brad,
OK, I have already opened an SR with no. SR-B94978.
Thanks.
Pegasystems Inc.
IN
Hi
You can try setting the following DSS.
Pega-Engine - prconfig/initialization/erroroninvalidthreadname/default -> true
Pega-Engine - Security/CSRF/secureall -> true
Pega-Engine - Security/CSRF/mitigation -> True
Thank you
Anuj
Pegasystems Inc.
US
Hi Dendi,
What application server/version and browser are you making use of?