Question
capgemini
IN
Last activity: 4 Sep 2020 11:55 EDT
NetSParker Scan - Vulnerability issues
I am currently working on the security Vulnerabilitied.
1) What is the 'HTTP strict Transport Security' mechanism and how we can enable the policy in PEGA 7.3.1
2) How does the application issue HSTS policy to User agents.
***Edited by Moderator Marissa to update Pega Academy to Product; update platform capability tags***
Pegasystems Inc.
FR
Hello,
Have you been through the following already: https://community.pega.com/knowledgebase/articles/security/security-checklist
Pegasystems Inc.
NL
Hi Suresh,
HSTS is a security mechanism designed by IETF to protect against things like protocol downgrades.
To use it you need to ensure that specific HTTP Headers are send to the browsers. This can be achieved by configuring custom application headers in Pega: https://community.pega.com/knowledgebase/articles/security/84/using-http-response-headers
This is a server-wide setting, so it will be send to all User Agents accessing any application on it.
Even though this configuration is probably available to you in the 7.3.1 version of Pega, many other security improvements are not. I recommend upgrading to a more modern version of Pega (https://community.pega.com/upgrade), to make it easier to keep your applications secure.
Alternatively you can opt for configuring HSTS headers on your loadbalancer/firewall instead of inside Pega.
Hope this helps,
Eric