Question
Tech Mahindra
CA
Last activity: 24 Jul 2020 13:13 EDT
Application's Content Security Policy
What is the impact on the Out of the Box functionalities of using "pxDefaultSecured" Policy combining with "Reject & Report" Mode in Pega Platform 7.4 and "Customer Service for Financial Services 7.4"?
***Edited by Moderator Marissa to update Support Case Details***
Tech Mahindra
CA
To elaborate the above question a little:
During one of the Security Scans of our application, we got the following comment from the system:
"Insufficient Content Security Policy – While the application implements a Content Security Policy (CSP), this policy is exceptionally lax and provides little to no protection. If the application is opened in modern browsers, including Edge, the policy also allows the application to be loaded into an IFRAME overruling other security headers."
Any help in this regard is appreciated.
Pegasystems Inc.
US
Hi Samik,
Pega provides the capability to add Content Security Policies as described in the following URL: https://community.pega.com/sites/default/files/help_v74/procomhelpmain.htm#rule-/rule-access-/rule-access-csp/main.htm
You should be able to make use of "pxDefaultSecured" Policy combining with "Reject & Report" Mode in Pega Platform 7.4 and "Customer Service for Financial Services 7.4". Testing needs to be completed to validate your application isn't impacted by the policy configuration. As every application can be different, if adjustments need to be made, then you can SaveAs from the default policy to your own policy.
Regarding your finding above, I have asked the engineer under the related case to open a product SR to review the details from your scan.
Tech Mahindra
CA
Thanks, Br@dTainter_GCS! I have created INC-133689 for this.
Updated: 2 Jul 2020 23:12 EDT
Maantic Inc
US
Can you check your application is enabled with Cross-Site Request Forgery (CSRF) settings, if it is enabled it will prevent your application from IFRAME loading in third party application.
Reference link
https://community.pega.com/knowledgebase/articles/security/configuring-csrf-protection
After the DSS add or change, restart the server and do the security scan.
CSRF example
<!DOCTYPE html>
<html>
<body>
<h1>The iframe element</h1>
<iframe src="https://www.w3schools.com" title="W3Schools Free Online Web Tutorials">
</iframe>
</body>
</html>
If you run this code from local or any server, W3schools won't allow to show the website in Iframe. Our pega app also should work this way.
Pegasystems Inc.
NL
Hi Samik and John,
The IFraming issues are not directly relates to CSRF configuration.
The Frame-Ancestors directive in your CSP (Content Security Policy) probably needs a stricter policy. Configure your own policy based on the pxDefaultSecured and update that directive as suggested by Brad.
Also, to protect the login screen, set the DSS prconfig/initialization/PromoteEmbeddedPortals/default to true. As described in https://community.pega.com/knowledgebase/articles/security/dynamic-system-settings-application-security
Please also consider upgrading to the most recent Pega version to get various security enhancements.
Eric