Our cybersecurity team scanned our PEGA 7.2.2 Dev environment. The results show a medium vulnerability for ‘HTML form without CSRF protection’. After reading the PDN article, we saw that PEGA recommends implementing the following settings.
After adding these settings and restarting the server, our cybersecurity team performed another scan. However, the results were the same. Can anyone help us understand how to remedy the issue…
Please open up a support request and include the vulnerability report. A GCS support engineer will be better able to assist as to what is going on with those details. Once you open the support request, please reply here with the SR #.
After looking at this example, it appears our URL in our Dev environment has the token. I also compared our Dev environment with our QA environment. QA does not have it because CSRF was not implemented, so that makes sense...so far. Our Dev does appear to have the token, so maybe it's not a PEGA issue. But I will look deeper to confirm my understanding of the issue.
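The reply above observes that the token travels in the URL rather than in the form itself, which is exactly the situation that can make a scanner report ‘HTML form without CSRF protection’: many scanners only look for a hidden token field inside each POST form. The following is an added illustration, not code from this thread or from Pega; it parses constructed sample HTML and reports, per form, whether a token-like field is present as a hidden input or only as a query parameter of the form's action URL. The token field names in `TOKEN_NAMES` are assumed generic names for the example, not Pega's.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumed, generic names a scanner might treat as a CSRF token parameter.
# These are placeholders for the example, not Pega's actual parameter names.
TOKEN_NAMES = {"csrf_token", "csrftoken", "_csrf", "authenticity_token"}


class _FormCollector(HTMLParser):
    """Collects each <form> with its action, method and hidden input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "hidden_fields": [],
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "hidden":
                self._current["hidden_fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def _has_token_name(names):
    return any(n in TOKEN_NAMES for n in names)


def audit_forms(html):
    """Return one status dict per form found in the HTML.

    likely_flagged mirrors the simple rule a scanner typically applies:
    a POST form with no hidden token field is reported, even when the
    same token is carried in the action URL's query string.
    """
    parser = _FormCollector()
    parser.feed(html)
    results = []
    for form in parser.forms:
        query = parse_qs(urlparse(form["action"]).query)
        in_field = _has_token_name(form["hidden_fields"])
        in_url = _has_token_name(k.lower() for k in query)
        results.append({
            "action": form["action"],
            "method": form["method"],
            "token_in_hidden_field": in_field,
            "token_in_action_url": in_url,
            "likely_flagged": form["method"] == "post" and not in_field,
        })
    return results


# Constructed sample page: three forms covering the cases discussed.
SAMPLE_HTML = """
<html><body>
<form method="post" action="/app/update">
  <input type="hidden" name="csrf_token" value="EXAMPLE-TOKEN-1">
  <input type="text" name="name"><input type="submit">
</form>
<form method="post" action="/app/update?csrf_token=EXAMPLE-TOKEN-2">
  <input type="text" name="name"><input type="submit">
</form>
<form method="post" action="/app/update">
  <input type="text" name="name"><input type="submit">
</form>
</body></html>
"""

if __name__ == "__main__":
    for status in audit_forms(SAMPLE_HTML):
        print(status)
```

Running it shows that only the first form passes the hidden-field rule; the second form, which carries the token in the action URL, is reported the same way as the third form that has no token at all. A token in the URL still binds the request to the session, so the finding may be a false positive for the scanner's rule, but it is worth confirming with the vendor whether a hidden field is expected, since URL-borne tokens are also more likely to end up in proxy logs and Referer headers.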