Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Dyan Baur (DyanG412)
Hawaii Medical Service Association

Hawaii Medical Service Association
US
DyanG412 Member since 2013 212 posts
Hawaii Medical Service Association
Posted: Feb 11, 2016
Last activity: Jun 26, 2017
Posted: 11 Feb 2016 15:22 EST
Last activity: 26 Jun 2017 9:17 EDT
Closed
Solved

How do we resolve, "This application's Content Security Policy on the Integration tab has been left blank. It is recommended to use a default policy or create your own prior to migrating to a production environment."?

This is information warning in application rule.

To see attachments, please log in.

  • Jenni Murugesan
Posted: 8 years ago
Posted: 11 Feb 2016 17:00 EST
Murali Kakarla (Muralik7)
Infosys

Infosys
AU

Did you try setting Policy name and mode on Integration & Security tab on Application rule form? Following is the screenshot from 7.1.7

     AUT01.png    

Murali...

To see attachments, please log in.
Posted: 8 years ago
Posted: 11 Feb 2016 17:12 EST
Matthew Morency (morem) Senior Principal Cloud Security Engineer
Pegasystems Inc.
US

I am assuming that the application in question is going to be used in production.  If so, I would encourage you to develop a customized content security policy rather than using pxDefaultAllowAll to make the warning go away.  A content security policy will help to reduce your exposure to a variety of security threats by limiting the content in your application to only the sources that you white list. 

To see attachments, please log in.
Posted: 8 years ago
Posted: 12 Feb 2016 6:53 EST
Dyan Baur (DyanG412)
Hawaii Medical Service Association

Hawaii Medical Service Association
US

hi Matthew,

is there any more details about the content security policy that i can refer ?

To see attachments, please log in.
Posted: 8 years ago
Posted: 12 Feb 2016 7:40 EST
Matthew Morency (morem) Senior Principal Cloud Security Engineer
Pegasystems Inc.
US

Gyan,

Probably the best first stop on learning about content security policy is the wikipedia article (Content Security Policy - Wikipedia, the free encyclopedia).  You will notice that the article quickly goes into technical detail, fortunately the content security policy rule allows you to avoid having to deal with the details and focus on the setting up your white lists for content sources.  A good source on setting up a Content Security Policy is the PRPC help (which you can also get through the PDN at https://community.pega.com/sites/default/files/help_v72/procomhelpmain.htm).

Matt

To see attachments, please log in.
Posted: 7 years ago
Posted: 16 Jun 2017 16:36 EDT
Geeta Ramani (Geeta Ramani)
StratosphereTC
Senior Consultant
StratosphereTC
US

Hi Matt,
Ours is a 7.1.5 application. Can you tell us how we can create a Content Security Policy in Pega 7.1.5?

 

Many thanks in advance!

Geeta

To see attachments, please log in.
Posted: 7 years ago
Posted: 16 Jun 2017 16:37 EDT
Brad Tainter (Br@dTainter_GCS)
PEGA
Fellow, Technical Support, Platform Service
Pegasystems Inc.
US

Hi Geeta,

Content Security Policy was not introduced in Pega until 7.1.6.  I would suggest that you look at this reference for adding a policy via your load balancer or web server:  https://content-security-policy.com/

 

To see attachments, please log in.
Posted: 7 years ago
Posted: 25 Jun 2017 23:37 EDT
Abhijith Kolanakuduru (abhijith_telstra)
Telstra
Abhijith Kolanakuduru
Telstra
AU

Assuming most of the Pega Apps are in internal network, it'd be nice to know which OOTB Content Security Policy rule we can use so that we don't have to customize.

To see attachments, please log in.
Posted: 7 years ago
Posted: 26 Jun 2017 9:17 EDT
Brad Tainter (Br@dTainter_GCS)
PEGA
Fellow, Technical Support, Platform Service
Pegasystems Inc.
US

Hi Abhijith,

Pega 7 comes with 2 Content Security Policies out of the box:  pxDefaultAllowAll and pxDefaultSecured.  You can open up those rules and review the policies in place for each.  On the application rule you can defined to reject and report or report only.  You may consider setting the policy to report only for each to see what the headers that get specified are on the response.  Then you can review and determine which on to put in place.  https://community.pega.com/sites/default/files/help_v722/procomhelpmain.htm

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice