Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Bharath Balasubramanian (BHARATHB)
Cisco Systems
Engineer, IT
Cisco Systems
IN
BHARATHB Member since 2010 10 posts
Cisco Systems
Posted: Sep 17, 2019
Last activity: Jul 24, 2020
Posted: 17 Sep 2019 12:42 EDT
Last activity: 24 Jul 2020 12:34 EDT
Closed

Security Vulnerabilities

Hello All,

As part of our organisation process during the upgrade (8.2.2), we have to perform the analysis of security vulnerabilities using the ibm App scan tool. In that to validate the vulnerabilities, we saw that it complained about the missing header. I also did by adding the header in the DSS as mentioned in the other thread. It did not help.

X-Content-Type-Options":"nosniff"

Thanks & Regards,

Bharath

To see attachments, please log in.
Security

Posted: 5 years ago
Posted: 17 Sep 2019 12:44 EDT
Bharath Balasubramanian (BHARATHB)
Cisco Systems
Engineer, IT
Cisco Systems
IN

The issue still available after the recommendations of another thread added as well. So any kind of help is appreciated

To see attachments, please log in.
Posted: 5 years ago
Posted: 17 Sep 2019 16:03 EDT
Phillip Baggett (BAGGP)
PEGA
Director of Application Security Assessment and Enablement
Pegasystems Inc.
US

Hi BHARATHB
We would be happy to assist with the header setting issue you are seeing but we would need to see additional information.  Given this is security related we would recommend that you open a support request where you can share information securely with our Global Client Support team.

Please reference this post in your SR and let us know the SR Id here so the moderation team can keep an eye on it for you.

To see attachments, please log in.
Posted: 5 years ago
Posted: 18 Sep 2019 1:26 EDT
Bharath Balasubramanian (BHARATHB)
Cisco Systems
Engineer, IT
Cisco Systems
IN

hi Baggp,

Thanks for the suggestion. I have just classified it as security in general and not a security concern from the data to share it here, but we can still discuss about it in the forum if we know the steps to configure it. I am not sure if a SR is required at this moment. If still recommended, I need to check with Cisco & Pega account administrative on the same.

Thanks & Regards,

Bharath

 

 

To see attachments, please log in.
Posted: 4 years ago
Posted: 24 Jul 2020 12:34 EDT
Eric Rietveld (Eric Rietveld) Principal System Architect
Pegasystems Inc.
NL

Hi Bharath,

Pega doesn’t provide a landing page or dedicated DSS (Dynamic System Setting) for setting specifically that HTTP response header.

However there is an DSS for specifying any additional hardcoded http response headers:

  • Owning Ruleset: Pega-RulesEngine
  • Purpose: http/responseHeaders

The headers should be listed in JSON syntax. You should configure something like this:

DSS Settings showing example HTTP Response headers

No restart is needed, as soon as you save it you should start seeing the extra headers. Don't forget to package this DSS in your product.

More information can be found at: https://community.pega.com/sites/default/files/help_v84/procomhelpmain.htm#security/custom-header/sec-respons-headers-con.htm#HTTP_response_headers

 

These custom response headers will not be returned for certain requests, like requests for static content. If you need extra headers on those responses I recommend you work with your firewall team.

To keep your system clean, I also recommend removing the non-working DSS that you tried to add earlier.

Let me know if that was helpful,

Eric

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice