Skip to main content

This content is closed to future replies and is no longer being maintained or updated.
Links may no longer function. If you have a similar request, please write a new post.

Question

 Fred Goldbach (FredG487)
Highmark Health
Fred Goldbach
Highmark Health
US
FredG487 Member since 2009 38 posts
Highmark Health
Posted: Sep 18, 2020
Last activity: Sep 18, 2020
Posted: 18 Sep 2020 9:00 EDT
Last activity: 18 Sep 2020 11:34 EDT
Closed

Webserver question: Options HTTP method - Is this needed?

Hello! 

I have a vulnerability on the webserver. If I understand this correctly it is because we have the HTTP OPTIONS Method enabled. I am being asked to disable this option.  Is this something that needs enabled for Pega to work? Is this specific to a Pega version to work?  I support several Pega versions from 6.2 to 8.4.1. 

Thanks!

To see attachments, please log in.
Pega Platform
System Administration
Cross-Industry
System/Cloud Ops Administrator

Posted: 4 years ago
Posted: 18 Sep 2020 11:34 EDT
Eric Rietveld (Eric Rietveld) Principal System Architect
Pegasystems Inc.
NL

Hi Fred,

By default, Pega Platform uses only POST and GET http methods, so other HTTP methods like OPTIONS can be disabled at the application server level. (https://community.pega.com/sites/default/files/help_v84/procomhelpmain.htm#security/best-practices/sec-security-guidelines-for-test-env-ref.htm)

Even though I think this is also true for older versions including 6.2. I recommend upgrading to a more recent version for enhanced security in many other areas.

If you're using CORS you might need to further investigate to ensure you're not dependent on the OPTIONS method.

Kind regards,

Eric

To see attachments, please log in.

We'd prefer it if you saw us at our best.

Pega Collaboration Center has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice