Question
BPM Company
NL
Last activity: 3 Jul 2023 7:44 EDT
Which service package rules should not require authentication by purpose
A Pega environment comes with a lot of service package rules preinstalled. Quite a few of them have the option "Requires authentication" unchecked.
The Pega security checklist requires these service packages to be secured:
https://docs-previous.pega.com/security/87/security-checklist-core-tasks
Securely authenticate attempts to access services
Verify that all default service packages and custom authentication services are secured appropriately. To prevent unauthorized access of services not in use, ensure that the Service Package instances have, at minimum, basic authentication enabled and require TLS. Ensure that each service package uses a strong authentication profile and requires TLSv1.2 or later.
However, after securing the service package rules by requiring authentication and using basic authentication with TLS, the SSO functionality stopped working and the basic-authentication popup was blocking users from logging in.
It seems the WebSSO service package rule is configured without requiring authentication on purpose; see https://support.pega.com/question/securtity-concerns-pega-ootb-service-packages
Which of the service package rules that are not secured by default should be secured, and which should not? The History tab doesn't give any guidance on this, as e.g. the history of the WebSSO service package rule is empty.