Applies to Pega Platform™ 7, the major release and its minor and patch releases, and Pega Platform™ 8, the major release and its minor and patch releases
What is Content Security Policy?
Supported attributes for the script-src directive
Pega Platform security testing
Security best practices for section-based UI
The goal of this document is to clarify the supported attributes for the Content-Security-Policy (CSP) header in the section-based UI rendering and to suggest best practices if some settings are required for your application.
The Pega section-based UI architecture requires the unsafe-inline and unsafe-eval attributes to be checked (allowed) for the 'script-src' directive.
The eval() function is used in the user portal for the following features:
- Expression evaluation (Visible When, Refresh When)
- Processing of Run Script action
- Processing of general actions for the table component and other controls
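The requirement above expressed as a check you can run against your own header, as an added example that is not Pega code: a small JavaScript parser that reads a Content-Security-Policy header and reports whether the effective script-src permits inline scripts and eval(). The two sample headers are constructed for illustration; the first is the minimum the section-based UI needs, the second is the stricter 'self'-only policy it cannot run under.

```javascript
// Added example (not Pega code): parse a Content-Security-Policy header value
// and report what the effective script-src directive permits.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

function scriptPolicy(header) {
  const d = parseCsp(header);
  // script-src falls back to default-src when absent; with neither present
  // the header places no restriction on scripts at all.
  const src = d['script-src'] ?? d['default-src'];
  if (src === undefined) {
    return { restricted: false, allowsInline: true, allowsEval: true, sources: [] };
  }
  const lower = src.map((s) => s.toLowerCase());
  // Caveat: when a nonce or hash source is present, CSP-compliant browsers
  // ignore 'unsafe-inline', so the policy is stricter than it looks.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return {
    restricted: true,
    allowsInline: lower.includes("'unsafe-inline'") && !hasNonceOrHash,
    allowsEval: lower.includes("'unsafe-eval'"),
    sources: src,
  };
}

// Constructed sample headers (not taken from a real deployment).
const SECTION_UI_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'";
const STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'";
```

Run scriptPolicy() over the header your gateway or the Pega Content Security Policy rule actually emits; if allowsEval or allowsInline comes back false, the expression evaluation, Run Script and table actions listed above will fail in the section-based portal.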
Pega Platform is used by some of the world's largest private sector companies and government agencies. Our software is subject to thorough penetration tests performed by these organizations as well as by independent third-party evaluators. In addition to static analysis of the code, our software is also subjected to engineered threat testing that attempts to exploit vulnerabilities. Static analysis reports potential vulnerabilities, and every attempt is made to efficiently mitigate and prevent any confirmed vulnerabilities. Pega Platform releases are also tested for XSS prior to becoming generally available. When specific vulnerabilities are found, our policy is to address them in later patch releases and, if extremely urgent, as hotfixes.
To make sure that your application is working with the highest level of security, apply the following best practices:
- Ensure that you update your application to the latest major and minor version of Pega Platform. See Keeping current with Pega.
- Ensure that you are staying within the latest guardrails. Running the guardrails compliance tools in Dev Studio is a great starting point.
- Keep your Pega software up to date by applying the latest patches as they become available; patches are likely to contain valuable security updates. See Keeping current with Pega.
For more information on security policies, see Content security policies.
For customers building new applications, two alternative approaches are available:
These approaches are not recommended for existing applications because they require additional migration effort.
If you need to expose some of your case types to your customers while setting the CSP directive script-src to self only, and you do not have the ability to update your application to use the Cosmos React architecture, the best practice is to build your own UI rendering using the DX Starter Packs, the DX SDKs, or the DX API directly. For more information, see Pega Digital Experience (DX) API.