Applies to Pega Platform™ 7, the major release and its minor and patch releases, and Pega Platform™ 8, the major release and its minor and patch releases
Objective
What is Content Security Policy?
Supported attributes for the script-src and style-src directives
Pega Platform security testing
Security best practices for Traditional UI
Alternative approaches
Related content
Objective
The goal of this document is to clarify the supported attributes for the Content-Security-Policy (CSP) header in the Traditional UI rendering and to suggest best practices if some settings are required for your application.
What is Content Security Policy?
Content Security Policy (CSP) is the name of an HTTP response header that modern browsers use to enhance document (or web page) security. The Content-Security-Policy header allows you to restrict resources, such as the use of JavaScript or CSS. The 'unsafe-inline' and 'unsafe-eval' keywords allow the use of inline scripts or styles and of eval() in your application. See The unsafe-inline Source List Keyword.
Supported attributes for the script-src and style-src directives
Pega Traditional UI architecture requires the unsafe-inline and unsafe-eval attributes to be checked for the 'script-src' directive (that is, the policy must include both source keywords for scripts).
Pega Traditional UI architecture requires the unsafe-inline attribute to be checked for the 'style-src' directive.
The eval() function is used in the user portal for the following features:
- Expression evaluation (Visible When, Refresh When)
- Processing of Run Script action
- Processing of general actions for the table component and other controls
Removing the reliance on inline JavaScript and on the eval() function would introduce significant backward compatibility and upgradeability challenges. To mitigate XSS vulnerabilities, Pega Platform processes all user input data and properly escapes HTML control characters before storing it, before serving it back to the client, and before it is rendered in the client.
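As an added example (not Pega's own code), the following Python script parses a Content-Security-Policy header value and reports whether its effective script-src and style-src sources carry the keywords Traditional UI needs, applying the default-src fallback the browser would use. The header values it checks are constructed for illustration.

```python
# Added example (not Pega's own code): audit a Content-Security-Policy header
# value against the script-src / style-src keywords Traditional UI needs.
# Directive names and keywords come from the CSP spec; samples are constructed.

# Keywords the Traditional UI rendering requires, per the text above.
TRADITIONAL_UI_REQUIREMENTS = {
    "script-src": {"'unsafe-inline'", "'unsafe-eval'"},
    "style-src": {"'unsafe-inline'"},
}

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if parts:
            # Browsers ignore a repeated directive, so keep the first one.
            policy.setdefault(parts[0].lower(), [s.lower() for s in parts[1:]])
    return policy

def effective_sources(policy, directive):
    """Apply the fetch-directive fallback: a missing script-src or style-src
    inherits default-src; if that is missing too, the resource is unrestricted."""
    return policy.get(directive, policy.get("default-src"))

def audit_csp(header):
    """Return (compatible_with_traditional_ui, {directive: status})."""
    policy = parse_csp(header)
    status = {}
    for directive, needed in TRADITIONAL_UI_REQUIREMENTS.items():
        sources = effective_sources(policy, directive)
        if sources is None:
            status[directive] = "unrestricted"  # works, but offers no protection
        else:
            missing = sorted(needed - set(sources))
            status[directive] = "ok" if not missing else "missing " + " ".join(missing)
    compatible = all(not s.startswith("missing") for s in status.values())
    return compatible, status

# Constructed samples: the minimum Traditional UI needs, and the stricter
# policy that the DX SDK / Constellation approaches make possible.
TRADITIONAL_UI_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                      "style-src 'self' 'unsafe-inline'; img-src 'self' data:")
STRICT_CSP = "default-src 'self'; script-src 'self'; style-src 'self'"

if __name__ == "__main__":
    for name, csp in (("traditional", TRADITIONAL_UI_CSP), ("strict", STRICT_CSP)):
        ok, status = audit_csp(csp)
        print(name, "compatible" if ok else "breaks Traditional UI", status)
```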
Pega Platform security testing
Pega Platform is used by some of the world’s largest private-sector companies and government agencies. Our software is subject to thorough penetration tests performed by these organizations as well as by independent third-party evaluators. In addition to static analysis of the code, our software is also subjected to engineered threat testing that attempts to exploit vulnerabilities. Static analysis reports potential vulnerabilities, and every attempt is made to efficiently mitigate and prevent any confirmed vulnerabilities. Pega Platform releases are also tested for XSS before becoming generally available. When specific vulnerabilities are found, our policy is to address them in later patch releases and, if extremely urgent, as hotfixes.
Security best practices for Traditional UI
To make sure that your application is working with the highest level of security, apply the following best practices:
- Ensure that you update your application to the latest major and minor version of Pega Platform. See Keeping current with Pega.
- Ensure that you are staying within the latest guardrails. Running the guardrails compliance tools in Dev Studio is a great starting point.
- Keep your Pega software up to date by applying the latest patches as they become available; patches are likely to contain valuable security updates. See Keeping current with Pega.
- Review any custom JavaScript added in your application layer for security issues. See the Security Checklist.
For more information on security policies, see Content security policies.
Alternative approaches
For customers building new applications, two alternative approaches are available, described below. These approaches are not recommended for existing applications because they require additional migration effort.
Leverage SDKs and DX API
If you need to expose some of your case types to your customers while setting the CSP script-src directive to 'self' only, and you cannot update your application to use the Constellation UI architecture, the best practice is to build your own UI rendering using the DX Starter Packs or DX SDKs, or by leveraging the DX API directly. For more information, see Pega Digital Experience (DX) API.
Constellation UI
Pega is working on Constellation UI, the next generation of its front-end architecture, based on ReactJS. Constellation UI avoids the use of the eval() function and of any inline JavaScript. It is available for production use starting with Pega Platform version 8.7. However, like all new software, it does not yet have all the capabilities of Pega Traditional UI. See Constellation. Also, the Pega CRM applications and Industry Application and Foundation are not yet compatible with Constellation UI.
Related content
Unsafe inline and Unsafe eval in CSP
The unsafe-inline Source List Keyword