Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

Understanding dynamic system settings

Updated on March 15, 2022

To enable greater security in your application, configure the following dynamic system settings to enable greater security in your application before moving your application from development to a production environment.

Dynamic system setting information

As a leading practice, before moving your application from development to a production environment, configure the following dynamic system settings to enable greater security in your application.

Note: When you define security settings using dynamic system settings, the values are stored in the Pega database and are applied to all nodes and are therefore not node specific.
PurposeDefaultSecure settingSecurity Implications
prconfig/alerts/database/operationTimeThreshold/suppressInserts/defaulttruetrueRecommended for all deployments. Prevents SQL statements from being written to the alert log in clear text. By default, all entries in the alert log show all data associated with the alert, including customer ID numbers, passwords, and other sensitive data. Setting this entry to true prevents sensitive data from being written to the alert log. Prevents SQL injection attacks and prevents exposing sensitive information about how data is written to the database.
prconfig/alerts/parameterpage/allowedKeywords/defaultBlankBlankEliminates PII data from the alert log, making it potentially more difficult to resolve the issue reported by the alert. The following keywords are supported: pyActivity, pyStream, action, harnessName,StreamClass, StreamName, ViewClass, ViewPurpose, ViewOwner, objClass, insName, Format, openHandle, ActivityClassToExecute, ActivityNameToExecute, TaskStatus, FlowClass, FlowType, flowType, CustomActivityName, CustomActivityClassName, actionName, productName, productVersion, portal, pyAction, pyClassName, primaryPageClass, ViewInsKey, InsKey, pyReportName, pyReportClass.
prconfig/alerts/parameterpage/remoteFilterType/defaultAllowedAllowedEliminates all clear-text information in the alert log, making it potentially more difficult to resolve the issue reported by the alert.
prconfig/crypto/onewayhashalgorithm/defaultbcryptbcryptHashing algorithm for operator password storage. As a best practice, set this setting before creating the operator that is used during testing. The bcrypt default is salted.
prconfig/Database/dumpStats/defaultfalsefalseRecommended for all development and testing deployments. This is a high-volume-output tool only for use in development and testing environments. Do not use it in production. Prevents exposing sensitive information that could otherwise aid a hacker in predicting system behavior.
prconfig/HTTP/UseNoCacheHeaders/defaulttruetrueRecommended for all deployments. Prevents dynamic content and sensitive information from being cached on the client, regardless of expiration time. Also disables tracer functionality and forces fresh loading of the dynamic content from the server for each request. Prevents session hijacking, injection attacks, and cross-site scripting.
prconfig/initialization/DisableAutoComplete/defaultfalsetrueRecommended for all deployments. This setting prevents client-side storage of user name and password combinations. Use this setting in conjunction with clearing any existing stored sensitive information in the browser.
prconfig/initialization/DisplayExceptionTraceback/defaultfalsefalseRecommended for all deployments. This setting prevents display of stack-trace when an error occurs, and removes the Show Exception Details button, which could expose sensitive information in a production environment.
prconfig/initialization/ProfileApplication/defaultfalsefalseRecommended for all deployments. This setting turns off the Application Profiler, which writes sensitive information to log files.
prconfig/initialization/PromoteEmbeddedPortals/defaultfalsetrueRecommended for all deployments. This setting prevents a Pega Platform HTML frame from being embedded in an invisible additional frame that could contain malicious code.
prconfig/initialization/ErrorOnInvalidThreadName/defaulttruetrueRejects requests that contain invalid characters in the threadname of the URL that potentially can be malicious, for example, symbol characters.
prconfig/Timeout/Browser/default900900 (or fewer)Specifies the time-out value (in seconds) for the user session. If the user does not perform any system action specified by the time-out value, the user session is terminated.
prconfig/Cookie/HTTPOnly/defaulttruetruePrevents client-side JavaScript access to the PegaRULES cookie, for example, session identifier.
prconfig/security/showSQLInListPage/defaulttruefalseSuppresses visibility of generated SQL on the clipboard page.
prconfig/security/UnexpectedInputPropertyAlert/defaulttruetrueIgnores unexpected properties in a request.
prconfig/security/CSP/PolicyEnabled/defaulttruetrueEnables Content Security Policy (CSP) support.
EnableAttributeBasedSecuritytruetrueEnables enforcement of access control policies and access control policy conditions (ABAC).
DiscoverableItemsIncludedForSummaryReportfalsefalseEnables the discoverability feature associated with read-type access control policies.
KeyStoreCacheSize15050 (or more)

Restricts keystore cache size to control how much memory is used.

For more information, see Changing the default keystore caching settings.

security/enableJavaInjectionMitigationfalsetrueEnables java mitigation detection for all ruleset versions.
security/validateReloadParametersfalsetrue

Controls the HTTP response when the pyBlockUnregisteredRequests when rule evaluates to true.

For more information, see Verify requests at the application layer .

prconfig/initialization/SubmitObfuscatedURL/defaultoptionalrequiredRecommended for all deployments. This setting also requires the urlencryption entry to be enabled. These two entries work as a pair, and causes Pega Platform to reject clear-text URLs.
prconfig/initialization/Urldebug/defaultnonenoneRecommended for all deployments. This setting prevents obfuscated URLs from being written to the log file. This prevents exposing potentially sensitive information.
prconfig/initialization/Urlencryption/defaultfalsetrueRecommended for all deployments. This setting works as a pair with SubmitObfuscatedURL. The setting enables or disables the encryption of the URLs.

Note: URL encryption only works in the same session.
operator/stateless/skipDBsavefalsefalseCreate this DSS in the Pega-Engine ruleset. Set this DSS to true to skip operator record updation and DB save. This setting is applicable for stateless requests.
  • Creating a dynamic system setting

    Add a dynamic system settings rule to change default system behavior.

  • Bcrypt hashing algorithm for Password property types

    To provide extra protection against brute-force attacks, Pega Platform uses salted bcrypt as the default hashing algorithm for Password property types. Bcrypt uses a modified key setup algorithm that requires a long time to process. Key strengthening makes a password more secure against brute-force attacks, meaning potential attackers must spend a substantial amount of time testing every possible key.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us