This documentation site is for previous versions. Visit our new documentation site for current releases.

Cross-Site Request Forgery (CSRF)

Updated on June 11, 2021

Cross-Site Request Forgery (CSRF), also known as XSRF or "sea surf", is a web security attack in which an intruder tricks users into performing unwanted actions on a web application in which they are currently authenticated. When you enable the CSRF token check in Dev Studio for the Pega Customer Service application, the system protects activities and streams from CSRF attacks.

Pega Customer Service Implementation Guide

CSRF Settings for chat-specific activities and streams

Enabling the CSRF settings protects customer web applications from CSRF attacks. In the following use case, the system performs the CSRF check on all activities and streams except the chat-specific activities and streams.

  1. In the header of Dev Studio, click Configure > System > Settings > Cross-Site Request Forgery.
    Result: The system opens the Cross-Site Request Forgery page.
  2. In the Cross-Site Request Forgery (CSRF) Settings section, select the Enable CSRF token check radio button.
    Result: The system displays the Secure section with the following two options:
    • All activities & streams: Secures all activities and streams except the specified activities.
    • Specific activities & streams: Secures only specific activities and streams and allows the rest.
    Note: Enabling the CSRF check prevents the chatbot from loading on a web page, which is why the chat-specific activities and streams are excluded in the next step.
  3. To exclude CSRF check on the chat-specific activities and streams, perform the following tasks:
    1. In the Secure section, select All activities & streams.
    2. In the Allowed Activities field, enter the following activities to exclude them from the CSRF check:
      • SetChatParams
      • GetCoBrowseConfigurations
      • czInvokeRouting
      • czUpdateConversationOnChatClosure

    3. In the Allowed Streams field, enter the ProcessChatAPI stream to exclude the stream from the CSRF check.
  4. In the Referrer Settings section, perform the following steps:
    1. To enable referrer check, select the Enable referrer check check box.
      Note: When you select the Enable referrer check option, the system exempts requests from the specified referrer URLs from the CSRF check.
    2. In the Allowed referrers field, enter the following URLs:
      • https://pegafpssdev.pg.com
      • https://pegafpsschatdev.pg.com
      Figure: CSRF Settings displaying the allowed activities, streams, and referrer URLs
  5. To save the changes, click Submit.
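To make the decision rules in the steps above concrete, the following Python model is an added example (not Pega's code, and not how the platform implements the check internally). It assumes that in "All activities & streams" mode the listed activities and streams are the exemptions, that in "Specific activities & streams" mode the lists name the secured targets, and that a request from an allowed referrer origin passes the check without a token. The `Request` class, the `check_request` function, the activity name `UpdateProfile`, and the `evil.example` hosts are constructed for illustration.

```python
"""Model of the CSRF decision rules described on this page (assumed semantics,
not Pega's implementation)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass
class CsrfSettings:
    # Mirrors the fields on the Cross-Site Request Forgery (CSRF) Settings page.
    token_check_enabled: bool = True
    # "all": secure everything except the listed activities/streams.
    # "specific": secure only the listed activities/streams (assumed reading
    # of the second radio button; the lists then name the secured targets).
    secure_mode: str = "all"
    activities: Set[str] = field(default_factory=set)
    streams: Set[str] = field(default_factory=set)
    referrer_check_enabled: bool = False
    allowed_referrers: Set[str] = field(default_factory=set)


@dataclass
class Request:
    # Simplified HTTP request (constructed): exactly one of activity/stream is the target.
    activity: Optional[str] = None
    stream: Optional[str] = None
    referer: Optional[str] = None      # value of the Referer header, if any
    csrf_token: Optional[str] = None   # token the client echoes back, if any


def new_session_token() -> str:
    """Per-session secret that the server embeds in its own pages and forms."""
    return secrets.token_urlsafe(32)


def origin(url: Optional[str]) -> Optional[str]:
    """Reduce a URL to scheme://host[:port], or None if it does not parse.

    Matching on origin rather than string prefix is what stops a Referer such as
    https://pegafpssdev.pg.com.evil.example/ from matching https://pegafpssdev.pg.com."""
    if not url:
        return None
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def is_protected(settings: CsrfSettings, req: Request) -> bool:
    """Does this target fall under the token check at all?"""
    listed = (req.activity in settings.activities) or (req.stream in settings.streams)
    if settings.secure_mode == "all":
        return not listed   # listed names are the exemptions
    return listed           # "specific": only listed names are secured


def check_request(settings: CsrfSettings, session_token: str, req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request under the given settings."""
    if not settings.token_check_enabled:
        return True, "csrf check disabled"
    if not is_protected(settings, req):
        return True, "target excluded from csrf check"
    # Constant-time comparison; bytes so a non-ASCII token cannot raise TypeError.
    if req.csrf_token is not None and hmac.compare_digest(
            req.csrf_token.encode("utf-8"), session_token.encode("utf-8")):
        return True, "valid csrf token"
    if settings.referrer_check_enabled:
        allowed = {origin(u) for u in settings.allowed_referrers}
        req_origin = origin(req.referer)
        if req_origin is not None and req_origin in allowed:
            return True, "referrer allowlisted"
    return False, "missing or invalid csrf token"


def page_settings() -> CsrfSettings:
    """The configuration built in the procedure above."""
    return CsrfSettings(
        token_check_enabled=True,
        secure_mode="all",
        activities={"SetChatParams", "GetCoBrowseConfigurations",
                    "czInvokeRouting", "czUpdateConversationOnChatClosure"},
        streams={"ProcessChatAPI"},
        referrer_check_enabled=True,
        allowed_referrers={"https://pegafpssdev.pg.com", "https://pegafpsschatdev.pg.com"},
    )


if __name__ == "__main__":
    s = page_settings()
    tok = new_session_token()
    samples = [  # constructed requests; UpdateProfile is a hypothetical protected activity
        Request(activity="SetChatParams"),                                   # chat activity: exempt
        Request(stream="ProcessChatAPI"),                                    # chat stream: exempt
        Request(activity="UpdateProfile", csrf_token=tok),                   # protected, token ok
        Request(activity="UpdateProfile", referer="https://evil.example/"),  # cross-site, no token
        Request(activity="UpdateProfile", referer="https://pegafpssdev.pg.com.evil.example/"),
        Request(activity="UpdateProfile", referer="https://pegafpssdev.pg.com/chat"),
    ]
    for r in samples:
        print(r.activity or r.stream, r.referer, check_request(s, tok, r))
```

The two things a practitioner should take from the model are that an exemption list is only as narrow as the names you put in it (each entry in Allowed Activities or Allowed Streams is reachable cross-site with no token), and that a referrer allowlist must be compared as a full origin, not as a prefix or substring, or a look-alike hostname will pass.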
