Security settings in the prconfig.xml file
The prconfig.xml file and Dynamic System Settings include parameters that control access to the Pega Platform™ database. As a best practice, use Dynamic System Settings rather than editing the prconfig.xml file; edit the prconfig.xml file only to override Dynamic System Settings for a specific node. For more information, see Modifying the prconfig.xml file and Dynamic System Settings.
Because settings in the prconfig.xml file might have been changed during development or might be inappropriate for a production environment, review the contents of this file before moving an application to production.
Not all these entries are relevant to your environment or security policies. Add only the entries that are suitable for your application and environment.
Many of the settings can be applied to your deployment environment as Dynamic System Settings by adding the prefix prconfig/ and appending the suffix /default to each setting. For example, the prconfig.xml setting cookie/HttpOnly becomes the Dynamic System Setting prconfig/cookie/HttpOnly/default. For more information, see Default Dynamic System Settings data instances.
If you are using custom authentication, review the Security implications column to determine how to match the behavior of the settings to your configuration.
Category | Entry name | Default setting | Secure setting | Security implications |
---|---|---|---|---|
Alerts/database | operationTimeThreshold/suppressInserts | true | true | Recommended for all deployments. Prevents SQL statements from being written to the alert log in clear text. By default, all entries in the alert log show all data associated with the alert, including customer ID numbers, passwords, and other sensitive data. Setting this entry to true prevents sensitive data from being written to the alert log. Prevents SQL injection attacks and prevents exposing sensitive information about how data is written to the database. |
Alerts/general | Includeparameterpage | false | false | Determines whether the parameter page of the topmost stackframe is included in the alert log when the alert is generated. Depending on what is processed when the alert is generated, the data from a work item or other sensitive records could be included in the log. The default behavior prevents Pega Platform from writing sensitive data to the alert log, which is a clear-text file. Setting this value to true will cause parameter page data to be written to the log. |
Alerts/parameterpage | obfuscateKeywords | Blank | See the Security implications column. | Lists alert keywords that are omitted from the alert content. The default setting automatically includes the operator's identifier and password. Add keywords as needed to ensure that all personally identifiable information (PII) is eliminated from the alert log. |
Alerts/parameterpage | allowedKeywords | Blank | Blank | Eliminates PII data from the alert log, making it potentially more difficult to resolve the issue reported by the alert. The following keywords are supported: pyActivity, pyStream, action, harnessName, StreamClass, StreamName, ViewClass, ViewPurpose, ViewOwner, objClass, insName, Format, openHandle, ActivityClassToExecute, ActivityNameToExecute, TaskStatus, FlowClass, FlowType, flowType, CustomActivityName, CustomActivityClassName, actionName, productName, productVersion, portal, pyAction, pyClassName, primaryPageClass, ViewInsKey, InsKey, pyReportName, pyReportClass. |
Alerts/parameterpage | remoteFilterType | Allowed | Allowed | Eliminates all clear-text information in the alert log, making it potentially more difficult to resolve the issue reported by the alert. |
authentication | UsePreauthenticationCookie | true | true | By default, Pega Platform generates a cookie for each user to track the user's requestor ID throughout the user session. The setting adds security to the cookie and helps guard against replay attacks. If this entry is set to false, the cookie contains the same value whether the user is authenticated or not. If this entry is set to true, Pega Platform uses a different cookie value when the requestor is not authenticated. |
crypto | onewayhashalgorithm | bcrypt | bcrypt | Hashing algorithm for operator password storage. As a best practice, configure this setting before creating the operator that is used during testing. The bcrypt default is salted. |
crypto | v5portable | true | true | Recommended for all deployments. The setting adds complexity to reversible encryption when using the Pega Platform portable cipher by adding a 128-bit AES-based cipher to the v5oneway encryption process to strengthen the encryption. |
Database | dumpStats | false | false | Recommended for all development and testing deployments. This is a high-volume-output tool only for use in development and testing environments. Do not use it in production. Prevents exposing sensitive information that could otherwise aid a hacker in predicting system behavior. |
HTTP | SetSecureCookie | false | true | Use this setting if running Pega Platform over HTTPS. The browser sends cookies only across SSL. This setting prevents exposure of the session ID cookie and prevents session hijacking. |
HTTP | UseNoCacheHeaders | false | true | Recommended for all deployments. Prevents dynamic content and sensitive information from being cached on the client, regardless of expiration time. Also disables tracer functionality and forces fresh loading of the dynamic content from the server for each request. Prevents session hijacking, injection attacks, and cross-site scripting. |
Initialization | DisableAutoComplete | false | true | Recommended for all deployments. This setting prevents client-side storage of user name and password combinations. Use this setting in conjunction with clearing any existing stored sensitive information in the browser. |
Initialization | DisplayExceptionTraceback | true | false | Recommended for all deployments. This setting prevents display of a stack trace when an error occurs, and removes the Show Exception Details button, which could expose sensitive information in a production environment. |
Initialization | ProfileApplication | false | false | Recommended for all deployments. This setting turns off the Application Profiler, which writes sensitive information to log files. |
Initialization | PromoteEmbeddedPortals | false | true | Recommended for all deployments. This setting prevents a Pega Platform HTML frame from being embedded in an invisible additional frame that could contain malicious code. |
Initialization | SubmitObfuscatedURL | optional | required | Recommended for all deployments. This setting also requires the urlencryption entry to be enabled. These two entries work as a pair. Causes Pega Platform to reject clear-text URLs. |
Initialization | Urldebug | none | none | Recommended for all deployments. This setting prevents obfuscated URLs from being written to the log file. This prevents exposing potentially sensitive information. |
Initialization | Urlencryption | false | true | Recommended for all deployments. This setting works as a pair with SubmitObfuscatedURL. The setting enables or disables the encryption of the URLs. |
Initialization | ErrorOnInvalidThreadName | false | true | Rejects requests whose URL contains invalid characters in the thread name, for example symbol characters, which can indicate a malicious request. |
Timeout | Browser | 3600 | 900 (or fewer) | Specifies the time-out value (in seconds) after which inactive users are passivated. |
Cookie | HTTPOnly | false | true | Prevents client-side JavaScript access to the PegaRULES cookie (for example, session identifier). |
Security | showSQLInListPage | true | false | Suppresses visibility of generated SQL on the clipboard page. |
Security | UnexpectedInputPropertyAlert | true | true | Ignores unexpected properties in a request. |
Security/CSP | PolicyEnabled | true | true | Enables Content Security Policy (CSP) support. |