Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

Enabling and configuring Cross-Site Request Forgery settings

Updated on July 1, 2021

Configure cross-site request forgery settings (CSRF) to prevent users from unintentionally making changes because of a CSRF attack. You can set validation for activities and streams, add host names to an allow list, and specify host names that you want checked for a CSRF token.

  1. In the header of Dev Studio, click ConfigureSystemSettingsCross-Site Request Forgery.
  2. Optional: To prevent the browser from submitting the PegaRULES cookie in a request from a non-originating site,complete the following steps:
    1. Select the Enable samesite cookie attribute checkbox.
    2. In the Samesite Options list, choose one of the following options:
      • None – If you select this option, Pega Platform offers no protection. The browser attaches the cookies in all cross-site browsing contexts.
      • Lax – If you select this option, Pega Platform provides a reasonable balance between security and usability for websites that want to maintain logged-in sessions after users arrive from an external link. The browser does not send cookies in requests from non-originating sites.
      • Strict – If you select this option, Pega Platform prevents the browser from sending cookies to the target site in all cross-site browsing contexts, including when following a regular link.
    For more information about samesite cookies, refer to the documentation from owasp.org.
  3. To enable CSRF settings, select Enable CSRF token check.
    Selecting this check box will enable the CSRF token validation.
  4. If you have enabled CSRF token check, select one of the following Secure fields:
    All activities & streams
    CSRF validation checks all activities and streams for CSRF tokens in your system. If you select this option, you can specify certain streams and activities to be excluded from CSRF token validation by entering them in the Allowed Activities field and the Allowed Streams field. Separate multiple activities and streams with commas.
    Specific activities & streams
    CSRF validation checks the activities and streams that you specify in the Secured Activities and Secured Streams fields for CSRF tokens. Separate multiple activities and streams with commas.
  5. Optional: To add names to a safe "allow list" of host names to ignore during CSRF token validation, perform the following actions.
    1. In the Referrer Settings section, select Enable referrer check.
    2. Select the Allow domains only if matches exactly with Referrer check box to allow requests which exactly match the URL given in the Allowed referrers field.
      • If Enable referrer check is checked and http://pega.com is provided in Allowed referrers, then http://pega.com.xyz is valid, but http://xyz.pega.com is not valid.
      • If Allow domains only if matches exactly with Referrer is checked in addition to the conditions above, only the exact match http://pega.com is valid, but not http://pega.com.xyz or http://xyz.pega.com.
    3. In the Allowed referrers field, enter host names that you want to be checked for a CSRF token. Separate multiple host names with commas.
  6. Click Submit.
  7. If you changed the value of Enable CSRF token check, you must restart your system for the new value to take effect.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us