Verify requests at the application layer
Pega Platform protects access to information in your application by using role-based settings and access control policies. Pega Platform provides additional request verification when you use autogenerated controls.
As a security best practice, and to conform to platform guardrails, use autogenerated controls. You can manually configure custom (non-autogenerated) controls for increased security.
Verifying requests when using custom controls describes how to manually configure non-autogenerated controls for increased security.
Using Access Control Checks describes how to identify broken custom code that must be fixed. If you do not fix broken access controls, when you enable security protections and the application goes into hardening, the broken features may stop working or may not work properly.
You can block unauthorized requests by using three when rules, which are defined on @baseclass. The following list describes the when rules that are used to enable the application protection feature.
pzSecureFeatures
When rule name:pzSecureFeatures
- Description: Turns application level checking on or off
- Default value:
True
when- the portal is not Dev
Studio, App Studio, Admin Studio, or
Prediction Studio.
AND
- the client is not mobile or hybrid.
- the portal is not Dev
Studio, App Studio, Admin Studio, or
Prediction Studio.
- Behavior when
true
: Application level checking is on. When an access violation is found, a security alert is logged that says "Unregistered request encountered"; default behavior. - Behavior when
false
: Application level checking is off.
pyShowSecureFeatureWarnings
When rule name:pyShowSecureFeatureWarnings
- Description: Controls display of a warning to the end user
- Default value:
False
- Behavior when
true
: When an access violation is found and pyBlockUnregisteredRequests is false, a Pega warning is displayed to the user saying "URL tampering vulnerability detected." - Behavior when
false
: The access control warning is not displayed to the user; default behavior.
pyBlockUnregisteredRequests
When rule name:pyBlockUnregisteredRequests
- Description: Controls the HTTP response
- Default value:
pxProcess.pzProductionLevel ≥ 4
- Behavior when
: When an access violation is found, the server responds with HTTP status 403, and the user sees a browser error saying the request is forbidden.pxProcess.pzProductionLevel ≥ 4
- Behavior when
: The request is processed normally; default behavior.pxProcess.pzProductionLevel < 4
If the pyBlockUnregisteredRequests when
rule evaluates to true
, the following dynamic system setting
becomes applicable:
security/validateReloadParameters
Dynamic system setting name: security/validateReloadParameters
- Description: Controls the HTTP response. This dynamic system setting is installed as part of the Pega Platform version 8.6.6 update and is available in the Pega-Engine ruleset.
- Default value:
false
- Behavior when the dynamic system setting is
true
: If an access violation is found, Pega Platform rejects the HTTP request and security alert SECU0019 appears on the security alert log. - Behavior when the dynamic system setting is
false
: If an access violation is found, Pega Platform accepts the HTTP request and security alert SECU0019 appears on the security alert log.
- Verifying requests when using custom controls
Pega Platform protects access to information in your application by using role-based settings and access control policies. Pega Platform provides additional request verification when you use autogenerated controls.
Previous topic Securing Cosmos React-UI applications Next topic Verifying requests when using custom controls