Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

Verify requests at the application layer

Updated on June 30, 2021

Pega Platform protects access to information in your application by using role-based settings and access control policies. Pega Platform provides additional request verification when you use autogenerated controls.

As a security best practice, and to conform to platform guardrails, use autogenerated controls. You can manually configure custom (non-autogenerated) controls for increased security.

Verifying requests when using custom controls describes how to manually configure non-autogenerated controls for increased security.

Using Access Control Checks describes how to identify broken custom code that must be fixed. If you do not fix broken access controls, when you enable security protections and the application goes into hardening, the broken features may stop working or may not work properly.

You can block unauthorized requests by using three when rules, which are defined on @baseclass. The following list describes the when rules that are used to enable the application protection feature.

Note: When pzSecureFeatures is false, no access checking is performed and the other two when rules are ignored.

pzSecureFeatures

When rule name:pzSecureFeatures

  • Description: Turns application level checking on or off
  • Default value:True when
    • the portal is not Dev Studio, App Studio, Admin Studio, or Prediction Studio.

      AND

    • the client is not mobile or hybrid.
    In other words, the access control check is not done when the client is using Dev Studio, App Studio, Admin Studio, or Prediction Studio and the client is mobile or hybrid. The check is done everywhere else.
  • Behavior when true: Application level checking is on. When an access violation is found, a security alert is logged that says "Unregistered request encountered"; default behavior.
  • Behavior when false: Application level checking is off.

pyShowSecureFeatureWarnings

When rule name:pyShowSecureFeatureWarnings

  • Description: Controls display of a warning to the end user
  • Default value:False
  • Behavior when true: When an access violation is found and pyBlockUnregisteredRequests is false, a Pega warning is displayed to the user saying "URL tampering vulnerability detected."
  • Behavior when false: The access control warning is not displayed to the user; default behavior.

pyBlockUnregisteredRequests

When rule name:pyBlockUnregisteredRequests

  • Description: Controls the HTTP response
  • Default value:pxProcess.pzProductionLevel ≥ 4
    Note: The default value is False when the production level is < 4. When production level is changed to 4, the value changes to True.
  • Behavior when pxProcess.pzProductionLevel ≥ 4: When an access violation is found, the server responds with HTTP status 403, and the user sees a browser error saying the request is forbidden.
  • Behavior when pxProcess.pzProductionLevel < 4: The request is processed normally; default behavior.
Note:

Pega Platform version 8.5 introduced this feature. When pyBlockUnregisteredRequests is enabled in development, the application development team can detect and respond to any problems with unauthorized or unregistered requests well ahead of application staging and production deadlines. In Pega Platform versions 8.5.6 and higher and 8.6.3 and higher, the when rule blocks unauthorized requests by default at production level 2 (Development/Test) or higher. In versions prior to 8.5.6 and 8.6.3, the when rule blocks unauthorized requests by default at production level values of 4 (4 is Staging, 5 is Production) or higher. See Verifying requests when using custom controls for registration steps for the user request based on the various scenarios. As a security best practice, ensure that you properly enable pyBlockUnregisteredRequests to return a value of True to block unregistered requests.

If the pyBlockUnregisteredRequests when rule evaluates to true, the following dynamic system setting becomes applicable:

security/validateReloadParameters

Dynamic system setting name: security/validateReloadParameters

  • Description: Controls the HTTP response. This dynamic system setting is installed as part of the Pega Platform version 8.6.6 update and is available in the Pega-Engine ruleset.
  • Default value:false
  • Behavior when the dynamic system setting is true: If an access violation is found, Pega Platform rejects the HTTP request and security alert SECU0019 appears on the security alert log.
  • Behavior when the dynamic system setting is false: If an access violation is found, Pega Platform accepts the HTTP request and security alert SECU0019 appears on the security alert log.

  • Verifying requests when using custom controls

    Pega Platform protects access to information in your application by using role-based settings and access control policies. Pega Platform provides additional request verification when you use autogenerated controls.

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us