Verify requests at the application layer
Pega Platform protects access to information in your application by using role-based settings and access control policies. Pega Platform provides additional request verification when you use autogenerated controls.
As a security best practice, and to conform to platform guardrails, use autogenerated controls. You can manually configure custom (non-autogenerated) controls for increased security.
Verifying requests when using custom controls describes how to manually configure non-autogenerated controls for increased security.
Using Access Control Checks describes how to identify broken custom code that must be fixed. If you do not fix broken access controls before you enable security protections and harden the application, the broken features may stop working or may not work properly.
You can block unauthorized requests by using three when rules, which are defined on @baseclass. The following list describes the when rules that are used to enable the application protection feature.
pzSecureFeatures
When rule name: pzSecureFeatures
- Description: Turns application level checking on or off
- Default value: True when the portal is not Dev Studio, App Studio, Admin Studio, or Prediction Studio, AND the client is not mobile or hybrid.
- Behavior when true: Application level checking is on. When an access violation is found, a security alert is logged that says "Unregistered request encountered"; default behavior.
- Behavior when false: Application level checking is off.
pyShowSecureFeatureWarnings
When rule name: pyShowSecureFeatureWarnings
- Description: Controls display of a warning to the end user
- Default value: False
- Behavior when true: When an access violation is found and pyBlockUnregisteredRequests is false, a Pega warning is displayed to the user saying "URL tampering vulnerability detected."
- Behavior when false: The access control warning is not displayed to the user; default behavior.
Note: pyBlockUnregisteredRequests is active by default when the application is in production, shown in pxProcess.pzProductionLevel ≥ 2.
pyBlockUnregisteredRequests
When rule name: pyBlockUnregisteredRequests
- Description: Controls the HTTP response
- Default value: pxProcess.pzProductionLevel ≥ 2
Note: The default value is False when the production level is < 2. When the production level is changed to 2, the value changes to True.
- Behavior when true (pxProcess.pzProductionLevel ≥ 2): When an access violation is found, the server responds with HTTP status 403, and the user sees a browser error saying the request is forbidden.
- Behavior when false (pxProcess.pzProductionLevel < 2): The request is processed normally; default behavior.
Pega Platform version 8.5 introduced this feature. When pyBlockUnregisteredRequests is enabled in development, the application development team can detect and respond to any problems with unauthorized or unregistered requests well ahead of application staging and production deadlines. In Pega Platform versions 8.5.6 and higher, 8.6.3 and higher, and 8.7 and higher, the when rule blocks unauthorized requests by default at production level 2 (Development/Test) or higher. In versions prior to 8.5.6, 8.6.3, and 8.7, the when rule blocks unauthorized requests by default at production level values of 4 (4 is Staging, 5 is Production) or higher. See Verifying requests when using custom controls for registration steps for the user request based on the various scenarios. As a security best practice, ensure that you properly enable pyBlockUnregisteredRequests to return a value of True to block unregistered requests.
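The interplay of the three when rules above, as an added Python model that is not Pega's own code: the rule names and the outcomes (logged alert, user warning, HTTP 403) come from this page, while the RequestContext fields and the block_threshold parameter are assumptions used to reproduce the documented defaults, including the older production-level-4 default.

```python
from dataclasses import dataclass
from typing import Optional

# Portals and clients for which pzSecureFeatures defaults to False
STUDIO_PORTALS = {"Dev Studio", "App Studio", "Admin Studio", "Prediction Studio"}
EXEMPT_CLIENTS = {"mobile", "hybrid"}


@dataclass
class RequestContext:
    """Constructed request context; field names are assumptions, not Pega properties."""
    portal: str                 # portal that served the request
    client: str                 # "browser", "mobile" or "hybrid"
    production_level: int       # pxProcess.pzProductionLevel (1..5)
    block_threshold: int = 2    # 4 in versions before 8.5.6 / 8.6.3 / 8.7
    # Explicit overrides of the when rules; None means "use the documented default"
    secure_features: Optional[bool] = None
    show_warnings: Optional[bool] = None
    block_unregistered: Optional[bool] = None


def pz_secure_features(ctx: RequestContext) -> bool:
    if ctx.secure_features is not None:
        return ctx.secure_features
    return ctx.portal not in STUDIO_PORTALS and ctx.client not in EXEMPT_CLIENTS


def py_show_secure_feature_warnings(ctx: RequestContext) -> bool:
    return False if ctx.show_warnings is None else ctx.show_warnings


def py_block_unregistered_requests(ctx: RequestContext) -> bool:
    if ctx.block_unregistered is not None:
        return ctx.block_unregistered
    return ctx.production_level >= ctx.block_threshold


def handle_unregistered_request(ctx: RequestContext) -> dict:
    """Outcome when a request hits a control that is not registered (an access violation)."""
    outcome = {"checked": False, "alert": None, "warning": None, "http_status": 200}
    if not pz_secure_features(ctx):
        return outcome  # application level checking is off: request processed normally
    outcome["checked"] = True
    outcome["alert"] = "Unregistered request encountered"  # security alert is logged
    if py_block_unregistered_requests(ctx):
        outcome["http_status"] = 403  # browser shows "request is forbidden"
    elif py_show_secure_feature_warnings(ctx):
        outcome["warning"] = "URL tampering vulnerability detected."
    return outcome
```

Running a request through handle_unregistered_request with production_level=1 shows why an unregistered custom control goes unnoticed in a low-level environment but returns 403 once the level reaches 2, which is what the best-practice advice above is guarding against.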