Links may not function; however, this content may be relevant to outdated versions of the product.
Verifying requests at the application layer
Pega Platform™ protects access to information in your application by using role-based settings and access control policies. Pega Platform provides additional request verification when you use autogenerated controls. As a best practice, and to conform to platform guardrails, use autogenerated controls. You can manually configure custom (non-autogenerated) controls for increased security.
The article Verifying requests when using custom controls describes how to manually configure non-autogenerated controls.
You can verify requests at the application level by using three when rules, which are defined on @baseclass. You can override these when rules in your application. The following table describes the when rules that are used to handle the application protection feature.
When rule name | Description | Default value | Behavior when true | Behavior when false |
---|---|---|---|---|
pySecureFeatures | Turns application level checking on or off | True when (a) the portal is not Dev Studio, App Studio, Admin Studio, or Prediction Studio and (b) the client is not mobile or hybrid. In other words, the access control check is not done when the client is using Dev Studio, App Studio, Admin Studio, or Prediction Studio; and the client is mobile or hybrid. The check is done everywhere else. | Application level checking is on. When an access violation is found, a security alert is logged that says "Unregistered request encountered" (default behavior). | Application level checking is off. |
pyShowSecureFeatureWarnings | Controls display of a warning to the end user | False | When an access violation is found and pyBlockUnregisteredRequests is false, a Pega warning is displayed to the user saying "URL tampering vulnerability detected." | The access control warning is not displayed to the user (default behavior). |
pyBlockUnregisteredRequests | Controls the HTTP response | False | When an access violation is found, the server responds with HTTP status 403, and the user sees a browser error saying the request is forbidden. | The request is processed normally (default behavior). |