Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

This content has been archived and is no longer being updated.

Links may not function; however, this content may be relevant to outdated versions of the product.

Verifying requests at the application layer

Updated on September 10, 2021

Pega Platform™ protects access to information in your application by using role-based settings and access control policies.  Pega Platform provides additional request verification when you use autogenerated controls.  As a best practice, and to conform to platform guardrails, use autogenerated controls. You can manually configure custom (non-autogenerated) controls for increased security.

The article Verifying requests when using custom controls describes how to manually configure non-autogenerated controls.

You can verify requests at the application level by using three when rules, which are defined on @baseclass.  You can override these when rules in your application. The following table describes the when rules that are used to handle the application protection feature.  

Note: When pySecureFeatures is false, no access checking is performed and the other two when rules are ignored.
When rule nameDescriptionDefault valueBehavior when trueBehavior when false
pySecureFeaturesTurns application level checking on or off

True when (a) the portal is not Dev Studio, App Studio, Admin Studio, or Prediction Studio and (b) the client is not mobile or hybrid.

In other words, the access control check is not done when the client is using Dev Studio, App Studio, Admin Studio, or Prediction Studio; and the client is mobile or hybrid. The check is done everywhere else.

Application level checking is on. When an access violation is found, a security alert is logged that says "Unregistered request encountered" (default behavior).Application level checking is off.
pyShowSecureFeatureWarningsControls display of a warning to the end userFalseWhen an access violation is found and pyBlockUnregisteredRequests is false, a Pega warning is displayed to the user saying "URL tampering vulnerability detected."The access control warning is not displayed to the user (default behavior).
pyBlockUnregisteredRequestsControls the HTTP responseFalseWhen an access violation is found, the server responds with HTTP status 403, and the user sees a browser error saying the request is forbidden.The request is processed normally (default behavior).
As described in the table above, the default behavior of pyBlockUnregisteredRequests is to process unregistered requests, without issuing an HTTP error. This default allows your application to behave as expected while you work on configuring your custom controls as described in Verifying requests when using custom controls.  Once you have ensured that all of your custom controls have been configured, override pyBlockUnregisteredRequests so that it returns true and blocks unregistered requests.




Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us