Set the policy directives for each category displayed. Click the title of a category to display or hide its fields.
The Base-URI directive restricts the URLs that can be used in the document's <base> element, which sets the document base URL. Most websites use relative links, which tell a web browser where a resource is relative to the current location. A browser combines the document's base Uniform Resource Identifier (URI) with the relative link to create a full path to that resource. An attacker who can inject a <base> element, and so control the base URI, can force the user's browser to pull relatively addressed resources such as scripts from the attacker's site. This directive does not inherit from Default-Src, so set it explicitly.
The Connect-Src directive restricts the URLs to which scripts in the protected resource can open connections. This restriction covers, but is not limited to, fetch(), EventSource, WebSocket, and XMLHttpRequest (the mechanism behind AJAX) connections. Limiting these connection targets protects users from attacks in which injected script makes the user's browser send data to, or fetch content from, another site without alerting the user. Use this directive to list the origins that your application legitimately contacts, for example as part of a Cross-Origin Resource Sharing (CORS) setup.
Pegasystems recommends adding specific websites for cross-origin requests to the Allowed Websites list. Avoid using Allow-All.
The Font-Src directive controls the locations from which web fonts can be loaded. Font files are parsed by the browser's font engine, and malformed fonts have been used to exploit vulnerabilities in that code, so loading a font from an untrusted site can compromise a user's browser.
Pegasystems recommends adding the specific websites that serve your fonts to the Allowed Websites list. Avoid using Allow-All.
The Form-Actions directive (form-action in the Content-Security-Policy header) governs the URLs that can be used as the action of an HTML <form> element. An attacker who can inject markup into a page could otherwise add a form, or change the action of an existing one, so that the user submits potentially confidential information to the attacker's website. This directive does not inherit from Default-Src, so set it explicitly.
Pegasystems recommends adding specific websites to the Allowed Form Actions list. Avoid using Allow-All.
The Frame-Ancestors directive restricts which websites can embed your application by using a <frame>, <iframe>, <object>, <embed>, or <applet> element. Without it, an attacker can embed your application in a malicious site and overlay it with invisible or misleading elements so that users are tricked into clicking and typing in your application without realizing it (clickjacking). This directive does not inherit from Default-Src and, where supported, takes precedence over the X-Frame-Options header.
Pegasystems recommends adding specific websites to the Allowed Websites list. Avoid using Allow-All.
The Child-Src directive manages the content sources that your application can load in <frame> and <iframe> elements; it is also the fallback for the Frame-Src and Worker-Src directives when those are not set. If an attacker can control a frame source, the frame can pull malicious content, including cross-site scripting payloads, into the browser of a user of your application. Avoid using Allow-All.
The Img-Src directive controls the sources from which your application can load images. An attacker who can inject markup, for example through a cross-site scripting attack, can use an <img> element to extract confidential information: the image source points at the attacker's own site, with content from the page (such as a token or a form value) appended to the URL. The image does not need to exist; the browser still sends the request, and the attacker reads the leaked page content from the malicious site's access logs.
Pegasystems recommends adding specific websites to the Allowed Websites list. Avoid using Allow-All.
The Media-Src directive manages the sources from which your application can load media such as video and audio files. An attacker who can compromise a page to load a malicious media file could exploit a flaw in the browser's media handling and compromise the user's computer.
Pegasystems recommends adding specific websites to the Allowed Websites list. Avoid using Allow-All.
The Object-Src directive manages sources from which your application can download objects using the <object>, <embed>, and <applet> elements. Such objects include Flash files, Java applets, scripts in other languages, and generic text documents. Flash files and Java applets can run any kind of code; if an attacker can compromise a page to load a malicious object, the user's computer could be compromised.
Pegasystems recommends adding specific websites to the Allowed Websites list. Avoid using Allow-All.
The Plugin-Types directive lists the MIME types of resources that can be retrieved and used to instantiate plug-ins. Used together with other directives, particularly Object-Src, it ensures that only content of the expected type is loaded by a plug-in, even from a permitted source. Without it, an attacker who can upload malicious content, such as a Java applet, to a source that is allowed in Object-Src could have that content executed. Note that this directive has since been dropped from the CSP specification and removed from Chromium-based browsers, so do not rely on it alone; restrict Object-Src as well.
Pegasystems recommends that you add allowed plug-in types to the list, as described above, or leave the list blank and use other directives carefully to ensure that the user's computer is not compromised.
The Sandbox directive applies an HTML sandbox policy, like the sandbox attribute of an <iframe>, to the protected resource itself. The available settings correspond to the sandbox flags defined in the World Wide Web Consortium (W3C) specification; each selected option lifts one restriction, for example allowing scripts or form submission. If the settings are too permissive, content that an attacker injects into the page or loads through a frame keeps the full capabilities of the page.
Pegasystems recommends that you select all of the following options. This is the most permissive setting, which may be required for your application to work properly. For a more restrictive policy, clear the options that you want to block.
The Script-Src directive restricts the scripts that the protected resource can run, protecting users against script injection attacks (for example, XSS).
Pegasystems recommends adding specific websites to the Allowed Websites list. Avoid using Allow-All.
See the W3C documentation for specifying ‘unsafe-inline’ and ‘unsafe-eval’. Note that ‘unsafe-inline’ in Script-Src allows any injected inline script to run, which largely defeats the protection that this directive provides; prefer nonces or hashes for inline scripts that you cannot move into external files.
The Style-Src directive governs the sources of styles (stylesheets) that can be used, whether in a <style> element or from an external stylesheet. A stylesheet loaded from a malicious site can make your application unusable or deceptive by overlaying content with images, changing colors, reducing opacity, or hiding your content entirely.
Pegasystems recommends adding specific websites to the Allowed Websites list. Avoid using Allow-All.
See the W3C documentation for specifying ‘unsafe-inline’ and ‘unsafe-eval’.
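The following script, an added example that is not Pega's code, turns the recommendations in this topic (avoid Allow-All, set Base-URI, Form-Actions and Frame-Ancestors explicitly, avoid ‘unsafe-inline’ in Script-Src) into a small linter for a Content-Security-Policy header string. The fallback table follows the CSP Level 3 rules: Frame-Src falls back to Child-Src and then Default-Src, while Base-URI, Form-Action and Frame-Ancestors never fall back. The two policies and the hostnames in them are constructed for illustration.

```javascript
'use strict';

// Added example, not Pega's code: parse a Content-Security-Policy header and
// lint it against the recommendations in this topic.

// CSP Level 3 fallback chains. When a directive is absent the browser uses the
// next directive in its chain; base-uri, form-action and frame-ancestors never
// fall back, so leaving them out leaves them unrestricted.
const FALLBACK = {
  'script-src': ['default-src'],
  'style-src': ['default-src'],
  'img-src': ['default-src'],
  'font-src': ['default-src'],
  'media-src': ['default-src'],
  'object-src': ['default-src'],
  'connect-src': ['default-src'],
  'child-src': ['default-src'],
  'frame-src': ['child-src', 'default-src'],
  'worker-src': ['child-src', 'script-src', 'default-src'],
  'base-uri': [],
  'form-action': [],
  'frame-ancestors': [],
};

// Sources that amount to Allow-All: any host, or any host over a scheme.
const ALLOW_ALL = new Set(['*', 'http:', 'https:']);
const isAllowAll = (src) => ALLOW_ALL.has(src.toLowerCase());

// Parse "name value value; name value" into a Map of name -> [values].
// Browsers honor only the first occurrence of a directive, so later
// duplicates are dropped here as well.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Resolve the source list the browser will actually enforce for a directive by
// walking its fallback chain. Returns null when nothing applies (unrestricted).
function effectiveSources(policy, directive) {
  for (const name of [directive, ...(FALLBACK[directive] || [])]) {
    if (policy.has(name)) return { from: name, sources: policy.get(name) };
  }
  return null;
}

const FETCH_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'font-src',
  'media-src', 'object-src', 'connect-src', 'frame-src', 'child-src'];
const NO_FALLBACK = ['base-uri', 'form-action', 'frame-ancestors'];

// Return a list of findings; an empty list means the policy follows the
// recommendations in this topic.
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const d of FETCH_DIRECTIVES) {
    const eff = effectiveSources(policy, d);
    if (eff === null) {
      findings.push(`${d}: unrestricted (not set and no default-src)`);
    } else if (eff.sources.some(isAllowAll)) {
      findings.push(`${d}: Allow-All source via ${eff.from}`);
    }
  }
  for (const d of NO_FALLBACK) {
    if (!policy.has(d)) findings.push(`${d}: not set (does not fall back to default-src)`);
    else if (policy.get(d).some(isAllowAll)) findings.push(`${d}: Allow-All source`);
  }
  const script = effectiveSources(policy, 'script-src');
  if (script) {
    // A nonce or hash makes browsers ignore 'unsafe-inline', so flag it only
    // when neither is present.
    const hasNonceOrHash = script.sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
    if (script.sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("script-src: 'unsafe-inline' without nonce or hash lets injected inline scripts run");
    }
    if (script.sources.includes("'unsafe-eval'")) {
      findings.push("script-src: 'unsafe-eval' permits eval() and new Function()");
    }
  }
  return findings;
}

// Constructed policies for illustration; the hostnames are placeholders.
const WEAK_POLICY = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'";
const STRICT_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; " +
  "style-src 'self'; img-src 'self' data:; font-src 'self'; " +
  "connect-src 'self' https://api.example.com; object-src 'none'; " +
  "frame-src https://partner.example.com; frame-ancestors 'self'; " +
  "base-uri 'self'; form-action 'self'";

console.log('weak:', lintCsp(WEAK_POLICY));
console.log('strict:', lintCsp(STRICT_POLICY));
```

Run it with node and compare the two outputs: the weak policy produces a finding for every fetch directive (all of them resolve to the wildcard in Default-Src), three findings for the directives that never fall back, and two for the unsafe keywords, while the strict policy produces none. The effectiveSources() helper is the part worth keeping: it shows which directive a browser will actually consult for a frame, worker or image when the specific directive is missing from the policy you configure on this tab.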
The following task is supported on this tab: