Question

5
Replies
210
Views
Close popover
Samik Mallik (SamikMallik)
Scotiabank
Senior Software Engineer
Scotiabank
CA
View Profile Send Message
SamikMallik Member since 2007 3 posts
Scotiabank
Posted: June 11, 2020
Last activity: July 24, 2020

Application's Content Security Policy

What is the impact on the Out of the Box functionalities of using "pxDefaultSecured" Policy combining with "Reject & Report" Mode in Pega Platform 7.4 and "Customer Service for Financial Services 7.4"?

 

 

***Edited by Moderator Marissa to update Support Case Details***

Pega Platform 7.4 Pega Customer Service for Financial Services 7.4 Security Financial Services Support Case Exists Support Case Created
Close popover
Posted: 9 months ago
Close popover
Samik Mallik (SamikMallik)
Scotiabank
Senior Software Engineer
Scotiabank
CA
View Profile Send Message

To elaborate the above question a little:

During one of the Security Scans of our application, we got the following comment from the system:

"Insufficient Content Security Policy – While the application implements a Content Security Policy (CSP), this policy is exceptionally lax and provides little to no protection. If the application is opened in modern browsers, including Edge, the policy also allows the application to be loaded into an IFRAME overruling other security headers."

Any help in this regard is appreciated.

Posted: 9 months ago
Close popover
Brad Tainter (Br@dTainter_GCS)
PEGA
Client Solutions Fellow
Pegasystems Inc.
US
View Profile Send Message

Hi Samik,

Pega provides the capability to add Content Security Policies as described in the following URL:  https://community.pega.com/sites/default/files/help_v74/procomhelpmain.htm#rule-/rule-access-/rule-access-csp/main.htm

You should be able to make use of "pxDefaultSecured" Policy combining with "Reject & Report" Mode in Pega Platform 7.4 and "Customer Service for Financial Services 7.4".  Testing needs to be completed to validate your application isn't impacted by the policy configuration.  As every application can be different, if adjustments need to be made, then you can SaveAs from the default policy to your own policy.

Regarding your finding above, I have asked the engineer under the related case to open a product SR to review the details from your scan.  

Posted: 9 months ago
Updated: 9 months ago
Close popover
John Paul Raja Christu Raja (JohnPaulRaja,C)
Perseus
Consultant
Perseus
US
View Profile Send Message

Can you check your application is enabled with Cross-Site Request Forgery (CSRF) settings, if it is enabled it will prevent your application from IFRAME loading in third party application.

Reference link

https://community.pega.com/knowledgebase/articles/security/configuring-csrf-protection

After the DSS add or change, restart the server and do the security scan.

CSRF example 

<!DOCTYPE html>
<html>
<body>

<h1>The iframe element</h1>

<iframe src="https://www.w3schools.com" title="W3Schools Free Online Web Tutorials">
</iframe>

</body>
</html>

If you run this code from local or any server, W3schools won't allow to show the website in Iframe. Our pega app also should work this way.

 

 

 

Posted: 8 months ago
Close popover
Eric Rietveld (Eric Rietveld)
PEGA
Principal System Architect
Pegasystems Inc.
NL
View Profile Send Message

Hi Samik and John,

The IFraming issues are not directly relates to CSRF configuration.

The Frame-Ancestors directive in your CSP (Content Security Policy) probably needs a stricter policy. Configure your own policy based on the pxDefaultSecured and update that directive as suggested by Brad.

Also, to protect the login screen, set the DSS prconfig/initialization/PromoteEmbeddedPortals/default to true. As described in https://community.pega.com/knowledgebase/articles/security/dynamic-system-settings-application-security

Please also consider upgrading to the most recent Pega version to get various security enhancements.

Eric
Share this page Share via LinkedIn Copying...
Copied!