Posted: 11 Jun 2020 10:54 EDT Last activity: 24 Jul 2020 13:13 EDT
Application's Content Security Policy
What is the impact on the out-of-the-box functionality of using the "pxDefaultSecured" policy combined with "Reject & Report" mode in Pega Platform 7.4 and "Customer Service for Financial Services 7.4"?
***Edited by Moderator Marissa to update Support Case Details***
During one of the Security Scans of our application, we got the following comment from the system:
"Insufficient Content Security Policy – While the application implements a Content Security Policy (CSP), this policy is exceptionally lax and provides little to no protection. If the application is opened in modern browsers, including Edge, the policy also allows the application to be loaded into an IFRAME, overruling other security headers."
You should be able to make use of the "pxDefaultSecured" policy combined with "Reject & Report" mode in Pega Platform 7.4 and "Customer Service for Financial Services 7.4". Testing needs to be completed to validate that your application isn't impacted by the policy configuration. As every application can be different, if adjustments need to be made, then you can Save As from the default policy to your own policy.
Regarding your finding above, I have asked the engineer under the related case to open a product SR to review the details from your scan.
The iframing issues are not directly related to the CSRF configuration.
The frame-ancestors directive in your CSP (Content Security Policy) probably needs a stricter policy. Configure your own policy based on pxDefaultSecured and update that directive as suggested by Brad.
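As an added example, not Pega code and not the content of the pxDefaultSecured policy (which this thread does not show), here is a small Python checker that parses a Content-Security-Policy header, flags the lax settings a scan like the one quoted above complains about (unrestricted frame-ancestors, wildcard and unsafe-inline sources, no reporting endpoint for a "Reject & Report" style mode), and rewrites frame-ancestors the way the replies suggest. The two policy strings and the /csp-report endpoint are constructed for illustration only.

```python
"""Audit and harden a Content-Security-Policy header string.

Constructed example; the policies below are illustrative and are not the
real pxDefaultSecured policy shipped with Pega Platform.
"""
from typing import Dict, List

# Constructed sample policies (assumptions, not taken from any product).
LAX_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; frame-ancestors *"
STRICT_CSP = (
    "default-src 'self'; script-src 'self'; "
    "frame-ancestors 'self'; report-uri /csp-report"  # /csp-report is hypothetical
)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directive names are case-insensitive, and browsers honour only the first
    occurrence of a directive, so a repeated directive is ignored here too.
    """
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def serialize_csp(directives: Dict[str, List[str]]) -> str:
    """Inverse of parse_csp: join directives back into a header value."""
    return "; ".join(
        f"{name} {' '.join(sources)}".strip() for name, sources in directives.items()
    )


def set_directive(header: str, name: str, sources: List[str]) -> str:
    """Return the header with `name` replaced (or added) by the given sources.

    This is the 'Save As the default policy and tighten one directive' step
    from the replies, expressed on the raw header string.
    """
    directives = parse_csp(header)
    directives[name.lower()] = list(sources)
    return serialize_csp(directives)


def frame_ancestors_allows_any_origin(sources: List[str]) -> bool:
    """True if frame-ancestors lets any site frame the page.

    '*' or a bare scheme (http:/https:) matches every origin on that scheme.
    """
    return "*" in sources or any(s.lower() in ("http:", "https:") for s in sources)


def audit_csp(header: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    d = parse_csp(header)
    findings: List[str] = []

    fa = d.get("frame-ancestors")
    if fa is None:
        findings.append(
            "frame-ancestors missing: CSP does not restrict framing, only an "
            "X-Frame-Options header (if sent) does"
        )
    elif frame_ancestors_allows_any_origin(fa):
        # CSP Level 3: when frame-ancestors is present, X-Frame-Options is
        # ignored, so a wildcard here also neutralises that header.
        findings.append(
            "frame-ancestors allows any origin: page can be framed by any site, "
            "and X-Frame-Options is ignored once frame-ancestors is present"
        )

    # script-src falls back to default-src, so both are worth checking.
    for name in ("default-src", "script-src"):
        for bad in ("*", "'unsafe-inline'", "'unsafe-eval'"):
            if bad in d.get(name, []):
                findings.append(f"{name} permits {bad}")

    if "report-uri" not in d and "report-to" not in d:
        findings.append(
            "no report-uri/report-to: violations are blocked silently, not reported"
        )
    return findings


if __name__ == "__main__":
    for label, policy in (("lax", LAX_CSP), ("strict", STRICT_CSP)):
        print(f"[{label}] {policy}")
        for finding in audit_csp(policy) or ["no findings"]:
            print("  -", finding)
    print("[hardened]", set_directive(LAX_CSP, "frame-ancestors", ["'self'"]))
```

Run it as a script to see the findings for both constructed policies. The check that matters for the scan result above is the frame-ancestors one: a missing directive leaves framing to X-Frame-Options, while a wildcard directive both permits framing and causes supporting browsers to ignore X-Frame-Options, which is what "overruling other security headers" refers to.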