Question


Hawaii Medical Service Association
US
Last activity: 26 Jun 2017 9:17 EDT
How do we resolve, "This application's Content Security Policy on the Integration tab has been left blank. It is recommended to use a default policy or create your own prior to migrating to a production environment."?
This is an informational warning on the application rule.


Pegasystems Inc.
US
I am assuming that the application in question is going to be used in production. If so, I would encourage you to develop a customized content security policy rather than using pxDefaultAllowAll to make the warning go away. A content security policy will help to reduce your exposure to a variety of security threats by limiting the content in your application to only the sources that you white list.


Hawaii Medical Service Association
US
Hi Matthew,
Are there any more details about the content security policy that I can refer to?


Pegasystems Inc.
US
Gyan,
Probably the best first stop on learning about content security policy is the wikipedia article (https://pdn.pega.com/sites/pdn.pega.com/files/help_v72/procomhelpmain.htm#rule-/rule-access-/rule-access-csp/definition.…).
Matt


Hawaii Medical Service Association
US
Thanks Matthew


StratosphereTC
US
Hi Matt,
Ours is a 7.1.5 application. Can you tell us how we can create a Content Security Policy in Pega 7.1.5?
Many thanks in advance!
Geeta


Pegasystems Inc.
US
Hi Geeta,
Content Security Policy was not introduced in Pega until 7.1.6. I would suggest that you look at this reference for adding a policy via your load balancer or web server: https://content-security-policy.com/


StratosphereTC
US
Thank you very much for your reply, @BradTainter_GCS! We will look at the link you suggested. Thanks again! :)
Geeta


Telstra
AU
Assuming most of the Pega Apps are in internal network, it'd be nice to know which OOTB Content Security Policy rule we can use so that we don't have to customize.


Pegasystems Inc.
US
Hi Abhijith,
Pega 7 comes with 2 Content Security Policies out of the box: pxDefaultAllowAll and pxDefaultSecured. You can open up those rules and review the policies in place for each. On the application rule you can define whether to reject and report or to report only. You may consider setting the policy to report only for each to see what headers get specified on the response. Then you can review and determine which one to put in place. https://pdn.pega.com/sites/pdn.pega.com/files/help_v722/procomhelpmain.htm#rule-/rule-access-/rule-access-csp/definition.htm
Did you try setting Policy name and mode on the Integration & Security tab of the Application rule form? The following is a screenshot from 7.1.7.
Murali...
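The two modes discussed in this thread (report only versus reject and report) differ only in which header is sent; the allow-list logic is the same. The following added example, which is not from the thread or from Pega's product code, shows a small evaluator for a constructed policy: the directive names are standard CSP, but the hosts, the page origin and the sample resource loads are assumptions made up for illustration.

```python
from urllib.parse import urlparse

# Constructed allow-list policy in the spirit of a custom (non-AllowAll) rule.
# Directives are standard CSP; the hosts are assumptions for this example.
EXAMPLE_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "img-src": ["'self'", "https:", "*.example.org"],
}

# Constructed resource loads a page might make, as (directive, url) pairs.
SAMPLE_LOADS = [
    ("script-src", "https://app.example.com/prweb/js/main.js"),
    ("script-src", "https://evil.example.net/track.js"),
    ("img-src", "https://images.example.org/logo.png"),
    ("connect-src", "https://api.example.net/data"),   # falls back to default-src
]

def header_for_mode(policy, report_only):
    """Serialise the policy into the header the app (or a web server / load
    balancer in front of it) should emit. Report-only mode only changes the
    header name: browsers report violations but still load the resource."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())
    return name, value

def _source_matches(source, url, self_origin):
    """Simplified CSP source matching: 'self', scheme-source ("https:"),
    exact host and "*.host" wildcard. Port defaults and https upgrades are ignored."""
    res, me = urlparse(url), urlparse(self_origin)
    if source == "'self'":
        return (res.scheme, res.netloc) == (me.scheme, me.netloc)
    if source.endswith(":"):                       # scheme-source, e.g. "https:"
        return res.scheme == source[:-1]
    # A host-source without a scheme takes the protected page's scheme.
    src = urlparse(source if "://" in source else f"{me.scheme}://{source}")
    if src.netloc.startswith("*."):                # wildcard matches subdomains only
        return res.scheme == src.scheme and res.hostname.endswith(src.netloc[1:])
    return (res.scheme, res.netloc) == (src.scheme, src.netloc)

def evaluate(policy, loads, self_origin, report_only):
    """Classify each load as allowed, reported (report-only) or blocked (enforcing).
    Directives missing from the policy fall back to default-src, as in CSP."""
    results = {}
    for directive, url in loads:
        sources = policy.get(directive) or policy.get("default-src", [])
        if any(_source_matches(s, url, self_origin) for s in sources):
            results[url] = "allowed"
        else:
            results[url] = "reported" if report_only else "blocked"
    return results
```

Running the same loads first with `report_only=True` and then with `report_only=False` shows why the thread recommends starting in report-only mode: the violations are identical, but nothing breaks while the policy is being tuned.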