I am posting on behalf of my client who has the following two issues/concerns:
#1: Pega Mash-up is rendered in the client / OLB through an iFrame by design. We have been told by external application owners that iframes are not a standard and that they are blocking them today because of security risks.
Are there alternate solutions for Pega Mash-up here? They do not want to go with a service-based approach, as it would duplicate effort.
#2: When the iframe / HTML is rendered in the client's browser, it contains the URL of the Pega application / Gateway. We have heard from the team that anyone can take these URLs and access them in another tab, or even create their own application where they can break the security and capture critical details. How does Pega handle this so that we are not impacted by clickjacking?
1. It is not easily possible to block iframes in browsers. The security is something that the web page author implements.
2. Multiple concerns have been raised here:
a. One can get the URL of the Pega server irrespective of whether iframes are used or not. The browser makes these requests after all.
It is the responsibility of the sysadmin of the Pega app to lock down access. This is true whether you use web mashup or not. For example, a frequent mistake that developers make is not changing the default password for the admin login.
b. To prevent clickjacking, you have the ability to configure CSP directives like X-Frame-Options and frame-ancestors.
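As an added illustration of point 2b (this is example code, not part of the original answer and not Pega's own implementation), the snippet below shows how the two anti-clickjacking headers express "only these parents may frame this application", and how a browser evaluates them against the chain of framing pages. The origins (the bank's online-banking site, the Pega server, an attacker page) are constructed placeholders. One practical caveat it encodes: X-Frame-Options can only say DENY or SAMEORIGIN (its ALLOW-FROM value is obsolete), so allow-listing a specific third-party OLB origin requires the CSP frame-ancestors directive, with X-Frame-Options kept only as a fallback.

```javascript
// Added example (not from the original post or Pega): building anti-clickjacking
// headers and evaluating them the way a browser does. All origins are
// constructed placeholders for illustration.
const TRUSTED_FRAMING_ORIGINS = ["https://olb.example-bank.com"]; // assumption: the client's OLB
const PEGA_ORIGIN = "https://pega.example-bank.com";              // assumption: the mashed-up app

// Build both headers. X-Frame-Options only knows DENY / SAMEORIGIN (ALLOW-FROM is
// obsolete and ignored by current browsers), so a specific third-party parent can
// only be allow-listed through CSP frame-ancestors.
function buildAntiClickjackHeaders(allowedOrigins) {
  const sources = ["'self'", ...allowedOrigins].join(" ");
  return {
    "Content-Security-Policy": `frame-ancestors ${sources}`,
    // Fallback for clients without CSP Level 2 support: refuse cross-origin framing.
    "X-Frame-Options": "SAMEORIGIN",
  };
}

// Extract the frame-ancestors source list from a CSP header value, or null if absent.
function parseFrameAncestors(cspValue) {
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] === "frame-ancestors") return tokens.slice(1);
  }
  return null; // directive absent: CSP imposes no framing restriction
}

// Match one source expression ('none', 'self', exact origin, or scheme://*.host)
// against the origin of an ancestor frame.
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return ancestorOrigin === selfOrigin;
  if (source.includes("://*.")) {
    const [scheme, hostSuffix] = source.split("://*.");
    const ancestor = new URL(ancestorOrigin);
    return ancestor.protocol === scheme + ":" && ancestor.hostname.endsWith("." + hostSuffix);
  }
  return source === ancestorOrigin;
}

// Decide whether the response may be rendered inside the given chain of ancestor
// origins (immediate parent first, top-level document last). frame-ancestors is
// checked against EVERY ancestor, so a trusted OLB page that is itself framed by
// an attacker page is still blocked. When frame-ancestors is present it takes
// precedence over X-Frame-Options.
function framingAllowed(headers, selfOrigin, ancestorChain) {
  const sources = parseFrameAncestors(headers["Content-Security-Policy"] || "");
  if (sources !== null) {
    return ancestorChain.every((ancestor) =>
      sources.some((src) => sourceMatches(src, ancestor, selfOrigin)));
  }
  const xfo = (headers["X-Frame-Options"] || "").toUpperCase();
  if (xfo === "DENY") return ancestorChain.length === 0;
  if (xfo === "SAMEORIGIN") return ancestorChain.every((a) => a === selfOrigin);
  return true; // neither header set: any page on the web may frame the app
}

// Demo: the Pega app framed by the bank's OLB, and by an attacker's page.
const headers = buildAntiClickjackHeaders(TRUSTED_FRAMING_ORIGINS);
console.log(headers);
console.log(framingAllowed(headers, PEGA_ORIGIN, ["https://olb.example-bank.com"])); // true
console.log(framingAllowed(headers, PEGA_ORIGIN, ["https://evil.example"]));         // false
```

Run it with `node` to see the headers and the two decisions. The function `framingAllowed` models browser behaviour so the policy can be unit-tested; the headers themselves must be emitted by the server or gateway fronting the Pega application, which is the configuration the answer above refers to.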