Posted: 13 Jan 2020 13:09 EST Last activity: 14 Jan 2020 2:55 EST
Pega Websocket Security Configuration
Hi Pega Community!
I have done some searching without much luck on this topic: How to secure the websocket traffic that is being used by OOTB PRPushServlet (Platform v8.2.2) - this websocket connection is used in conjunction with the Notification Channels.
A security scan of our application with third-party tools alerted us to a Cross-Site WebSocket Hijacking vector.
It seems the most basic WebSocket security steps are not taken by the platform by default (like white-listing the origin(s) of WebSocket connection requests coming into the server). This can be simply tested here: http://websocket.org/echo.html - URL = ws(s)://<host>:<port>/<root>/PRPushServlet - it connects with no problem.
Is it possible to implement this origin check and any further Websocket security considerations?
***Moderator Edit-Vidyaranjan: Updated SR details***
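The origin check the post asks about, as an added illustration that is not Pega code and not from this thread: a handshake validator that accepts a WebSocket upgrade only when the browser-supplied Origin header exactly matches an allow-list entry (scheme, host and port, with default ports made explicit). The allow-list entries, header names and the place it would be hooked in (a servlet filter or reverse proxy in front of the push endpoint) are assumptions; nothing here is a documented Pega API.

```python
"""Origin allow-list check for WebSocket handshakes (added example, not Pega code)."""
from urllib.parse import urlsplit

# Constructed allow-list: the only web origins permitted to open a WebSocket.
ALLOWED_ORIGINS = ("https://app.example.com", "https://portal.example.com:8443")

# Default ports per scheme, so "https://h" and "https://h:443" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Parse an Origin value into (scheme, host, port); None if malformed.

    A serialized browser origin is scheme://host[:port] and nothing else, so
    any path, query, fragment or userinfo is rejected rather than tolerated.
    "null" (opaque origin) has no scheme and is rejected for the same reason.
    """
    try:
        parts = urlsplit(origin.strip())
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        if parts.path or parts.query or parts.fragment or parts.username:
            return None
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric or out-of-range port, bad IPv6 literal
        return None
    return (scheme, parts.hostname.lower(), port)


_ALLOWED = frozenset(filter(None, map(normalize_origin, ALLOWED_ORIGINS)))


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def is_websocket_handshake(headers):
    """True when the request asks to upgrade to the WebSocket protocol."""
    upgrade = _header(headers, "Upgrade") or ""
    connection = _header(headers, "Connection") or ""
    return upgrade.lower() == "websocket" and "upgrade" in connection.lower()


def check_origin(headers, allow_missing_origin=False):
    """Decide whether a WebSocket handshake may proceed.

    Returns (accepted, reason) so the caller can log rejections. Only an exact
    scheme+host+port match is accepted; substring or prefix matching would let
    "https://app.example.com.attacker.net" through.
    """
    if not is_websocket_handshake(headers):
        return False, "not a websocket handshake"
    origin = _header(headers, "Origin")
    if origin is None:
        # Browsers always send Origin on WebSocket handshakes, so a missing
        # header means a non-browser client. Allowing that is a policy choice:
        # the origin check only addresses cross-site hijacking from browsers,
        # and the socket still needs its own authentication either way.
        return allow_missing_origin, "missing origin"
    key = normalize_origin(origin)
    if key is None:
        return False, "malformed origin"
    if key in _ALLOWED:
        return True, "origin allowed"
    return False, "origin not in allow-list"


if __name__ == "__main__":
    # Constructed handshake headers as a browser would send them.
    base = {"Upgrade": "websocket", "Connection": "Upgrade",
            "Sec-WebSocket-Version": "13"}
    for origin in ["https://app.example.com", "https://app.example.com:443",
                   "http://app.example.com", "https://app.example.com.attacker.net",
                   "null", None]:
        req = dict(base)
        if origin is not None:
            req["Origin"] = origin
        print(f"{origin!r:45} -> {check_origin(req)}")
```

A rejected handshake should be answered with a plain 403 before the upgrade completes, and the rejection logged with the offending Origin, since a burst of those lines from real user sessions is exactly what a scanner or an attempted hijack looks like.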