Robert Stephens (robs1550)
Delta Dental Insurance Company
Posted: January 13, 2020
Last activity: January 14, 2020
Closed

Pega Websocket Security Configuration

Hi Pega Community!

I have done some searching without much luck on this topic: How to secure the websocket traffic that is being used by OOTB PRPushServlet (Platform v8.2.2) - this websocket connection is used in conjunction with the Notification Channels.

A security scan of our application with 3rd party tools alerted us to a Cross Site Websocket Hijacking vector.

It seems the most basic Websocket security steps are not taken by the platform by default (like white-listing the origin(s) of websocket connection requests coming into the server). This can be simply tested here: http://websocket.org/echo.html - URL = ws(s)://<host>:<port>/<root>/PRPushServlet - it connects with no problem.

Is it possible to implement this origin check and any further Websocket security considerations?

Thanks!

***Moderator Edit-Vidyaranjan: Updated SR details***

Security System Administration Support Case Created
Moderation Team has archived post.
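
One way to implement the origin allow-list the question asks about, added here as an example; it is not Pega's code or a Pega-documented setting. It is a generic servlet filter, and the class name, the `allowedOrigins` init-param, the `javax.servlet` API level, and the idea of mapping it to the `/PRPushServlet` URL in the deployment's `web.xml` are all assumptions, as is the container running filters on the handshake request.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: rejects WebSocket handshakes whose Origin is not allow-listed. */
public class WebSocketOriginFilter implements Filter {
    private Set<String> allowedOrigins;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Assumed init-param, comma separated, e.g. "https://app.example.com"
        String raw = cfg.getInitParameter("allowedOrigins");
        if (raw == null || raw.trim().isEmpty()) {
            // Fail closed: refuse to start without an explicit allow-list.
            throw new ServletException("allowedOrigins init-param is required");
        }
        allowedOrigins = Arrays.stream(raw.split(","))
                .map(o -> o.trim().toLowerCase(Locale.ROOT))
                .filter(o -> !o.isEmpty())
                .collect(Collectors.toSet());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String upgrade = http.getHeader("Upgrade");
        // Only the WebSocket handshake is checked; other requests pass through.
        if (upgrade != null && upgrade.trim().equalsIgnoreCase("websocket")) {
            String origin = http.getHeader("Origin");
            // Exact scheme://host[:port] match only, never prefix or substring
            // matching. A missing Origin or the literal "null" is rejected.
            if (origin == null
                    || !allowedOrigins.contains(origin.trim().toLowerCase(Locale.ROOT))) {
                ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_FORBIDDEN, "WebSocket origin not allowed");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The Origin header is only trustworthy when a browser sets it, so this check addresses cross-site hijacking from a victim's browser and nothing else. A non-browser client can send any Origin value, so the socket still needs to be tied to an authenticated session.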