robs1550 (Delta Dental Insurance Company), member since 2017, 1 post
Posted: January 13, 2020
Last activity: January 14, 2020

Pega Websocket Security Configuration

Hi Pega Community!

I have done some searching without much luck on this topic: How to secure the websocket traffic that is being used by OOTB PRPushServlet (Platform v8.2.2) - this websocket connection is used in conjunction with the Notification Channels.

A security scan of our application with 3rd party tools alerted us to a Cross Site Websocket Hijacking vector.

It seems the most basic Websocket security steps are not taken by the platform by default (like white-listing the origin(s) of websocket connection requests coming into the server). This can be simply tested here: http://websocket.org/echo.html - URL = ws(s)://<host>:<port>/<root>/PRPushServlet - it connects with no problem.

Is it possible to implement this origin check and any further Websocket security considerations?

Thanks!

***Moderator Edit-Vidyaranjan: Updated SR details***
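The origin check the question asks about, written as an added example (not Pega's code and not something the platform ships): a fail-closed allowlist applied to the WebSocket handshake headers, which in a real deployment would sit in a reverse proxy or servlet filter in front of PRPushServlet. The allowlist entries are assumed placeholder origins; the normalization step is what stops look-alike hosts, scheme downgrades and "null" origins from passing.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the browser origins that legitimately load the Pega UI.
# These are placeholder values, not the questioner's real hosts.
ALLOWED_ORIGINS = {
    "https://pega.example.com",
    "https://pega.example.com:8443",
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Canonicalise an Origin header to 'scheme://host:port'.

    Returns None for anything malformed, for the literal 'null' origin,
    or for values carrying a path, query, fragment or userinfo, so that
    only a clean scheme+host+port triple can ever match the allowlist.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return f"{parts.scheme}://{parts.hostname}:{port}"  # hostname is lower-cased


ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def is_websocket_upgrade(headers):
    """True when the request is an RFC 6455 handshake (Upgrade + Connection tokens)."""
    h = {k.lower(): v for k, v in headers.items()}
    connection_tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    return h.get("upgrade", "").lower() == "websocket" and "upgrade" in connection_tokens


def handshake_allowed(headers):
    """Decide whether a handshake may reach the servlet.

    Plain HTTP requests are outside this check's scope and pass through.
    An upgrade with a missing, malformed or unlisted Origin is rejected:
    browsers always send Origin, so its absence is treated as untrusted.
    """
    if not is_websocket_upgrade(headers):
        return True
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None:
        return False
    return normalize_origin(origin) in ALLOWED
```

With this in place, the echo-page test from the question fails at the handshake because its origin is not on the list, while the application's own pages connect as before.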

Security System Administration SR Created