Question
robs1550 Member since 2017 1 post
Delta Dental Insurance Company
Posted: 8 months ago
Last activity: 8 months ago

Pega Websocket Security Configuration

Hi Pega Community!

I have done some searching without much luck on this topic: how to secure the websocket traffic that is used by the OOTB PRPushServlet (Platform v8.2.2). This websocket connection is used in conjunction with the Notification Channels.

A security scan of our application with 3rd party tools alerted us to a Cross Site Websocket Hijacking vector.

It seems the most basic websocket security steps are not taken by the platform by default (like white-listing the origin(s) of websocket connection requests coming into the server). This can be simply tested here: http://websocket.org/echo.html (URL = ws(s)://<host>:<port>/<root>/PRPushServlet); it connects with no problem.

Is it possible to implement this origin check and any further Websocket security considerations?

Thanks!

***Moderator Edit-Vidyaranjan: Updated SR details***

Security System Administration SR Created
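The Origin allowlist check the question asks for, as an added example that is not part of the original post and not Pega's own code (PRPushServlet is a Java servlet; this is a standalone Python stand-in so the check can be run and probed offline). It completes the RFC 6455 handshake only when the browser-supplied Origin header is on an explicit allowlist, and includes a probe that reproduces the cross-origin connection test the poster ran against the echo page. The allowlisted origins, the /prweb/PRPushServlet path, and the function names are assumptions.

```python
"""Origin allowlist for a WebSocket upgrade endpoint (added example, not Pega code).

Cross-Site WebSocket Hijacking works because the handshake is a plain GET that the
browser sends with the victim's cookies and the Same-Origin Policy does not block
it. The only browser-enforced signal about who opened the socket is the Origin
header, so the upgrade must be refused unless Origin matches an allowlist.
"""
import base64
import hashlib
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455

# Assumption: origins that legitimately host the Pega UI. Exact scheme://host[:port]
# strings, never patterns, never "*", and never the value reflected from the request.
ALLOWED_ORIGINS = {"https://app.example.com", "https://portal.example.com"}


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact match of Origin against the allowlist.

    Rejects a missing header, the literal "null" origin (sandboxed frames, data:
    URLs), anything carrying a path/query, and look-alike hosts such as
    app.example.com.evil.net. Scheme and host are case-folded, nothing else.
    """
    if not origin:
        return False
    p = urlsplit(origin)
    if p.scheme not in ("http", "https") or not p.netloc or p.path or p.query or p.fragment:
        return False
    return f"{p.scheme}://{p.netloc.lower()}" in allowed


def accept_key(client_key):
    """Sec-WebSocket-Accept for a client's Sec-WebSocket-Key (RFC 6455 section 4.2.2)."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


class PushHandler(BaseHTTPRequestHandler):
    """Stand-in for a push endpoint; only the handshake is implemented."""

    def do_GET(self):
        h = self.headers
        if h.get("Upgrade", "").lower() != "websocket" or not h.get("Sec-WebSocket-Key"):
            self.send_error(400, "Expected a WebSocket upgrade")
            return
        # The security check: decide before the connection is upgraded.
        if not origin_allowed(h.get("Origin")):
            self.send_error(403, "Origin not allowed")
            return
        self.send_response(101, "Switching Protocols")
        self.send_header("Upgrade", "websocket")
        self.send_header("Connection", "Upgrade")
        self.send_header("Sec-WebSocket-Accept", accept_key(h["Sec-WebSocket-Key"]))
        self.end_headers()
        # A real server would now speak WebSocket frames on self.connection.

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Bind the handler on an ephemeral loopback port and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), PushHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, origin, path="/prweb/PRPushServlet"):
    """Send a raw handshake with the given Origin (None = header absent) and return
    the HTTP status code: the echo-page test from the question, done from a script."""
    req = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: 127.0.0.1:{port}\r\n"
        "Upgrade: websocket\r\nConnection: Upgrade\r\n"
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n"
    )
    if origin is not None:
        req += f"Origin: {origin}\r\n"
    req += "\r\n"
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(req.encode("ascii"))
        status_line = b""
        while not status_line.endswith(b"\r\n"):
            chunk = s.recv(1)
            if not chunk:
                break
            status_line += chunk
    return int(status_line.split()[1])


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    for origin in ("https://app.example.com", "https://attacker.example.net", "null", None):
        print(f"Origin {origin!r}: HTTP {probe(port, origin)}")
    srv.shutdown()
```

An Origin check only constrains browsers: a non-browser client can forge the header, but it does not hold the victim's session cookie, which is what makes the hijack interesting. Pair the check with SameSite cookies or a per-session token carried in the handshake URL, reject the "null" origin and a missing header rather than treating them as same-origin, and never echo the request's Origin back as the allowed value.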