After installing Pega as described, we notice some out of the box service packages are not secure enough in our opinion.
Looking at the service package DownloadWebJS for example, it is missing the "requires authentication" flag. Is there a reason to leave "requires authentication" unchecked?
On the 7.3.1 environment, there is no authentication required for certain Service Packages, which is not correct and not in line with our security policies. So the question is: how to set/manage "Authentication Required" for Pega OOTB service packages such that it must not be overwritten when you install a new version of an Application?
Need clarification and guidance on how to manage/improve Pega OOTB service packages which are without any "requires authentication" flag.
Some of the service packages genuinely don't require authentication in Pega. WebSSO service package is one such example, which provides a REST service that is used to consume the SAML response coming from the IDP. When the REST service is hit to get authenticated by Pega, it's in unauthenticated status.
DownloadWebJS is used to download PegaInternetApplicationComposer.js and PegaIntenetApplicationComposerLog.js from the IAC gateway console.
Not sure if this is intentionally kept to be accessed without authentication.
Thanks for the responses! I wish someone from Pegasystems would validate the requested concerns and share Pega's decision and approach on how to achieve security hardening. What would be the impact on inter-Pega service calls if we start applying an extra security layer on top of Pega OOTB services with authentication requirements?