Common Security vulnerabilities for Pega will be found during Security scan:
For any application Security scanning will takes place. And most of the security warnings will have below two error messages which are usually considered as low:
1)Error Message:
Session Cookie Does Not Contain the "Secure" Attribute
In session cookies "secure" word, is not there, then using normal javascript and http injection can be done to hack the session cookies, so its recommendable to add this attribute.
Resolution:
Perform the following local-change:
Add the below Dynamic System Settings(DSS) in Pega PRPC, so it will be applicable for all the servers/nodes which pega is connected.
prconfig/HTTP/SetSecureCookie/default
value = "true"
Owning ruleset - Pega-Engine
Else if this need to be apply only to particular node, then in the config file we can mention it.
<env name="HTTP/SetSecureCookie" value="true" />
=======================
2)Error Message:
Cookie Does Not Contain The "HTTPOnly" Attribute
In session cookies "HTTPOnly" word, is not there, then using normal javascript and http injection can be done to hack the session cookies, so its recommendable to add this attribute.
Resolution:
Perform the following local-change:
Add the below Dynamic System Settings(DSS) in Pega PRPC, so it will be applicable for all the servers/nodes which pega is connected.
DSS: purpose - prconfig/cookie/HttpOnly/default(default can vary based on node classification)
Ruleset - Pega-Engine
Value - true
Restart the server after this DSS is set to take the changes affect
Else if this need to be apply only to particular node, then in the config file we can mention it.
<env name="HTTP/SetSecureCookie" value="true" />
=======================
Note: Please let me know, similar to this if any common issues will be found, we can add it in the post, so that it will be help for all of us to know.
For any application Security scanning will takes place. And most of the security warnings will have below two error messages which are usually considered as low:
1)Error Message:
Session Cookie Does Not Contain the "Secure" Attribute
In session cookies "secure" word, is not there, then using normal javascript and http injection can be done to hack the session cookies, so its recommendable to add this attribute.
Resolution:
Perform the following local-change:
Add the below Dynamic System Settings(DSS) in Pega PRPC, so it will be applicable for all the servers/nodes which pega is connected.
prconfig/HTTP/SetSecureCookie/default
value = "true"
Owning ruleset - Pega-Engine
Else if this need to be apply only to particular node, then in the config file we can mention it.
<env name="HTTP/SetSecureCookie" value="true" />
=======================
2)Error Message:
Cookie Does Not Contain The "HTTPOnly" Attribute
In session cookies "HTTPOnly" word, is not there, then using normal javascript and http injection can be done to hack the session cookies, so its recommendable to add this attribute.
Resolution:
Perform the following local-change:
Add the below Dynamic System Settings(DSS) in Pega PRPC, so it will be applicable for all the servers/nodes which pega is connected.
DSS: purpose - prconfig/cookie/HttpOnly/default(default can vary based on node classification)
Ruleset - Pega-Engine
Value - true
Restart the server after this DSS is set to take the changes affect
Else if this need to be apply only to particular node, then in the config file we can mention it.
<env name="HTTP/SetSecureCookie" value="true" />
=======================
Note: Please let me know, similar to this if any common issues will be found, we can add it in the post, so that it will be help for all of us to know.