Question

Pega Web Mashup security concerns

I am posting on behalf of my client who has the following two issues/concerns:


  • #1: Pega Mash-up is rendered in the client / OLB through an iframe by design. We have been told by external application owners that iframe is not a standard and that they are blocking it today because of security risks.

    • Are there alternate solutions for Pega Mash-up here? They do not want to go with a service-based approach as it has duplicate effort.

  • #2: When the iframe / HTML is rendered in the client's browser, it has the URL of the Pega application / gateway. We heard from the team that anyone can take these URLs and access them in another tab, or even create their own application where they can break the security and capture critical details. How does Pega handle this so we are not impacted by clickjacking?


**Moderation Team has archived post**

This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.

Correct Answer
December 23, 2016 - 12:24am

Hello,

Let me address your concerns -

1. Iframe is still a standard in the latest specs and has not been deprecated at all. Please refer to the latest living standard.

https://html.spec.whatwg.org/#the-iframe-element

It is not easily possible to block iframes in browsers. The security is something that the web page author implements.

2. Multiple concerns have been raised here -

a. One can get the url of pega server irrespective of iframes or not. The browser makes these requests after all.

It is the responsibility of the sysadmin of the Pega app to lock down access. This is true whether you use Web Mashup or not. For example, a frequent mistake that developers make is not changing the default password for the admin login.

b. To prevent clickjacking, you have the ability to configure CSP directives like X-Frame-Options and frame-ancestors.

https://oxdef.info/csp-frame-ancestors/

All in all, HTML5 provides a lot of controls that can be leveraged to build a secure application. 
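The answer above names the two controls but does not show them in use. The following is an added example (not code from the post, and not Pega's own configuration) of how a gateway in front of the mashup would emit `Content-Security-Policy: frame-ancestors` and `X-Frame-Options`, together with a small simulation of the decision a browser makes when a page at some origin tries to put the response in an iframe. The portal origin `https://portal.example-bank.com` and the mashup origin `https://pega.example-bank.com` are assumptions for illustration. Note what the headers do and do not cover: they decide who may *frame* the page, which is the clickjacking question; they do nothing about someone pasting the URL into a new tab, which is the access-control question the answer hands to the sysadmin.

```javascript
"use strict";

// Assumption (not from the post): the only site allowed to embed the mashup
// is the bank's own portal. Anything else, including an attacker's page,
// must be refused by the browser.
const ALLOWED_FRAMERS = ["https://portal.example-bank.com"];
const MASHUP_ORIGIN = "https://pega.example-bank.com";

// Build the response headers that tell the browser who may frame this page.
//  - Content-Security-Policy: frame-ancestors is the current standard and
//    takes a list of origins, or 'self' / 'none'.
//  - X-Frame-Options is the older header; browsers still honour it, but it can
//    only say DENY or SAMEORIGIN (ALLOW-FROM was dropped), so it is emitted
//    only when the policy fits one of those and CSP carries the rest.
function antiClickjackHeaders(allowed) {
  const value = allowed.length === 0 ? "'none'" : allowed.join(" ");
  const headers = { "Content-Security-Policy": `frame-ancestors ${value}` };
  if (allowed.length === 0) {
    headers["X-Frame-Options"] = "DENY";
  } else if (allowed.length === 1 && allowed[0] === "'self'") {
    headers["X-Frame-Options"] = "SAMEORIGIN";
  }
  return headers;
}

// Split "scheme://host[:port]" into its parts; default ports for http/https.
function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?$/i.exec(origin);
  if (!m) throw new Error(`not an origin: ${origin}`);
  const scheme = m[1].toLowerCase();
  const port = m[3] || (scheme === "https" ? "443" : scheme === "http" ? "80" : "");
  return { scheme, host: m[2].toLowerCase(), port };
}

// Does one frame-ancestors source match the embedding page's origin?
// Handles 'self', exact origins, and a leading "*." host wildcard.
function sourceMatches(source, embedderOrigin, selfOrigin) {
  if (source === "'self'") return embedderOrigin === selfOrigin;
  const want = parseOrigin(source);
  const have = parseOrigin(embedderOrigin);
  if (want.scheme !== have.scheme || want.port !== have.port) return false;
  if (want.host.startsWith("*.")) {
    const suffix = want.host.slice(1); // ".example-bank.com"
    return have.host.endsWith(suffix) && have.host.length > suffix.length;
  }
  return want.host === have.host;
}

// Simulate the browser: may a page at embedderOrigin iframe this response,
// which was served from selfOrigin with these headers? A browser that
// understands frame-ancestors uses it and ignores X-Frame-Options; the
// older header is the fallback when no frame-ancestors directive is present.
function framingAllowed(headers, selfOrigin, embedderOrigin) {
  const csp = headers["Content-Security-Policy"] || "";
  const directive = csp.split(";").map((s) => s.trim())
    .find((s) => s.startsWith("frame-ancestors"));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    if (sources.includes("'none'")) return false;
    return sources.some((s) => sourceMatches(s, embedderOrigin, selfOrigin));
  }
  const xfo = (headers["X-Frame-Options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === selfOrigin;
  return true; // no framing policy at all: any site can embed (the clickjacking risk)
}

// Minimal gateway handler that attaches the policy to every mashup response.
function handler(req, res) {
  res.writeHead(200, {
    "Content-Type": "text/html; charset=utf-8",
    ...antiClickjackHeaders(ALLOWED_FRAMERS),
  });
  res.end("<!doctype html><p>Mashup gadget content</p>");
}

// Only start listening when run directly: `node gateway.js`, then inspect
// the headers with `curl -sI http://localhost:8080/`.
if (typeof require !== "undefined" && require.main === module) {
  require("http").createServer(handler).listen(8080, () => {
    console.log("mashup gateway listening on :8080");
  });
}

if (typeof module !== "undefined") {
  module.exports = { antiClickjackHeaders, framingAllowed, ALLOWED_FRAMERS, MASHUP_ORIGIN };
}
```

The design point: set the policy on the mashup's own responses, not on the portal, because the browser enforces frame-ancestors on the *framed* document. Prefer listing the portal origin explicitly over `'self'`, since the mashup and the portal are typically different origins and `SAMEORIGIN` would block the legitimate embedding too.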

