Pega Web Mashup security concerns
I am posting on behalf of my client who has the following two issues/concerns:
#1: Pega Mash-up is rendered in the client / OLB through an iFrame by design. We have been told by external application owners that iFrame is not a standard and that they are blocking it today because of security risks.
Are there alternate solutions for Pega Mash-up here? They do not want to go with a service-based approach as it has duplicate effort.
#2: The iframe / HTML, when rendered in the client's browser, has the URL of the Pega application / gateway. We got from the team that anyone can take out these URLs and access them in another tab, or even create their own application where they can break the security and capture critical details. How does Pega handle this so we are not impacted by clickjacking?
**Moderation Team has archived post**
This post has been archived for educational purposes. Contents and links will no longer be updated. If you have the same/similar question, please write a new post.
Let me address your concerns -
1. Iframes are still a standard in the latest specs and have not been deprecated at all. Please refer to the latest living standard.
It is not easily possible to block iframes in browsers. The security is something that the web page author implements.
2. Multiple concerns have been raised here -
a. One can get the URL of the Pega server irrespective of iframes or not. The browser makes these requests after all.
It is the responsibility of the sysadmin of the Pega app to lock down access. This is true whether you use Web Mashup or not. For example, a frequent mistake that developers make is not changing the default password for the admin login.
b. To prevent clickjacking, you have the ability to configure CSP directives like X-Frame-Options and frame-ancestors.
All in all, HTML5 provides a lot of controls that can be leveraged to build a secure application.
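The clickjacking control named in the answer, as an added example that is not from the post or from Pega: a small Python helper that builds the weak (unrestricted) header set beside a hardened one restricted to the hosting portal, and evaluates whether a given embedding origin would be allowed under the resulting frame-ancestors policy. The app and portal origins are constructed placeholders, and the matcher covers only the source forms used here ('none', 'self', host-source with optional scheme and a leading "*." wildcard).

```python
from urllib.parse import urlsplit

# Constructed placeholders, not real Pega or customer hosts.
APP_ORIGIN = "https://pega-gateway.example.test"      # where the mashup gadget is served from
PORTAL_ORIGIN = "https://portal.example.test"         # the one site allowed to frame it


def headers_for(allowed_ancestors):
    """Build anti-framing response headers from a frame-ancestors allow-list.

    An empty list models the weak default: no policy, so any site may frame the page.
    """
    if not allowed_ancestors:
        return {}
    headers = {"Content-Security-Policy": "frame-ancestors " + " ".join(allowed_ancestors)}
    # X-Frame-Options is the legacy fallback; it can only say DENY or SAMEORIGIN,
    # so a third-party allow-list (the mashup case) is governed by CSP alone.
    if allowed_ancestors == ["'none'"]:
        headers["X-Frame-Options"] = "DENY"
    elif allowed_ancestors == ["'self'"]:
        headers["X-Frame-Options"] = "SAMEORIGIN"
    return headers


def may_frame(headers, app_origin, embedder_origin):
    """Decide whether embedder_origin may frame a page served from app_origin."""
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        return True  # no policy at all: clickjacking is possible from any site
    sources = csp.split()[1:]  # assumes a single frame-ancestors directive
    if sources == ["'none'"]:
        return False
    app, emb = urlsplit(app_origin), urlsplit(embedder_origin)
    for src in sources:
        if src == "'self'":
            if (emb.scheme, emb.hostname, emb.port) == (app.scheme, app.hostname, app.port):
                return True
            continue
        if "://" in src:  # scheme given: scheme (and port, if any) must match too
            s = urlsplit(src)
            if s.scheme != emb.scheme or (s.port is not None and s.port != emb.port):
                continue
            host = s.hostname
        else:
            host = src.lower()
        if host.startswith("*."):
            if emb.hostname.endswith(host[1:]):  # any subdomain, not the bare domain
                return True
        elif host == emb.hostname:
            return True
    return False
```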