
Content security policies

Every application carries a risk of tampering and unwanted intruders. When an application is developed traditionally in SQL or another language, it inherits the vulnerabilities of that language, leaving the system open to attack. Tampering can occur in many ways and is often difficult to detect and predict. URL tampering or cross-site scripting can easily redirect users to malicious sites, so taking the proper steps to protect your application is essential.

Developing applications using best practices ensures that rules are written properly and secures the application against threats. To maximize the integrity and reliability of application security, features must be implemented at multiple levels.

Each technique for strengthening the security of an application has a cost. Most techniques have a one-time implementation cost, but some might have ongoing costs in processing or user inconvenience. You determine which actions are most applicable and beneficial to your application.

When initially installed, Pega Platform is intentionally configured with limited security. This is appropriate for experimentation, learning, and application development.

Content security policies (CSP) are a layer of security that protects your browser from loading and running content from untrusted sources. The policies help detect and mitigate certain types of attacks on your application through a browser, including cross-site scripting (XSS) and data injection attacks.

When a browser loads a page, it is instructed to include assets such as style sheets, fonts, and JavaScript files. The browser has no way of distinguishing between script that is part of your application and script that has been maliciously injected by a third party. As a result, the malicious content could be loaded into your application. CSPs help protect your application from such attacks.

Note: If a policy violation occurs, for example during an attack, the browser reports the violation to your application.

CSPs are a set of directives that define the approved sources of content that the user's browser may load. The directives are sent to the client in the Content-Security-Policy HTTP response header. Each browser type and version obeys as much of the policy as it can: if a browser does not understand a directive, that directive is ignored; otherwise, the policy is followed as written. Each directive governs a specific resource type that affects what is displayed in a browser. Special URL schemes that refer to specific pieces of unique content—such as data:, blob:, and filesystem:—are excluded from matching any URL-based source in a policy and must be explicitly listed.
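To show how a browser applies these directives, the evaluator below is an added example written for this page (it is not Pega Platform code): it parses a constructed Content-Security-Policy header value and checks individual loads against it, including the fallback to default-src and the rule that data:, blob: and filesystem: must be listed explicitly. The header value, the page origin and the simplified host matching are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample header; not the policy Pega Platform ships with.
SAMPLE_HEADER = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                 "img-src 'self' data:; report-uri /csp-report")
PAGE_ORIGIN = "https://app.example"  # constructed origin of the page sending the header
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src", "connect-src"}
SPECIAL_SCHEMES = {"data:", "blob:", "filesystem:"}

def parse_policy(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts:  # a repeated directive is ignored: the first occurrence wins
            policy.setdefault(parts[0].lower(), [s.lower() for s in parts[1:]])
    return policy

def source_matches(source, url, page_origin):
    """Does one source expression permit this URL? (simplified host matching)"""
    scheme = url.split(":", 1)[0].lower() + ":"
    if scheme in SPECIAL_SCHEMES:
        # data:, blob: and filesystem: never match a host or '*'; they must be listed.
        return source == scheme
    parsed = urlparse(url)
    origin = f"{parsed.scheme}://{parsed.netloc}".lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return origin == page_origin
    if source == "*":
        return True
    if source.startswith("*."):  # *.example.com also covers cdn.example.com
        return (parsed.hostname or "").endswith(source[1:])
    return origin == source

def is_allowed(policy, directive, url, page_origin):
    """Apply a directive, falling back to default-src when it is not set."""
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = policy.get("default-src")
    if sources is None:
        return True  # nothing governs this load, so the browser does not restrict it
    return any(source_matches(s, url, page_origin) for s in sources)

def check(directive, url):
    """Evaluate one load against the constructed SAMPLE_HEADER and PAGE_ORIGIN."""
    return is_allowed(parse_policy(SAMPLE_HEADER), directive, url, PAGE_ORIGIN)
```

Because style-src is absent from the sample header, a style sheet is judged by default-src, while a data: image passes only because img-src lists data: explicitly.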

CSPs are instances of the Rule-Access-CSP class in the Security category.

To access the content security policies in an application, you can:

  • Specify the content security policy on the Integration & Security tab of the application rule form
  • Use the Application Explorer to list the content security policies in your application
  • Use the Records Explorer to list all the content security policies that are available to you

For details on how to set content security policies, see the help topic Policy definition tab on the content security policies form.

