When Rule pyBlockUnregisteredRequests

As part of a recent security advisory, we were told that, after either Pega 8.8.2 or Pega 8.9, we should ensure that the When rule pyBlockUnregisteredRequests is set to always true in our applications.

This turns on protections that ensure unregistered User Interface components cannot make a Section or Harness Refresh request from the browser.

However, we know there are compatibility issues with some Pega applications such as Customer Services (CSFS in our case).

Does anyone know the scope of 8.8.2 or Infinity 23 and can tell us if the base platform and Pega applications will align so that we can enable the protection?

@RICHARDA2870 I just want to check what information you are after. Are you referring to the known workaround documented here?

Verifying requests at the application layer

As far as I can tell, BUG-645041 is already resolved in 8.8.

New feature introduced after upgrade: pyBlockUnregisteredRequests is enabled in development to detect and respond to any problems with unauthorized or unregistered requests. When an access violation is found, the server responds with HTTP status 403, and the user sees a browser error saying the request is forbidden. Security alert SECU0019 appears in the security alert log.

See the following forum post: Pega Application deployment from 8.5.2 Version to 8.5.6/8.7v

Refer to the following document to understand how it works and fix the configuration tab:

Are you asking whether Pega 8.8.1 will be compatible with PCSFS?

Does the existing documentation shed any light on the supported platform?

Pega Customer Service Release Notes

Get started with Pega Customer Service for Financial Services

I would be surprised if a Framework would fall out of support if you follow the recommended upgrade path as per

Pega Customer Service Installation and Update Information

Pega Platform version support for Pega-supplied applications