As a best practice, configure the application server in your test environment to mirror a production environment configuration.
Use the following guidelines to minimize security vulnerabilities that can happen on the server side in your application:
- Prevent the application server from serving files to unauthorized users.
- Disable application server directory traversals. For example, eliminate the ability to insert “../” or “..\” into directory paths.
- Disable directory listings on the application server.
- Verify that no extraneous ports are open on the application server or on the firewall that protects the application server.
- Disable HTTP methods that your application does not use, including HEAD, TRACE, and TRACK. By default, Pega Platform uses POST and GET.
- Remove the web server banner from the Server field in the HTTP response header so that you do not share the type and version of your application server with users.
- Disable sample applications, their supporting files, and permissions when they are no longer used. This action prevents users who know the sample application credentials from logging in to your system.
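An offline check for several of the points above (banner in the Server header, unused HTTP methods advertised in Allow, auto-generated directory listings, and the server-side refusal of “../” or “..\” path segments), written as an added example rather than code from Pega Platform or its documentation. The sample responses, the server name, and the listing-title markers are constructed assumptions.

```python
from urllib.parse import unquote
from posixpath import join as pjoin

# Methods the guideline names as unused by the application (POST and GET are needed).
UNUSED_METHODS = {"HEAD", "TRACE", "TRACK"}
# Title text that common web/servlet servers emit for an auto-generated listing (assumption).
LISTING_MARKERS = ("Index of", "Directory Listing For")

# Constructed sample responses to an OPTIONS request, before and after hardening.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: ExampleAppServer/9.0\r\n"
          "Allow: GET, HEAD, POST, TRACE, OPTIONS\r\nContent-Length: 0\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nAllow: GET, POST, OPTIONS\r\nContent-Length: 0\r\n\r\n"
LISTING = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           "<html><head><title>Index of /static</title></head></html>")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    headers = {}
    for line in header_text.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body


def audit_response(raw):
    """Return the guideline violations visible in one captured response."""
    status, headers, body = parse_response(raw)
    findings = []
    if "server" in headers:  # banner discloses server type and version
        findings.append("server banner disclosed: " + headers["server"])
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    findings += ["unused HTTP method enabled: " + m for m in sorted(allowed & UNUSED_METHODS)]
    if status == 200 and any(marker in body for marker in LISTING_MARKERS):
        findings.append("directory listing enabled")
    return findings


def resolve_under_webroot(webroot, url_path):
    """Map a request path under the webroot, or return None when any segment is '..'."""
    decoded = unquote(url_path).replace("\\", "/")  # '..\' and %2e%2e%5c forms become '../'
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None  # refuse the request instead of normalising the path
    return pjoin(webroot, *segments)
```

`unquote` is applied once; if a proxy in front of the application server decodes the path a second time, decode until the value stops changing before checking it.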