Skip to main content


Verify requests at the application layer

Suggest edit Updated on June 30, 2021

Pega Platform protects access to information in your application by using role-based settings and access control policies. Pega Platform provides additional request verification when you use autogenerated controls.

As a security best practice, and to conform to platform guardrails, use autogenerated controls. You can manually configure custom (non-autogenerated) controls for increased security.

Verifying requests when using custom controls describes how to manually configure non-autogenerated controls for increased security.

You can block unauthorized requests by using three when rules, which are defined on @baseclass. The following list describes the when rules that are used to enable the application protection feature.

Note: When pzSecureFeatures is false, no access checking is performed and the other two when rules are ignored.


When rule name:pzSecureFeatures

  • Description: Turns application level checking on or off
  • Default value:True when
    • the portal is not Dev Studio, App Studio, Admin Studio, or Prediction Studio.


    • the client is not mobile or hybrid.
    In other words, the access control check is not done when the client is using Dev Studio, App Studio, Admin Studio, or Prediction Studio and the client is mobile or hybrid. The check is done everywhere else.
  • Behavior when true: Application level checking is on. When an access violation is found, a security alert is logged that says "Unregistered request encountered"; default behavior.
  • Behavior when false: Application level checking is off.


When rule name:pyShowSecureFeatureWarnings

  • Description: Controls display of a warning to the end user
  • Default value:False
  • Behavior when true: When an access violation is found and pyBlockUnregisteredRequests is false, a Pega warning is displayed to the user saying "URL tampering vulnerability detected."
  • Behavior when false: The access control warning is not displayed to the user; default behavior.


When rule name:pyBlockUnregisteredRequests

  • Description: Controls the HTTP response
  • Default value:pxProcess.pzProductionLevel ≥ 4Note: The default value is False when the production level is < 4. When production level is changed to 4, the value changes to True.
  • Behavior when pxProcess.pzProductionLevel ≥ 4: When an access violation is found, the server responds with HTTP status 403, and the user sees a browser error saying the request is forbidden.
  • Behavior when pxProcess.pzProductionLevel < 4: The request is processed normally; default behavior.
Tip: As described above, the default behavior of pyBlockUnregisteredRequests is to process unregistered requests, without issuing an HTTP error. This default allows your application to behave as expected while you work on configuring your custom controls as described in Verifying requests when using custom controls. Once you have ensured that all of your custom controls have been configured, override pyBlockUnregisteredRequests so that it returns true and blocks unregistered requests.
Did you find this content helpful? YesNo

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Ready to crush complexity?

Experience the benefits of Pega Community when you log in.

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us