Enabling and configuring Cross-Site Request Forgery settings

Configure cross-site request forgery (CSRF) settings to prevent users from unintentionally making changes because of a CSRF attack. You can require token validation for all activities and streams or only for specific ones, enable a referrer check, and maintain the list of referrer host names that the check accepts.

  1. In the header of Dev Studio, click Configure > System > Settings > Cross-Site Request Forgery.
  2. Optional: To prevent the browser from sending the PegaRULES cookie with requests that originate from another site, do the following steps:
    1. Select the Enable samesite cookie attribute checkbox.
    2. In the SameSite Options list, click Lax or Strict.
    For more information about the SameSite cookie attribute, refer to the documentation from owasp.org. Note that Lax still sends the cookie on top-level navigations such as a link click, so the SameSite attribute is a defense-in-depth measure alongside the token check, not a replacement for it.
  3. To enable CSRF token validation, select Enable CSRF token check.
    Selecting this check box causes all Pega URLs to include a CSRF token, and every HTTP request to a secured activity or stream must pass that token as part of the URL; a request without a valid token is rejected.
  4. If you have enabled CSRF token check, select one of the following Secure options:
    All activities & streams
    CSRF validation checks every activity and stream in your system for a CSRF token. If you select this option, you can exclude specific activities and streams from token validation by entering them in the Allowed Activities field and the Allowed Streams field. Separate multiple activities and streams with commas. Keep these exclusions to a minimum: anything listed here can be invoked by a cross-site request without a token.
    Specific activities & streams
    CSRF validation checks only the activities and streams that you specify in the Secured Activities and Secured Streams fields for a CSRF token; everything else is left unprotected. Separate multiple activities and streams with commas.
  5. Optional: To maintain a safe list ("white list") of referrer host names that the referrer check accepts, perform the following actions.
    1. In the Referrer Settings section, select Enable referrer check.
    2. In the Allowed referrers field, enter the host names from which requests are accepted as legitimately referred. Separate multiple host names with commas. Enter host names only, without scheme or path, and include every host that legitimately links into the application, because requests referred from any other host fail the check.
  6. Click Submit.
  7. If you changed the value of Enable CSRF token check, you must restart your system for the new value to take effect.
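The following is an added reference model, not Pega's own code, of how the settings in steps 2 through 5 combine to accept or reject a request. It mirrors the All/Specific scoping rules, the Allowed and Secured lists, and the referrer allow list, and includes a small parser for confirming from a Set-Cookie header that the SameSite attribute is actually being emitted after the change. The request parameter name csrf_token, the activity names, the host names, and the decision to reject a request with no Referer header are assumptions of this model, not documented Pega behaviour.

```python
# Added reference model of the CSRF controls configured above.
# Illustrative code, not Pega's implementation. The parameter name
# "csrf_token", the activity and host names, and the handling of a
# missing Referer header are assumptions of this model.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse


@dataclass
class CsrfSettings:
    """Mirrors the options on the Cross-Site Request Forgery settings page."""
    token_check_enabled: bool = True                      # Enable CSRF token check
    scope: str = "all"                                    # "all" or "specific" (Secure option)
    allowed_activities: set = field(default_factory=set)  # excluded when scope == "all"
    secured_activities: set = field(default_factory=set)  # checked when scope == "specific"
    referrer_check_enabled: bool = False                  # Enable referrer check
    allowed_referrers: set = field(default_factory=set)   # Allowed referrers (host names)


def new_session_token() -> str:
    """Per-session synchronizer token: unguessable and bound to one session."""
    return secrets.token_urlsafe(32)


def activity_requires_token(settings: CsrfSettings, activity: str) -> bool:
    """Apply the All/Specific scoping rules from step 4."""
    if not settings.token_check_enabled:
        return False
    if settings.scope == "all":
        return activity not in settings.allowed_activities
    return activity in settings.secured_activities


def referrer_allowed(settings: CsrfSettings, referer: Optional[str]) -> bool:
    """Referrer check (step 5): the Referer host must be on the allow list.
    A missing header is rejected here; that is a choice of this model."""
    if not settings.referrer_check_enabled:
        return True
    if not referer:
        return False
    host = urlparse(referer).hostname
    allowed = {h.lower() for h in settings.allowed_referrers}
    return host is not None and host.lower() in allowed


def validate_request(settings: CsrfSettings, session_token: str, activity: str,
                     params: dict, referer: Optional[str] = None):
    """Return (accepted, reason) for one request against the configured policy."""
    if not referrer_allowed(settings, referer):
        return False, "referrer not allowed"
    if activity_requires_token(settings, activity):
        presented = params.get("csrf_token")  # assumed parameter name
        # Constant-time comparison so the check does not leak token bytes.
        if not presented or not hmac.compare_digest(
                presented.encode("utf-8"), session_token.encode("utf-8")):
            return False, "missing or invalid CSRF token"
    return True, "ok"


def samesite_attribute(set_cookie: str) -> Optional[str]:
    """Read the SameSite value from a Set-Cookie header, to confirm step 2 took effect."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().capitalize() or None
    return None


if __name__ == "__main__":
    # Constructed sample policy: protect everything except a health-check activity,
    # and accept referrals only from the application's own host.
    settings = CsrfSettings(scope="all", allowed_activities={"HealthCheck"},
                            referrer_check_enabled=True,
                            allowed_referrers={"app.example.com"})
    token = new_session_token()
    print(validate_request(settings, token, "UpdateProfile",
                           {"csrf_token": token}, "https://app.example.com/prweb/"))
    print(validate_request(settings, token, "UpdateProfile", {}, "https://app.example.com/"))
    print(validate_request(settings, token, "UpdateProfile",
                           {"csrf_token": token}, "https://evil.example/"))
    # Constructed Set-Cookie header as a server would emit it after step 2.
    print(samesite_attribute("PegaRULES=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"))
```

The model makes two operational points concrete: an activity on the Allowed list passes with no token at all, so the list is an explicit hole in the protection, and the referrer check is an independent gate, so a request with a valid token is still rejected if its Referer host is not on the allow list.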