Security for Reactive-UI applications
If your application uses Cosmos React-UI, operators are authenticated through one of the newer, PRAuth-based Pega Platform™ authentication schemes. Cosmos React-UI does not support non-application-specific URLs for custom authentication, nor does it support any authentication scheme other than PRAuth.
For example, when you select React-based UI (Early Beta – not for production use) on the application definition rule form, Pega Platform generates a routing table internally and registers the application as a standard OAuth 2.0 client, issuing authorized access tokens for its interactions. Authorized access tokens (AATs) are now the default token format that Pega Platform uses for OAuth 2.0.
AATs are self-contained, compact, and digitally signed so that any tampering is detected when the token is verified. Pega Platform manages AATs with auto-generated claims and a built-in key rotation strategy, using the JSON Web Token (JWT) and JSON Web Signature (JWS) standards. Because access tokens are bearer credentials, HTTPS is required for any application that is marked to use Cosmos React-UI.
The auto-generated OAuth 2.0 client for an application is identified by the name PegaAPP_<ApplicationName>, where <ApplicationName> is the name of the application. The OAuth 2.0 Client instance is generated automatically when the application is saved.
For more information, refer to the community article Securing Cosmos React-UI applications.
Vulnerability mitigation controls for reactive-UI applications
Built-in vulnerability mitigation controls include:
- Basic access controls that deny, by default, unregistered inputs such as activities or snap-start URLs.
- Cross-Site Request Forgery (CSRF) mitigation controls that block Pega Digital Experience (DX) API calls from other source domains.
- Enhanced client-side cache management with new Cache-Control headers that prevent caching of DX API URLs.
- Out-of-the-box data-level protection with property-level attribute-based access control (ABAC) for the DX API.