Other security settings
- Last Updated Mar 20, 2025
- 2 minute read
- PI System
- PI Web API 2023 SP1 Patch 1
- Developer
You can establish the following additional security settings to prevent Cross Site Request Forgery (CSRF) attacks and improve the protection of web applications against clickjacking.
EnableCSRFDefense
Set the configuration item in PI System Explorer with a Value Type of Boolean. The default setting is true. When set to true, the Cross-Site Request Forgery defense is enabled in PI Web API, and PI Web API checks that the custom HTTP request header X-Requested-With is present on every request whose method is POST, PUT, PATCH or DELETE. This defense relies on the browser's Same-Origin Policy and on the CORS settings: a cross-site form submission cannot add a custom header, and a cross-origin script can only send one if the server's CORS configuration allows it. Ensure that the CorsHeaders configuration setting allows the X-Requested-With header to be sent cross-domain, otherwise legitimate cross-origin clients will have their write requests rejected.
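The check described above, written out as a small request filter. This is an added illustration, not PI Web API code: the `Request` class, the function names and the sample requests are constructed for the example, and the assumption that CorsHeaders is a comma-separated list of allowed request headers is the example's own.

```python
"""Simulated EnableCSRFDefense behaviour (added example, not PI Web API source).

Why a custom header works as a CSRF defense: an HTML form posted from another
site cannot attach arbitrary headers, and a cross-origin script can only attach
X-Requested-With if the server's CORS response lists it as an allowed header,
so any state-changing request that carries it must come from same-origin code
or from an origin the server explicitly trusts.
"""

from dataclasses import dataclass, field

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
CUSTOM_HEADER = "X-Requested-With"


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive, so compare lower-cased.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def csrf_check(req, enable_csrf_defense=True):
    """Return (allowed, reason) for a request.

    Mirrors the documented rule: when the defense is enabled, a request with a
    POST/PUT/PATCH/DELETE method must carry X-Requested-With; any other method
    passes unchanged.
    """
    if not enable_csrf_defense:
        return True, "defense disabled"
    if req.method.upper() not in STATE_CHANGING:
        return True, "safe method"
    if req.header(CUSTOM_HEADER) is None:
        return False, f"{CUSTOM_HEADER} missing on {req.method.upper()}"
    return True, "custom header present"


def cors_allows_custom_header(cors_headers_setting):
    """True if a cross-origin browser client could send X-Requested-With.

    Assumption for this example: the setting is a comma-separated list of
    header names that the server echoes in Access-Control-Allow-Headers when
    answering the browser's preflight. If the header is not listed, the
    browser refuses to send it and the request is rejected by csrf_check().
    """
    allowed = {h.strip().lower() for h in cors_headers_setting.split(",") if h.strip()}
    return "*" in allowed or CUSTOM_HEADER.lower() in allowed


if __name__ == "__main__":
    # Constructed sample traffic: a same-origin XHR, a forged cross-site form post,
    # and a harmless read.
    samples = [
        Request("POST", {"X-Requested-With": "XMLHttpRequest"}),
        Request("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
        Request("GET", {}),
    ]
    for sample in samples:
        print(sample.method, csrf_check(sample))
    print("CORS permits header:", cors_allows_custom_header("Content-Type, X-Requested-With"))
```

The two functions belong together when troubleshooting: a rejected cross-origin write is usually not a CSRF attempt but a CorsHeaders value that omits X-Requested-With, so the browser never sent the header in the first place.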
XFrameOptions
The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render a page inside a frame, iframe, embed or object element on another page, which is the mechanism clickjacking relies on. Set the configuration item in PI System Explorer with one of the following values:
| Field | Description or value |
|---|---|
| Value Type | String |
| Value | |
DebugMode
Set the configuration item in PI System Explorer with a Value Type of Boolean. The default setting is false. When set to false, PI Web API returns only sanitized error messages. When set to true, PI Web API returns more detailed error messages, including request URLs, user input queries, and so on. In a production environment, leave the setting at false: detailed messages echo user-supplied input back to the client, which increases exposure to cross-site scripting (XSS) and discloses internal details.
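To make the production-versus-debug distinction concrete, here is an added example of an error handler that behaves the way the setting above describes. It is not PI Web API code: the function names, the response shape, the correlation id and the sample request values are all constructed for the illustration.

```python
"""Sanitized vs. detailed error responses (added example, not PI Web API source).

The production path sends the client a generic message plus a correlation id
and writes the detail to the server log, so operators still get the URL and
the user's query without the client ever seeing them reflected.
"""

import html
import logging
import uuid

log = logging.getLogger("webapi.errors")

GENERIC_MESSAGE = "An error occurred while processing the request."


def build_error_response(exc, request_url, user_query, debug_mode=False):
    """Return (status_code, body_dict) for a failed request.

    debug_mode=False: generic message and correlation id only.
    debug_mode=True:  exception text, request URL and the raw user query.
    """
    correlation_id = uuid.uuid4().hex
    # Full detail always goes to the server log, never conditionally.
    log.error("%s url=%s query=%r exc=%s", correlation_id, request_url, user_query, exc)

    if not debug_mode:
        return 500, {"Errors": [GENERIC_MESSAGE], "CorrelationId": correlation_id}

    return 500, {
        "Errors": [str(exc)],
        "RequestUrl": request_url,
        "Query": user_query,
        "CorrelationId": correlation_id,
    }


def render_error_html(body):
    """Render an error body as HTML with every field escaped.

    If a detailed body is ever shown in a browser (a status page, a log viewer),
    the reflected query must be escaped; otherwise markup supplied by the
    requester would execute in the viewer's browser, which is the XSS risk the
    DebugMode guidance refers to.
    """
    rows = "".join(
        f"<li>{html.escape(k)}: {html.escape(str(v))}</li>" for k, v in body.items()
    )
    return f"<ul>{rows}</ul>"


if __name__ == "__main__":
    # Constructed sample: a bad filter expression containing HTML markup.
    url = "/api/items?filter=<constructed>"
    query = "<img src=x onerror=alert(1)>"
    err = ValueError("unparseable filter expression")
    print(build_error_response(err, url, query))                   # production
    print(build_error_response(err, url, query, debug_mode=True))  # debug
    print(render_error_html(build_error_response(err, url, query, debug_mode=True)[1]))
```

The correlation id is the design point: it lets a support engineer match a user's generic error to the detailed log line, which removes the usual reason for leaving DebugMode on in production.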
OmfIncludeInnerEvents Setting
When the PI Web API receives an OMF request, it responds with a series of events that occurred during processing. These events can include various types of information, such as errors, warnings, or informational messages. These events may be composed of inner child events that give greater context to the parent event.
Previously, these inner events were included in a PI Web API OMF response only when PI Web API had been configured to run in Debug Mode. As a result, inner events were not available in production environments, where Debug Mode should be off.
The OmfIncludeInnerEvents configuration can be used to enable or disable inner events in production environments.
The default setting for this configuration is true. When set to true, inner events are returned. For backwards compatibility, returning inner events can be disabled by setting the configuration to false.
For additional information, see Configuration at runtime.