> ## Documentation Index
> Fetch the complete documentation index at: https://docs.osto.one/llms.txt
> Use this file to discover all available pages before exploring further.

# Managing Websites & Subdomains

> Add the websites and subdomains you want Osto to protect.

Once added and DNS-pointed, every request to them flows through Osto for inspection before reaching your origin.

> **Path:** Assets → Domains → Manage Domains

## The domain list

The Manage Domains page shows every domain you've registered with these columns:

| Column            | What it shows                                                                                                     |
| ----------------- | ----------------------------------------------------------------------------------------------------------------- |
| **FQDN**          | The full domain name (e.g. `api.example.com`).                                                                    |
| **Updated At**    | Timestamp of the last configuration change.                                                                       |
| **Website Name**  | Friendly name for the website (auto-derived from the FQDN by default).                                            |
| **Status**        | Current state — *draft*, *active*, etc. New domains start as *draft* until DNS is pointed and traffic is flowing. |
| **Firewall Mode** | Per-domain toggle: **Detect Mode** (observe and log only) or **Prevent Mode** (actively block).                   |
| **Actions**       | Edit (pencil) and **Delete Website** affordances.                                                                 |

The top-right **WAF Details** button surfaces protection summaries.

## Firewall Mode — Detect vs. Prevent

Each registered domain has a Firewall Mode toggle directly in the table. This controls how Osto handles malicious requests it identifies:

* **Detect Mode** — Osto inspects every request and logs anything suspicious, but **does not block**. Use this when onboarding a new domain so you can review what Osto would have blocked before going live.
* **Prevent Mode** — Osto inspects every request and **actively blocks** anything malicious. This is the production setting.

<Tip>
  **Recommended onboarding pattern:** start in **Detect Mode** for the first few days, watch Logs → Web App for false positives, then flip to **Prevent Mode** once you're confident the policies are correctly tuned.
</Tip>

## Adding a Website or Subdomain

The same flow handles root domains and subdomains alike. It's a two-step wizard.

### Step 1 — Domain, origin, TLS & CDN

<Steps>
  <Step title="Open the Add Website dialog">
    Go to **Assets → Domains → Manage Domains** and click **Add Website +**.
  </Step>

  <Step title="Enter and verify your domain">
    In the **Domain Name** field, enter the domain (e.g. `example.com` or `app.example.com`) and click **Verify**. On success you'll see *"Domain verified successfully"* with a green check.
  </Step>

  <Step title="Configure origin servers">
    The form expands with two **Server IP or LB Domain** fields. Suggested origin IPs appear as chips below each — click a chip to fill, or type your own. Use both fields for high availability; use only the first for a single-origin setup. For multiple IPs in one field, separate them with commas.
  </Step>

  <Step title="Set TLS version">
    Multi-select dropdown. Defaults to **TLS 1.2 + TLS 1.3** (shown as *"2 selected"*). TLS 1.1 is available but off by default.
  </Step>

  <Step title="Select CDN usage">
    Choose your CDN if your site sits behind one — Osto adjusts request-header handling so client IPs and other forwarded metadata are interpreted correctly. Options: Not Using CDN, AWS CloudFront, Google Cloud CDN, Azure CDN, Others.
  </Step>

  <Step title="Proceed to certificate setup">
    Click **Next** to move to certificate setup.
  </Step>
</Steps>

### Step 2 — Certificate Configuration

This is where Osto figures out which TLS certificate to present to clients hitting your domain. You have two paths:

#### Option A — Auto-generate (default, recommended)

Leave **Auto-generate certificate** checked. Osto provisions a free SSL certificate on your behalf using industry-standard ACME validation. To prove you own the domain, you add one CNAME record at your DNS provider:

| Field     | Value                                                                    |
| --------- | ------------------------------------------------------------------------ |
| **Type**  | CNAME                                                                    |
| **Name**  | `_acme-challenge.<your-domain>` (shown in the dialog with a copy button) |
| **Value** | the target shown in the dialog — use the copy button                     |
| **TTL**   | 60                                                                       |

After adding the record, wait a few minutes for DNS to propagate, then click **Verify CNAME Record**. Once verified, Osto issues the certificate and the domain moves out of *draft*.

#### Option B — Bring your own certificate

Uncheck **Auto-generate certificate**. Two sub-options appear:

* **Select Certificate** — dropdown listing every certificate you've already uploaded under [Manage Certificate](/how-to-guides/asset-management/managing-ssl-certificates). Pick the one whose Common Name covers your domain.
* **Certificate Archive (ZIP)** — drag-and-drop a `.zip` file containing the certificate and private key, or click to browse.

<Note>
  The ZIP must contain valid certificate files (`.crt`, `.pem`) and private key files (`.key`, `.pem`).
</Note>

Click **Next** to finish. The uploaded certificate also appears in Manage Certificate for future reuse.

### Step 3 — Point your DNS

Once the dialog closes, the domain appears in the list with status **draft**. The final step is at your DNS provider:

* Update the domain's **A record** to the Osto IP shown after Save.
* Set TTL to **600 seconds** for fast propagation.

Status flips from *draft* to *active* once Osto observes traffic flowing through.

## Editing a Website or Subdomain

Click the **edit (pencil)** icon on the row. The dialog opens directly to the Step 1 form with your existing values pre-loaded — you can update origin IPs, TLS versions, or CDN usage and click **Save**.

To change a domain's **Firewall Mode**, click the *Detect Mode* or *Prevent Mode* button directly in the row — no need to open the edit dialog.

## Deleting a Website or Subdomain

Click **Delete Website** on the row and confirm.

<Warning>
  A parent domain can't be deleted while it still has registered subdomains — delete the subdomains first. After deletion, traffic to that domain bypasses Osto until you also revert the DNS A record at your provider.
</Warning>

## What happens after a domain is active

1. Every request hits Osto first.
2. Attack Detection runs (TLS, protocol, headers).
3. Advanced checks (OWASP, DDoS, bot mitigation) inspect the request body and behavior. Whether they block or merely log depends on Firewall Mode.
4. Clean requests forward to your origin; malicious ones are blocked (in Prevent Mode) or recorded (in Detect Mode).
5. Findings stream into **Logs → Web App Logs** and into the **Compliance Engine** as evidence.

## Related

* [What is Web Application Protection](/overview/what-is-web-app-protection) — the detailed protection model.
* [Website Protection Policy](/how-to-guides/policy-configuration/website-protection-policy) — tune the protection behavior per domain.
* [Managing SSL Certificates](/how-to-guides/asset-management/managing-ssl-certificates) — upload, view, and remove certificates.
