Policies reference the assets you’ve already registered (users, servers, domains) and determine what’s allowed, what’s blocked, and how.
Path: Policies in the sidebar
The Policies section is organized by the kind of asset being protected:
Policies
├─ Endpoint Users       → policies that apply to your team's devices
│  ├─ Device Control
│  ├─ App Control
│  ├─ Domain Filtering
│  ├─ Data Leakage Prevention → App File Access
│  └─ Global Policy
├─ Domains              → policies that apply to inbound web traffic
│  ├─ Global Policies: DDoS, Bot
│  └─ Local Policies: Advanced, Custom Routing Rules, Policy Exceptions, API Discovery
└─ Server Access        → policies that govern who reaches which server

In this section

User Protection Policy

Endpoint policies — what users on managed devices can run, plug in, access on the web, or send out. Covers Device Control, App Control, Domain Filtering, App File Access (DLP), and the baseline Global Policy.

Secure Server Access Policy

Who can reach which server, when, and what services they can use. Rules-list page with Priority / Source / Destination / Service / Action columns. Default is deny-all (an implicit “Drop the traffic” rule at the bottom).

Website Protection Policy

How Osto inspects inbound traffic to your registered domains. Split into Global Policies that apply account-wide (DDoS, Bot Mitigation) and Local Policies that apply per-domain (Advanced WAF protections, Custom Routing Rules, Policy Exceptions, API Discovery).

Two UI patterns you’ll see

Osto’s policy UX comes in two distinct shapes across the dashboard:
  1. Configuration-on-target pages — most policies. You see a list of the assets the policy can apply to (users, groups, or domains), select one or more, and click Edit [Policy Type] + to configure the policy for that selection.
  2. Rules-list pages — Server Access and Policy Exceptions. You see an ordered list of explicit rules (Priority, Name, Source, Destination, Action). New rules are added with a top-level Add button. The first matching rule wins (with an implicit deny at the bottom for Server Access).
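
The first-match behaviour of rules-list pages, as an added example (not Osto's code): a small Python model that evaluates an ordered rule list with an implicit drop and flags rules that can never fire because an earlier rule already covers them. It assumes lower Priority numbers are evaluated first and that an "any" wildcard exists; the rule names, groups and servers are constructed.

```python
from dataclasses import dataclass

ANY = "any"  # assumed wildcard value, not taken from the Osto UI

@dataclass(frozen=True)
class Rule:
    priority: int      # assumption: lower number is evaluated first
    name: str
    source: str        # user group, or ANY
    destination: str   # server, or ANY
    service: str       # service name, or ANY
    action: str        # "allow" or "drop"

    def _fields(self):
        return (self.source, self.destination, self.service)

    def matches(self, source, destination, service):
        """True if this rule applies to one concrete access request."""
        request = (source, destination, service)
        return all(f in (ANY, r) for f, r in zip(self._fields(), request))

    def covers(self, other):
        """True if every request matching `other` also matches this rule."""
        return all(a in (ANY, b) for a, b in zip(self._fields(), other._fields()))

def evaluate(rules, source, destination, service):
    """First matching rule wins; no match falls through to the implicit drop."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(source, destination, service):
            return rule.action, rule.name
    return "drop", None

def shadowed(rules):
    """Return (rule, earlier_rule) pairs where the later rule can never fire."""
    ordered = sorted(rules, key=lambda r: r.priority)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample rule list: the drop at priority 20 is unreachable.
RULES = [
    Rule(10, "ops-db-all", "ops", "db-01", ANY, "allow"),
    Rule(20, "ops-db-no-ssh", "ops", "db-01", "ssh", "drop"),
    Rule(30, "dev-web-https", "dev", "web-01", "https", "allow"),
]
```

With this list, an SSH request from the ops group to db-01 is allowed by the broader rule above the drop, which is the ordering mistake the shadow check reports.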

A note on OWASP coverage

Osto’s protection against the OWASP Top 10 (SQL injection, XSS, parameter tampering, sensitive data exposure, etc.) is built into the Advanced policy under Policies → Domains → Advanced — specifically the Url Protection, Parameter Protection, and Data Theft Protection toggles. There is no separate “OWASP” page; configure it through Advanced.