> ## Documentation Index
> Fetch the complete documentation index at: https://docs.osto.one/llms.txt
> Use this file to discover all available pages before exploring further.

# Policy Configuration

> Policies are how you tell Osto what to enforce — what's allowed, what's blocked, and how.

Policies reference the assets you've already registered (users, servers, domains) and determine what's allowed, what's blocked, and how.

> **Path:** Policies in the sidebar

The Policies section is organized by the kind of asset being protected:

```
Policies
├─ Endpoint Users       → policies that apply to your team's devices
│  ├─ Device Control
│  ├─ App Control
│  ├─ Domain Filtering
│  ├─ Data Leakage Prevention → App File Access
│  └─ Global Policy
├─ Domains              → policies that apply to inbound web traffic
│  ├─ Global Policies: DDoS, Bot
│  └─ Local Policies: Advanced, Custom Routing Rules, Policy Exceptions, API Discovery
└─ Server Access        → policies that govern who reaches which server
```

## In this section

### [User Protection Policy](/how-to-guides/policy-configuration/user-protection-policy)

Endpoint policies — what users on managed devices can run, plug in, access on the web, or send out. Covers **Device Control**, **App Control**, **Domain Filtering**, **App File Access** (DLP), and the baseline **Global Policy**.

### [Secure Server Access Policy](/how-to-guides/policy-configuration/secure-server-access-policy)

Who can reach which server, when, and what services they can use. Rules-list page with **Priority / Source / Destination / Service / Action** columns. Default is deny-all (an implicit *Drop the traffic* rule at the bottom).

### [Website Protection Policy](/how-to-guides/policy-configuration/website-protection-policy)

How Osto inspects inbound traffic to your registered domains. Split into **Global Policies** that apply account-wide (DDoS, Bot Mitigation) and **Local Policies** that apply per-domain (Advanced WAF protections, Custom Routing Rules, Policy Exceptions, API Discovery).

## Two UI patterns you'll see

Osto's policy UX comes in two distinct shapes across the dashboard:

1. **Configuration-on-target pages** — most policies. You see a list of the assets the policy can apply to (users, groups, or domains), select one or more, and click **Edit \[Policy Type] +** to configure the policy for that selection.
2. **Rules-list pages** — *Server Access* and *Policy Exceptions*. You see an ordered list of explicit rules (Priority, Name, Source, Destination, Action). New rules are added with a top-level Add button. The first matching rule wins (with an implicit deny at the bottom for Server Access).

## A note on OWASP coverage

Osto's protection against the OWASP Top 10 (SQL injection, XSS, parameter tampering, sensitive data exposure, etc.) is built into the **Advanced** policy under **Policies → Domains → Advanced** — specifically the *Url Protection*, *Parameter Protection*, and *Data Theft Protection* toggles. There is no separate "OWASP" page; configure it through Advanced.
