
Website Protection policies govern how Osto inspects inbound web traffic to your registered domains. They split into Global Policies (apply across all your domains) and Local Policies (per-domain overlays).
Path: Policies → Domains

Global Policies

These apply account-wide. Each one is a single page with a master on/off toggle and a list of pre-defined attack/bot rules.

DDoS

Sub-path: Policies → Domains → DDoS
Volumetric and protocol-level denial-of-service mitigation. Page: Master DDoS Protection toggle (default on) above a read-only table of 10 attack types:
Column | Values
Attack Type | Floating Point DoS Attack · Generic DoS Attack · Other · Range: Invalid Last Byte Value · Range: Too many fields · Slowloris Attack · WordPress DoS Attack · WordPress Pingback zombie Attack · WordPress trackback resource exhaustion attack · XMLRPC DoS Attack
Severity | low, medium, high — assigned per attack type
Severities are pre-defined and not editable. The configurable surface is the global toggle.

Bot

Sub-path: Policies → Domains → Bot
Bot detection and mitigation across a large catalog of known automated agents and patterns. Page: Master Bot Mitigation toggle (default on) above a read-only, paginated table of 54 bot rules, each with a low / medium / high severity. Examples: Block Bad bot www.80legs.com, Block Badbot User-Agent, Block Blackseo bot, Block CryptoPHP, Block DRM bot, Block DataCha0s bot, Block Datanyze bot (medium), Block Fake zoominfo search bot, Block ICS bot, and more. As with DDoS, severities are pre-defined and the global toggle is the configurable surface.

Local Policies

These apply per-domain. The first three are configuration pages; the last (API Discovery) is observational.

Advanced

Sub-path: Policies → Domains → Advanced
The richest WAF policy in Osto — covers the OWASP-class protections (URL injection, parameter tampering, sensitive-data leakage) along with cookie security and rate limiting. Page columns (per registered domain): Website Name, FQDN, Data Theft, Cloaking, Parameter (Protection), URL Protection, Cookie Security, Actions (with Edit pencil). Edit Policy dialog (per domain) — seven feature toggles, each with its own deeper-config pencil:
Feature | Default | What it covers
Request Limit | On | Caps request size and shape (headers, body bytes, parameter counts).
Cookie Security | Off | Cookie signing / tamper detection.
Url Protection | On | URL-pattern validation — covers OWASP path-injection and traversal classes.
Parameter Protection | Off | Query/body parameter validation — covers OWASP injection (SQL, XSS, command injection) classes.
Cloaking | Off | Hides origin server fingerprints in responses.
Data Theft Protection | Off | Inspects responses for sensitive data leakage (PII, credentials) — covers OWASP Sensitive Data Exposure.
Rate Limit | Off | Per-client request-rate ceiling for the domain.
OWASP Top 10 coverage lives here. Url Protection + Parameter Protection + Data Theft Protection together cover the OWASP injection, broken-access-control, and sensitive-data-exposure classes. There is no separate “OWASP” page in the dashboard.

Custom Routing Rules

Sub-path: Policies → Domains → Custom Routing Rules
Per-domain rules to direct matching traffic to specific origin endpoints. Page columns: Website / rule, Route Matching, Prefix Match, Exact Match, Regex Match, Actions. Each registered domain appears as an expandable group with:
  • A built-in Default Rule at path prefix / (cannot be deleted) that catches everything not matched by a more specific rule.
  • A + Add routing rule button on the group row to append new rules.
Match types available per rule:
  • Prefix Match — match URL path beginning with a specified prefix.
  • Exact Match — match a specific URL path exactly.
  • Regex Match — match against a regular expression.
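To make the three match types and the Default Rule fallback concrete, here is an added example (not Osto's own routing logic) that resolves a request path to an origin. The precedence it uses (exact match, then longest matching prefix, then regex, then the Default Rule) is an assumption for illustration; the page does not state how Osto orders overlapping rules. The rule set and origin hostnames are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class RoutingRule:
    """One Custom Routing Rule: match type ("exact", "prefix" or "regex"),
    its pattern, and the origin that matching traffic is sent to."""
    match_type: str
    pattern: str
    origin: str


def rule_matches(rule: RoutingRule, path: str) -> bool:
    """Apply the rule's match type to a request path."""
    if rule.match_type == "exact":
        return path == rule.pattern
    if rule.match_type == "prefix":
        return path.startswith(rule.pattern)
    if rule.match_type == "regex":
        return re.search(rule.pattern, path) is not None
    raise ValueError(f"unknown match type: {rule.match_type}")


def select_origin(rules: list, path: str, default_origin: str) -> str:
    """Pick the origin for a path. Precedence is an assumption for this example:
    exact, then the longest matching prefix, then regex, then the built-in
    Default Rule at prefix / (modelled here as default_origin)."""
    for match_type in ("exact", "prefix", "regex"):
        hits = [r for r in rules if r.match_type == match_type and rule_matches(r, path)]
        if hits:
            # Longest pattern wins, so /api/v2/ beats /api/ for the prefix type.
            return max(hits, key=lambda r: len(r.pattern)).origin
    return default_origin


# Constructed rule set for one domain (hypothetical origins, not from the page).
EXAMPLE_RULES = [
    RoutingRule("prefix", "/api/", "api-origin.internal"),
    RoutingRule("prefix", "/api/v2/", "api-v2-origin.internal"),
    RoutingRule("exact", "/api/health", "health-origin.internal"),
    RoutingRule("regex", r"\.(png|jpg|css|js)$", "static-origin.internal"),
]
DEFAULT_ORIGIN = "web-origin.internal"  # the Default Rule at path prefix /

if __name__ == "__main__":
    for p in ["/api/health", "/api/v1/users", "/api/v2/users", "/img/logo.png", "/about"]:
        print(p, "->", select_origin(EXAMPLE_RULES, p, DEFAULT_ORIGIN))
```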

Policy Exceptions

Sub-path: Policies → Domains → Policy Exceptions
Named carve-outs that let specific traffic bypass otherwise-applicable protections. Use sparingly — only when a known-legitimate request shape is being incorrectly flagged. Page columns: Name, Hostname, Action, Parameter Location, Parameter Name, Parameter Value, Actions. New policy exception dialog:
  • Rule name — placeholder “e.g. allow-admin-api”.
  • Website — dropdown selecting which registered website this exception applies to.
  • WHEN TRAFFIC MATCHES — match conditions:
    • Then — dropdown choosing the action to apply when matched (allow/skip-check/etc.).
    • Match — dropdown choosing the match type.
    • Match values → URL path — the specific URL path that triggers this exception.

API Discovery

Sub-path: Policies → Domains → API Discovery
Observation page (browser title: API Inventory) showing every API endpoint Osto has automatically discovered under your protected domains by inspecting live traffic. There is no configuration on this page — only a Refresh button to re-pull the latest inventory. Page columns: Host, Method, URI, Hits, Last Seen, Response Content (type/length summaries). Use this view to spot shadow APIs, unintended exposures, or endpoints that should be hidden behind authentication.

A typical configuration order for a new domain

  1. Confirm DDoS and Bot are toggled on (account-wide, you usually only do this once).
  2. Open Advanced, click Edit on the row for the new domain, and enable the relevant feature toggles. Start with Url Protection and Parameter Protection on; add Data Theft Protection, Cookie Security, and Rate Limit as needed for the workload.
  3. If different paths on the domain need different origins, configure Custom Routing Rules.
  4. Watch API Discovery for a few days to see what endpoints get discovered.
  5. Add Policy Exceptions only when a legitimate request is being incorrectly blocked (a false positive).
  6. Pair the protection with the per-domain Firewall Mode toggle on Manage Domains — start in Detect Mode to observe what would be blocked, then flip to Prevent Mode.