> ## Documentation Index
> Fetch the complete documentation index at: https://docs.osto.one/llms.txt
> Use this file to discover all available pages before exploring further.

# Website Protection Policy

> Configure how Osto inspects inbound web traffic to your registered domains — global and per-domain policies.

Website Protection policies govern how Osto inspects inbound web traffic to your registered domains. They split into **Global Policies** (apply across all your domains) and **Local Policies** (per-domain overlays).

> **Path:** Policies → Domains

***

## Global Policies

These apply account-wide. Each one is a single page with a master on/off toggle and a list of pre-defined attack/bot rules.

### DDoS

> **Sub-path:** Policies → Domains → DDoS

Volumetric and protocol-level denial-of-service mitigation.

**Page:** Master `DDoS Protection` toggle (default on) above a read-only table of 10 attack types:

| Column          | Values                                                                                                                                                                                                                                                             |
| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Attack Type** | Floating Point DoS Attack · Generic DoS Attack · Other · Range: Invalid Last Byte Value · Range: Too many fields · Slowloris Attack · WordPress DoS Attack · WordPress Pingback zombie Attack · WordPress trackback resource exhaustion attack · XMLRPC DoS Attack |
| **Severity**    | *low*, *medium*, *high* — assigned per attack type                                                                                                                                                                                                                 |

Severities are pre-defined and not editable. The configurable surface is the global toggle.

### Bot

> **Sub-path:** Policies → Domains → Bot

Bot detection and mitigation across a large catalog of known automated agents and patterns.

**Page:** Master `Bot Mitigation` toggle (default on) above a read-only, paginated table of **54 bot rules**, each with a *low* / *medium* / *high* severity. Examples: *Block Bad bot [www.80legs.com](http://www.80legs.com)*, *Block Badbot User-Agent*, *Block Blackseo bot*, *Block CryptoPHP*, *Block DRM bot*, *Block DataCha0s bot*, *Block Datanyze bot* (medium), *Block Fake zoominfo search bot*, *Block ICS bot*, and more.

As with DDoS, severities are pre-defined and the global toggle is the configurable surface.

***

## Local Policies

These apply per-domain. The first three are configuration pages; the last (API Discovery) is observational.

### Advanced

> **Sub-path:** Policies → Domains → Advanced

The richest WAF policy in Osto — covers the OWASP-class protections (URL injection, parameter tampering, sensitive-data leakage) along with cookie security and rate limiting.

**Page columns** (per registered domain): Website Name, FQDN, Data Theft, Cloaking, Parameter (Protection), URL Protection, Cookie Security, Actions (with **Edit** pencil).

**Edit Policy dialog** (per domain) — seven feature toggles, each with its own deeper-config pencil:

| Feature                   | Default | What it covers                                                                                             |
| ------------------------- | ------- | ---------------------------------------------------------------------------------------------------------- |
| **Request Limit**         | On      | Caps request size and shape (headers, body bytes, parameter counts).                                       |
| **Cookie Security**       | Off     | Cookie signing / tamper detection.                                                                         |
| **Url Protection**        | On      | URL-pattern validation — covers OWASP path-injection and traversal classes.                                |
| **Parameter Protection**  | Off     | Query/body parameter validation — covers OWASP injection (SQL, XSS, command injection) classes.            |
| **Cloaking**              | Off     | Hides origin server fingerprints in responses.                                                             |
| **Data Theft Protection** | Off     | Inspects responses for sensitive data leakage (PII, credentials) — covers OWASP *Sensitive Data Exposure*. |
| **Rate Limit**            | Off     | Per-client request-rate ceiling for the domain.                                                            |

<Note>
  **OWASP Top 10 coverage lives here.** Url Protection + Parameter Protection + Data Theft Protection together cover the OWASP injection, broken-access-control, and sensitive-data-exposure classes. There is no separate "OWASP" page in the dashboard.
</Note>

### Custom Routing Rules

> **Sub-path:** Policies → Domains → Custom Routing Rules

Per-domain rules to direct matching traffic to specific origin endpoints.

**Page columns:** Website / rule, Route Matching, Prefix Match, Exact Match, Regex Match, Actions.

Each registered domain appears as an expandable group with:

* A built-in **Default Rule** at path prefix `/` (cannot be deleted) that catches everything not matched by a more specific rule.
* An **+ Add routing rule** button on the group row to append new rules.

Match types available per rule:

* **Prefix Match** — match URL path beginning with a specified prefix.
* **Exact Match** — match a specific URL path exactly.
* **Regex Match** — match against a regular expression.

### Policy Exceptions

> **Sub-path:** Policies → Domains → Policy Exceptions

Named carve-outs that let specific traffic bypass otherwise-applicable protections. Use sparingly — only when a known-legitimate request shape is being incorrectly flagged.

**Page columns:** Name, Hostname, Action, Parameter Location, Parameter Name, Parameter Value, Actions.

**New policy exception dialog:**

* **Rule name** — placeholder *"e.g. allow-admin-api"*.
* **Website** — dropdown selecting which registered website this exception applies to.
* **WHEN TRAFFIC MATCHES** — match conditions:
  * **Then** — dropdown choosing the action to apply when matched (allow/skip-check/etc.).
  * **Match** — dropdown choosing the match type.
  * **Match values → URL path** — the specific URL path that triggers this exception.

### API Discovery

> **Sub-path:** Policies → Domains → API Discovery

Observation page (browser title: *API Inventory*) showing every API endpoint Osto has automatically discovered under your protected domains by inspecting live traffic. There is no configuration on this page — only a `Refresh` button to re-pull the latest inventory.

**Page columns:** Host, Method, URI, Hits, Last Seen, Response Content (type/length summaries).

Use this view to spot shadow APIs, unintended exposures, or endpoints that should be hidden behind authentication.

***

## A typical configuration order for a new domain

1. Confirm **DDoS** and **Bot** are toggled on (account-wide, you usually only do this once).
2. Open **Advanced**, click **Edit** on the row for the new domain, and enable the relevant feature toggles. Start with *Url Protection* and *Parameter Protection* on; add *Data Theft Protection*, *Cookie Security*, and *Rate Limit* as needed for the workload.
3. If different paths on the domain need different origins, configure **Custom Routing Rules**.
4. Watch **API Discovery** for a few days to see what endpoints get discovered.
5. Add **Policy Exceptions** only when a real positive is being incorrectly blocked.
6. Pair the protection with the per-domain **Firewall Mode** toggle on **Manage Domains** — start in *Detect Mode* to observe what would be blocked, then flip to *Prevent Mode*.

## Related

* [What is Web Application Protection](/overview/what-is-web-app-protection) — the underlying protection model and request flow.
* [Managing Websites & Subdomains](/how-to-guides/asset-management/managing-websites) — register the domains these policies target. Includes the Firewall Mode toggle.
