> ## Documentation Index
> Fetch the complete documentation index at: https://docs.osto.one/llms.txt
> Use this file to discover all available pages before exploring further.

# Best Practices

> Recommendations to optimize your security posture and manage the platform efficiently.

Follow these recommendations to get the most out of Osto and keep your security posture strong.

## Websites & SSL

* **Keep certificates valid:** Use unexpired SSL certificates and renew them ahead of time. Osto can auto-generate and renew certificates for you, or you can upload your own.
* **Use a low DNS TTL during changes:** Set your DNS record's TTL to 600 seconds or lower before making changes so updates propagate quickly with minimal downtime.
* **Start in Detect, then move to Prevent:** Run a new website in **Detect Mode** first to observe traffic without blocking, then switch to **Prevent Mode** once you're confident legitimate traffic isn't affected.
* **Tune the Advanced policy:** Review the protections in your Website Protection **Advanced** policy (URL Protection, Parameter Protection, Data Theft Protection, Cookie Security, and rate/request limits) so coverage matches your application.

## Endpoint user policies

* **Principle of least privilege:** Put users in groups and grant the minimum access each role needs.
* **Review regularly:** Periodically revisit Device Control, App Control, Domain Filtering, and DLP policies so they stay aligned with current needs.
* **Update as roles change:** Revise policies when roles change or new apps are introduced to avoid stale or overly permissive rules.

## Secure server access

* **Allow Osto connectivity:** Make sure server firewalls permit the connections Osto needs for seamless access.
* **Enable MFA:** Keep multi-factor authentication on for secure-server access.
* **Review session logs:** Check **Logs → Secure Server Logs** for unauthorized or anomalous access.

## Threat protection

* **Set realistic rate limits:** Configure strict-but-realistic rate limiting on sites and APIs to blunt brute-force and volumetric attacks.
* **Keep bot & DDoS mitigation on:** Leave Bot Mitigation and DDoS Protection enabled and review them as attack patterns evolve.
* **Watch for anomalies:** Use the dashboard and **Logs** to monitor unusual activity and act before it escalates.

## Scan and secure proactively

* **Scan before you ship:** Run the **Web Scanner** on your sites and the **App Scanner** on mobile builds, and connect a Git provider to **SAST** (Code Security) to catch vulnerabilities, dependency issues, and secrets early.
* **Connect your cloud:** Add your AWS, Azure, or GCP accounts under **Cloud Security** for continuous posture findings.
* **Stay audit-ready:** Use **Compliance → AutoComply** to generate policies, track controls, and assign security awareness training.

<Note>
  See the [How-to Guides](/how-to-guides/asset-management/index) for step-by-step walkthroughs of each area referenced above.
</Note>
