Security profiles
A security profile is the main Smart Web Security component. A security profile consists of a set of HTTP traffic processing rules. The rules contain filtering conditions and actions that apply to your web resource's incoming traffic. Security profiles also allow configuring a CAPTCHA.
Note
To enhance your security, we use HTTP request data to train our machine learning (ML) models. You can disable the use of this data in the management console.
You can create security profiles in different ways:
- From a preset template. A preset profile includes:
  - Basic default rule, enabled for all traffic.
  - Smart Protection rule enabled for all traffic with the Full protection action type.
- From scratch. This profile includes only the basic default rule enabled for all traffic.
You configure the security profile according to your threat model, i.e., a description of your service-specific potential risks, attack actors, and vulnerabilities. If you are setting up your protection without professional cybersecurity assistance, we recommend using the preconfigured profile template set up by Yandex Cloud experts. This will ensure the basic level of protection and help reduce the probability of configuration errors.
Connect a security profile to your resource to enable Smart Web Security protection.
You can connect a security profile to various types of resources:
- Virtual host or ingress controller to protect resources that use Yandex Application Load Balancer.
- API gateway (Yandex API Gateway) to protect the APIs of your applications.
- Domain to protect your website or web application hosted in Yandex Cloud, your internal infrastructure, or other platforms.
Request body analysis
In the security profile, you can enable request body inspection to improve the web application's performance and security. Limiting the maximum request body size prevents excessive resource consumption and mitigates the effects of DoS/DDoS attacks, where attackers submit large requests in order to exhaust the server's resources.
When you configure a security profile, you can select an action for when the maximum request body size is exceeded:
Do not analyze body
: Use it when a legitimate application frequently sends large requests.

Block request
: This is a universal and secure approach. Smart Web Security blocks any requests exceeding the 8 KB limit, reducing the risk of attacks. If a request is blocked, Smart Web Security returns a 403 error.
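The following is an added illustration of how the two actions above behave, not Yandex Cloud's own code: it models the 8 KB limit and the "Block request" / "Do not analyze body" outcomes, and shows the check a practitioner would expect, namely that the size is measured on the bytes actually received rather than on the client-supplied Content-Length header. The action names, the `Request` and `Decision` types, and the sample requests are assumptions made for this example.

```python
# Added example (not Yandex Cloud code): request body size limit with the two
# configurable actions. Action names "block" and "skip_analysis" are assumed.
from dataclasses import dataclass
from typing import Optional

BODY_LIMIT_BYTES = 8 * 1024  # the 8 KB limit described on the page


@dataclass
class Request:
    headers: dict   # lower-cased header names -> values
    body: bytes     # bytes actually received from the client


@dataclass
class Decision:
    status: Optional[int]  # HTTP status returned immediately, or None to continue
    analyze_body: bool     # whether the body is passed on to rule evaluation


def body_size_decision(req: Request, action: str) -> Decision:
    """Apply the action configured for 'maximum request body size exceeded'.

    The limit is checked against both the declared Content-Length and the
    number of bytes actually received, so an under-reported header does not
    let an oversized body through.
    """
    declared = req.headers.get("content-length")
    try:
        declared_size = int(declared) if declared is not None else 0
    except ValueError:
        declared_size = 0  # malformed header: rely on the actual body size
    oversized = len(req.body) > BODY_LIMIT_BYTES or declared_size > BODY_LIMIT_BYTES
    if not oversized:
        return Decision(status=None, analyze_body=True)
    if action == "block":
        # "Block request": reject with 403, body is never inspected
        return Decision(status=403, analyze_body=False)
    if action == "skip_analysis":
        # "Do not analyze body": let the request through without body inspection
        return Decision(status=None, analyze_body=False)
    raise ValueError(f"unknown action: {action}")


if __name__ == "__main__":
    big = Request({"content-length": "9000"}, b"A" * 9000)  # constructed sample
    print(body_size_decision(big, "block"))
```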
Profiles and rules diagram
The diagram below illustrates the relationship between Smart Web Security profiles and rules. A security profile is the main Smart Web Security component you can use to set up basic rules and Smart Protection. You can additionally connect a WAF profile (through a WAF rule), an ARL profile, and SmartCaptcha.