Security profiles
A security profile is the main component of Smart Web Security. A profile consists of rules, each defining the conditions under which a certain action is applied to HTTP requests that the protected resource receives via a virtual host of the Yandex Application Load Balancer L7 load balancer.
You can create a profile:
- From a preset template. A preset profile includes:
  - The basic default rule, enabled for all traffic.
  - A Smart Protection rule, enabled for all traffic, with the Full protection action type.
- From scratch. This profile includes only the basic default rule, enabled for all traffic.
To activate Smart Web Security, connect the security profile to the virtual host of the L7 load balancer that distributes traffic to the protected resources. If the load balancer is managed by the Application Load Balancer Ingress controller, connect the security profile using an Ingress resource annotation.
Analyzing request body
In a security profile, you can enable request body inspection to improve the web application's performance and security. Limiting the maximum request body size prevents excessive resource consumption and mitigates DoS/DDoS attacks in which attackers send large requests to exhaust the server's resources.
When you configure a security profile, you can select an action for when the maximum request body size is exceeded:
Do not analyze body
: Use this when a legitimate application frequently sends large requests.

Block request
: This is a universal and secure approach. Smart Web Security blocks any request exceeding the 8 KB limit, reducing the risk of attacks. If a request is blocked, Smart Web Security returns a 403 error.
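The following is an added model of the size check described above, not Smart Web Security code: the 8 KB limit and the 403 response come from this page, while the class names, the streaming read and the Content-Length fast path are this example's own assumptions. It shows why capping the body size keeps the check cheap (reading stops as soon as the limit is crossed) and that the two actions differ only in whether the body is inspected, not in whether it is read.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional

BODY_LIMIT = 8 * 1024  # the 8 KB limit named on the page


class OnLimitExceeded(Enum):
    """The two actions the profile offers when the body is too large."""
    DO_NOT_ANALYZE_BODY = "do_not_analyze_body"  # forward, but skip body inspection
    BLOCK_REQUEST = "block_request"              # reject with HTTP 403


@dataclass
class Decision:
    status: Optional[int]   # 403 when blocked, None when the request proceeds
    inspect_body: bool      # whether later rules get to inspect the body
    bytes_read: int         # how much body the check buffered before deciding


def check_body_size(body_chunks: Iterable[bytes], action: OnLimitExceeded,
                    content_length: Optional[int] = None,
                    limit: int = BODY_LIMIT) -> Decision:
    """Decide on a request whose body arrives as a stream of chunks.

    A declared Content-Length above the limit is decided without reading any
    body (assumed fast path, not stated on the page). Otherwise chunks are
    counted and reading stops as soon as the limit is crossed, so an oversized
    body is never buffered in full; that is what keeps the check cheap under
    a flood of large requests.
    """
    def over_limit(seen: int) -> Decision:
        if action is OnLimitExceeded.BLOCK_REQUEST:
            return Decision(status=403, inspect_body=False, bytes_read=seen)
        return Decision(status=None, inspect_body=False, bytes_read=seen)

    if content_length is not None and content_length > limit:
        return over_limit(0)
    buffered = 0
    for chunk in body_chunks:
        buffered += len(chunk)
        if buffered > limit:  # a body of exactly 8 KB is still within the limit
            return over_limit(buffered)
    return Decision(status=None, inspect_body=True, bytes_read=buffered)


def chunked(body: bytes, size: int = 1024) -> Iterable[bytes]:
    """Split a constructed body into fixed-size chunks, as a streaming reader sees them."""
    for i in range(0, len(body), size):
        yield body[i:i + size]
```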
Diagram of profiles and rules
The diagram below illustrates the relationship between Smart Web Security profiles and rules. A security profile is the main Smart Web Security component; you use it to set up basic rules and Smart Protection. You can additionally connect a WAF profile (through a WAF rule), an ARL profile, and SmartCaptcha.