Yandex Smart Web Security


Rules

Written by
Yandex Cloud
Updated at April 3, 2026
  • Basic rules
  • Smart Protection rules
  • Web Application Firewall rules
  • Advanced Rate Limiter rules
  • Rule actions
  • General principles of the rules
    • Security profile
    • ARL profile

Using rules, you can define conditions for selecting HTTP requests, specify actions for requests that match these conditions, and prioritize rules.

The rule priority is set as a numeric parameter from 1 to 1000000.

Note

The smaller the value, the higher the rule priority. The priorities for preconfigured rules are as follows:

  • Basic default rule: 1000000.
  • Smart Protection rule providing full protection: 999900.

You can also log information about the traffic matching your conditions, without applying any action to it.

Yandex Smart Web Security provides the following rule types:

  • Basic
  • Smart Protection
  • Web Application Firewall
  • Advanced Rate Limiter

You can learn more in Managing rules.

Basic rules

A basic rule allows, denies, or directs traffic to Yandex SmartCaptcha based on specified conditions. It is used for simple traffic filtering on specific request parameters.

Each security profile includes a basic default rule with the lowest priority (1000000) that allows or denies all traffic.

Note

If the default basic rule has the Deny action and other rules send requests to SmartCaptcha for verification, add a basic rule that allows the CAPTCHA verification requests themselves: their request address matches the regular expression /tmgrdfrend.*. Give this rule a higher priority (a smaller number) than the rules that issue a CAPTCHA challenge; otherwise the verification request is itself denied by the default rule and the user cannot pass the CAPTCHA.

Smart Protection rules

A Smart Protection rule sends traffic that matches its conditions for automatic analysis by machine learning and behavioral analysis algorithms. Depending on the selected action, suspicious requests are sent to SmartCaptcha for additional verification or get blocked.

Web Application Firewall rules

Web Application Firewall rules engage a WAF profile to analyze traffic against the WAF basic rule sets. Depending on the selected action, suspicious requests are sent to SmartCaptcha for additional verification or get blocked.

You can use the following SmartCaptcha options to verify requests matched by Smart Protection and Web Application Firewall rules:

  • Default: Managed by Yandex Cloud. This CAPTCHA has the following settings:

    • Main challenge: Checkbox.
    • Additional challenge: Silhouettes.
    • Additional challenge difficulty: Easy.
    • Appearance: Standard.

    The Default CAPTCHA usage fee is included in the cost of Smart Web Security.

  • Custom CAPTCHA: You can customize CAPTCHA's difficulty, types of main and additional challenges, and appearance.

    Note

    To use a custom CAPTCHA, select Disable domain verification in its settings.

    The custom CAPTCHA usage fee is charged according to the SmartCaptcha pricing policy.

Advanced Rate Limiter rules

An Advanced Rate Limiter rule counts the requests received over a certain period of time. Requests are counted only after they have been allowed by the Smart Protection and Web Application Firewall rules, and ARL rules have their own priority scale, independent of the other rules.

ARL rules allow you to set limits on either all traffic or its particular segments.

Unlike Smart Protection and WAF rules, ARL rules are configured in an ARL profile.

Rule actions

Actions for basic rules:

  • Deny traffic whose parameters match the conditions.
  • Allow traffic whose parameters match the conditions.

Actions for Smart Protection and Web Application Firewall rules:

  • Full Protection: Traffic is checked by ML models and behavioral analysis algorithms. Suspicious requests are redirected to SmartCaptcha.

    Warning

    To ensure your application works correctly, apply API protection to HTTP requests with dynamic content loading.

  • API protection: Use it for endpoints that:

    • Belong to mobile apps.
    • Receive automated calls.
    • Process requests with dynamic content loading, such as ajax, xhr, iframe, etc.

    Traffic is checked by ML models and behavioral analysis algorithms, but requests are not sent to SmartCaptcha, so legitimate API clients that cannot solve a CAPTCHA can still reach the protected resource. Special DDoS protection policies block only overt attack attempts. A request that full protection mode would have redirected to a CAPTCHA challenge may be let through to the protected resource in API protection mode.

Actions for Advanced Rate Limiter rules:

  • Block requests in excess of the limit: Requests above the specified limit within a period are blocked until that limit period expires. The client receives HTTP error 429.

  • Temporarily block all requests: Once the limit for a period is exceeded, requests are blocked for a fixed period of time rather than until the end of the limit period. The client receives HTTP error 429. The block period can be set from 1 second to 24 hours.

  • Send requests in excess of the limit to captcha: Requests above the specified limit within a period are sent to SmartCaptcha.

    You configure the CAPTCHA in the security profile to which the ARL profile is connected. This separates legitimate users from bots without fully blocking requests, so the application remains available.

    Warning

    Do not use CAPTCHA for HTTP requests with dynamic content loading (ajax, xhr, iframe) and requests to mobile applications.

To standardize client response pages for triggered rules, you can create your own response templates.

Requests that are allowed by all rules and passed through to the protected resource are called legitimate.

General principles of the rules

  • All rules of a profile are evaluated simultaneously, so a single request may match several rules. The request's final action is determined by the highest-priority matching rule, that is, the one with the smallest priority number.

  • Assign higher priority (a smaller number) to:

    • Rules that allow requests.
    • Rules that filter on specific parameters.

    Otherwise, a general rule with broader conditions may be applied to the request instead.

  • If you use a WAF rule for a traffic slice, a separate Smart Protection rule against DDoS attacks is not required for that same slice: this protection is already included in the WAF rule. This is why WAF rules have full protection and API protection modes.

  • In API protection mode, requests are not sent to SmartCaptcha. Use this mode for automated traffic, mobile applications, and requests with dynamic content loading, e.g., ajax, xhr, and iframe.

  • ARL profile rules apply after the security profile and may block requests that the security profile allowed. Therefore, if you have allow rules in the security profile, duplicate them in the ARL profile.

  • In Logging only mode, a rule does not affect traffic handling; the next matching rule with lower priority that is in regular operation mode applies instead.

Security profile

Security profile rules apply to all traffic according to the priority: the lower the number, the higher the priority. The sequence in which the rules will apply is provided in the table below.

Priority   Rule name        Action            Rule description
8000       allow-captcha    Allow             Basic rule for CAPTCHA verification requests
9000       allow-by-list    Allow             Basic rule for the IP allowlist
9100       block-by-list    Deny              Basic rule for the IP blocklist
9200       block-by-geo     Deny              Basic rule by region
900000     api-protection   API protection    Smart Protection for the public API
999900     sp-rule-1        Full protection   Smart Protection from a ready-made template
1000000    (default rule)   Allow             Basic default rule

The basic default rule has the Allow action, while the other rules are in Logging only (dry run) mode. When you switch the rules to regular operation mode, set the Deny action for the basic default rule.
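The priority, allow-before-deny and Logging only semantics described above, and the CAPTCHA allow rule from the Basic rules note, as an added example in Python. It is not part of this documentation or of Yandex Cloud's code: it models the security profile from the table with the default rule already switched to Deny. The CAPTCHA path regex /tmgrdfrend.* is the one given in this article; the IP ranges, the region code XX and the request paths are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed model of how a security profile picks one action per request.
# Not Yandex Cloud code. Priority is an integer 1..1000000; the lowest number wins.

@dataclass(frozen=True)
class Request:
    path: str
    src_ip: str
    country: str

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    action: str                       # ALLOW, DENY, FULL_PROTECTION, API_PROTECTION
    match: Callable[[Request], bool]
    logging_only: bool = False        # Logging only (dry run): observed, never applied

def path_regex(pattern: str) -> Callable[[Request], bool]:
    rx = re.compile(pattern)
    return lambda r: rx.match(r.path) is not None

def ip_in(cidrs: List[str]) -> Callable[[Request], bool]:
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.src_ip) in n for n in nets)

def geo_in(countries: set) -> Callable[[Request], bool]:
    return lambda r: r.country in countries

def match_all(_: Request) -> bool:
    return True

def evaluate(profile: List[Rule], req: Request) -> Tuple[str, str, List[str]]:
    """Every rule is checked; the matching rule with the lowest priority number
    decides. Logging-only rules are recorded and skipped, so the next matching
    rule in regular mode applies instead. Returns (rule name, action, logged names)."""
    hits = sorted((r for r in profile if r.match(req)), key=lambda r: r.priority)
    logged = [r.name for r in hits if r.logging_only]
    for r in hits:
        if not r.logging_only:
            return r.name, r.action, logged
    raise RuntimeError("no applicable rule: the default rule must always match")

# Same layout as the security-profile table, default rule set to Deny for regular
# operation. CIDRs, the geo code XX and the dry-run geo rule are constructed.
PROFILE = [
    Rule("allow-captcha", 8000, "ALLOW", path_regex(r"/tmgrdfrend.*")),
    Rule("allow-by-list", 9000, "ALLOW", ip_in(["203.0.113.0/24"])),
    Rule("block-by-list", 9100, "DENY", ip_in(["203.0.113.0/28", "198.51.100.7/32"])),
    Rule("block-by-geo", 9200, "DENY", geo_in({"XX"}), logging_only=True),
    Rule("api-protection", 900000, "API_PROTECTION", path_regex(r"/api/.*")),
    Rule("sp-rule-1", 999900, "FULL_PROTECTION", match_all),
    Rule("default", 1000000, "DENY", match_all),
]

def reprioritize(profile: List[Rule], name: str, new_priority: int) -> List[Rule]:
    """Copy of the profile with one rule moved; used to show what happens when a
    deny rule is given a higher priority than an overlapping allow rule."""
    return [Rule(r.name, new_priority if r.name == name else r.priority,
                 r.action, r.match, r.logging_only) for r in profile]

def decide(path: str, src_ip: str, country: str = "US") -> Tuple[str, str, List[str]]:
    return evaluate(PROFILE, Request(path, src_ip, country))

if __name__ == "__main__":
    for args in [("/tmgrdfrend/check", "192.0.2.10"), ("/api/v1/items", "192.0.2.10"),
                 ("/", "203.0.113.5"), ("/", "198.51.100.7"), ("/", "192.0.2.10", "XX")]:
        print(args, "->", decide(*args))
    print("block-by-list moved to 8900 ->",
          evaluate(reprioritize(PROFILE, "block-by-list", 8900), Request("/", "203.0.113.5", "US")))
```

The client 203.0.113.5 sits in both the allowlist and the blocklist; with the table's priorities the allow rule (9000) wins, and moving the deny rule to 8900 flips the verdict, which is the reason the general principles say to give allow rules the smaller number. A request from region XX matches the dry-run geo rule, which is only logged, so the next rule in regular mode (sp-rule-1) applies.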

ARL profile

ARL profile rules are applied to traffic that has already been validated by security profile rules. The ARL profile has its own priority system, independent of how the security profile rules are prioritized. The lower the number, the higher the ARL rule priority. The sequence in which the rules will apply is provided in the table below.

Priority   Rule name    Action                                        Rule description
1000       arl-rule-1   Block requests in excess of the limit         Limits general load on the resource
2000       arl-rule-2   Temporarily block all requests                Protects against bots, parsers, brute-force attacks, spam
3000       arl-rule-3   Send requests in excess of limit to captcha   Limits requests to the API

You can configure ARL rules with any priority values. In Logging only mode, ARL rules do not block requests but log over-limit events.
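The three ARL actions and the Logging only mode described under Rule actions and in this section, as an added example in Python that is not part of this documentation or of Yandex Cloud's code. The model assumes a fixed counting window aligned to multiples of the period, a profile of three rules laid out like the table above (the limits, paths and the 30-second block period are constructed), and that when several ARL rules match a request, every matching rule counts it and the highest-priority rule that does not pass decides; none of these details are stated in this article.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed model of Advanced Rate Limiter actions; not Yandex Cloud code.
# Model assumptions: fixed counting windows aligned to multiples of the period, and
# when several ARL rules match, every matching rule counts the request and the
# highest-priority (lowest number) rule that does not pass decides.

BLOCK_EXCESS = "block_excess"      # over-limit requests get 429 until the window ends
TEMP_BLOCK_ALL = "temp_block_all"  # once over the limit, all requests get 429 for block_seconds
CAPTCHA_EXCESS = "captcha_excess"  # over-limit requests are sent to SmartCaptcha instead

@dataclass
class ArlRule:
    name: str
    priority: int
    action: str
    limit: int                     # requests allowed per period
    period_seconds: int
    segment: Callable[[str], bool] = lambda path: True  # traffic slice; default is all traffic
    block_seconds: int = 0         # TEMP_BLOCK_ALL only: 1 second .. 24 hours
    logging_only: bool = False     # log over-limit events but never block
    window_id: int = -1
    count: int = 0
    blocked_until: float = 0.0
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.action == TEMP_BLOCK_ALL and not 1 <= self.block_seconds <= 24 * 3600:
            raise ValueError("block period must be between 1 second and 24 hours")

    def verdict(self, now: float) -> str:
        """Count one request at time `now`; return PASS, 429 or CAPTCHA."""
        if self.action == TEMP_BLOCK_ALL and now < self.blocked_until:
            return self._apply("429", now, "temporary block still active")
        window = int(now // self.period_seconds)
        if window != self.window_id:           # the limit period expired: count afresh
            self.window_id, self.count = window, 0
        self.count += 1
        if self.count <= self.limit:
            return "PASS"
        if self.action == TEMP_BLOCK_ALL:
            self.blocked_until = now + self.block_seconds
            return self._apply("429", now, f"over limit, blocking all requests for {self.block_seconds}s")
        if self.action == CAPTCHA_EXCESS:
            return self._apply("CAPTCHA", now, "over limit, challenge with SmartCaptcha")
        return self._apply("429", now, "over limit until window ends")

    def _apply(self, result: str, now: float, why: str) -> str:
        self.events.append(f"t={now:g} {self.name}: {why}")   # over-limit event is always logged
        return "PASS" if self.logging_only else result          # ...but only enforced in regular mode


def arl_check(profile: List[ArlRule], path: str, now: float) -> Tuple[str, Optional[str]]:
    """Apply the ARL profile to one request; returns (result, name of the deciding rule)."""
    decision, decided_by = "PASS", None
    for rule in sorted(profile, key=lambda r: r.priority):
        if not rule.segment(path):
            continue
        result = rule.verdict(now)
        if result != "PASS" and decision == "PASS":
            decision, decided_by = result, rule.name
    return decision, decided_by


def make_profile(rule1_logging_only: bool = False) -> List[ArlRule]:
    # Same layout as the ARL profile table; limits, paths and durations are constructed.
    return [
        ArlRule("arl-rule-1", 1000, BLOCK_EXCESS, limit=6, period_seconds=10,
                logging_only=rule1_logging_only),
        ArlRule("arl-rule-2", 2000, TEMP_BLOCK_ALL, limit=3, period_seconds=10,
                segment=lambda p: p == "/login", block_seconds=30),
        ArlRule("arl-rule-3", 3000, CAPTCHA_EXCESS, limit=2, period_seconds=10,
                segment=lambda p: p.startswith("/search")),
    ]

# Constructed request stream: (seconds since start, path).
SCENARIO = [(0, "/login"), (1, "/login"), (2, "/login"), (3, "/login"),
            (4, "/search"), (5, "/search"), (6, "/search"),
            (12, "/search"), (13, "/search"), (14, "/search"),
            (15, "/login"), (34, "/login")]

def run_scenario(rule1_logging_only: bool = False):
    """Replay SCENARIO; returns the per-request verdicts and arl-rule-1's event log."""
    profile = make_profile(rule1_logging_only)
    results = [arl_check(profile, path, t) for t, path in SCENARIO]
    return results, profile[0].events

if __name__ == "__main__":
    for (t, path), (result, by) in zip(SCENARIO, run_scenario()[0]):
        print(f"t={t:>2} {path:8} -> {result:7} {by or ''}")
```

The fourth /login request trips arl-rule-2, and the /login request at t=15 is still rejected even though a new counting window has started, which is the difference between a temporary block and blocking until the limit period expires. At t=6 both arl-rule-1 and arl-rule-3 are over their limits and the higher-priority 429 wins; running the same stream with arl-rule-1 in Logging only mode (run_scenario(True)) records the same over-limit event but lets the CAPTCHA action of arl-rule-3 decide.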

© 2026 Direct Cursus Technology L.L.C.