Policies

Policies define the security rules you use to protect your application ecosystem from threats such as unauthorized access, SQL injection, and malicious traffic. You control how your application is protected by configuring the predefined and custom rules.

Policy Types

Traceable divides policies into three categories:

  • WAF (Web Application Firewall) Policies: Pre-defined rules that protect your application from web-based security threats, offering protection against OWASP Top 10 security breaches, SQL injection, Cross-site scripting (XSS), malicious traffic, etc. For more information, see WAF.

  • API Protection Policies: Pre-defined rules that protect your APIs from threats such as broken authorization, JWT anomalies, etc. These policies help identify API-specific vulnerabilities and attack patterns and enforce security controls accordingly. For more information, see API Protection.

  • Custom Policies: Rules you define yourself to protect your application against malicious sources, API abuse or overuse, data loss, etc. Custom policies are divided into the following categories:

      • Malicious Sources — Rules to protect your APIs from known malicious sources such as suspicious users, IPs with poor reputations, sanctioned countries, Tor, etc.

      • Custom Signatures — Rules based on patterns of your own that you want Traceable to use for blocking. This feature is useful if you are migrating to Traceable from a legacy WAF and have existing custom rules you wish to keep using. The rules can be configured for detection and, optionally, blocking.

      • Rate Limiting — Rules that control the incoming traffic to an API by limiting the number of requests from a user within a given period. After the limit is reached, the rule blocks the violating users.

      • Data Loss Prevention — Rules that control access patterns for sensitive data on an API within a given period. Sensitive data access is tracked based on the criteria you define for the API endpoints. After the data access limit is reached, the rule rejects all further requests from that user, blocking attempts to exfiltrate sensitive data.

      • Enumeration — Rules that watch for specific data in request parameters or path parameters, or for sensitive data being enumerated, within a given period. By selecting the relevant APIs, you can use this rule to prevent credential stuffing attempts, gift card fraud, etc. After the limit is reached, the rule rejects all further requests, protecting the API from enumeration-based attacks.

    For more information, see Custom Policy.

How are the Policies Helpful?

Policies let you detect and block malicious actions and regulate API requests while enforcing proper authorization and validation. With automatic monitoring and blocking through the pre-defined policies, a threat actor is recognized immediately and is either monitored or blocked. If blocked, it has no window of opportunity to damage your system.

With custom policies, you can extend your application's API and WAF protection and mitigate threats while maintaining application performance and reducing manual intervention.