The Web Application Protection Policy enables you to monitor and block threats for a pre-defined set of threat types. This policy helps your security teams protect your application ecosystem from web app and API attacks such as cross-site scripting (XSS), SQL injection, and PHP attacks.

Web Application Protection Policy
What will you learn in this topic?
By the end of this topic, you will understand:
The key features of the Web Application Protection Policy tab.
The levels at which you can manage policies.
The way to reset all modifications to the default setting.
Key Features
The following are the features of the Web Application Protection Policy tab:
Features | Description
---|---
Policy Enablement Status | Shows whether the Web Application Protection policies are enabled or not. Upon enabling, Traceable protects your application from the threat types visible in the tab. For more information, see Policy Management.
Profile | Shows the pre-defined set of actions that are applicable across environments. For more information, see Profiles and Overrides in WAP Policies.
Threat Type/Threat Rule List | Shows the pre-defined Web Application Protection rules, categorized by Threat Type by default, such as Local File Inclusion.
Aggressive Rules | Highly sensitive rules that protect your application against multiple attacks but may cause false positives. Such rules usually require fine-tuning through exclusion rules. Traceable shows the Aggressive label next to such Threat Rules.
Rule Information | Shows the following details for each rule:
Severity Levels | Shows the severity assigned to a rule, indicating the impact of the threat it detects.
Actions | Shows the action that Traceable should take when the rule detects a threat. You can configure the following actions for a rule: Monitor, Block, or Disable. While you configure the action per threat rule, each Threat Type row shows the count of threat rules grouped by their configured action. For more information, see Policy Management.
Threat Enablement Status | Shows the current status of a Threat Type: Enabled or Disabled.
Filtering and Grouping | You can filter and/or group rules using the Filter icon and the Group by drop-down.
Policy Management
Policy management in Traceable follows a hierarchical structure: you can enable or disable policies for a whole environment or at a more granular level. You can manage the components within the Web Application Protection policy tab at the following levels:

Web Application Protection Policy Management
Environment Level — You can select the environment from the page’s top right corner and enable or disable the policy from the Status drop-down at the top of the tab. This enables or disables all the threat types collectively on the selected environment. Additionally, you can update the profile you wish to apply across environments.
Note
Aggressive rules are disabled by default.
Threat Type Level — You can use the Toggle next to the Threat Type to enable or disable the threat rules under it. This enables or disables all the threat rules under it.
Threat Rule Level — You can use the Action drop-down next to a Threat Rule to enable (Monitor or Block) or disable (Disable) it.
Enabling the WAP policy at the environment level enables all threat types, and selecting a profile applies that profile's pre-defined configurations. However, you can also enable or disable individual threat types and rules, and update profiles, according to your requirements. Similarly, once a threat type is enabled, you can manage the rules under it independently.
Note
Any change at either of the above levels in All or specific environments is called an override. For more information, see Profiles and Overrides in WAP Policies.
Reset to Default
You can also reset all configurations to the default setting by clicking the Ellipsis icon next to the Group by drop-down and then clicking Reset to default. Upon resetting, Traceable updates the status of policies based on the standard profile you selected above; the overrides made at the environment, threat type, and threat rule levels are discarded.
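The following Python model is an added example illustrating the precedence described in the Policy Management and Reset to Default sections above; it is not Traceable's code or API. It assumes a hypothetical profile that maps each threat type to a default action, treats aggressive rules as disabled unless a rule-level override says otherwise, lets an environment-level disable or a threat-type toggle win over rule-level settings, and implements Reset to default as dropping every override while keeping the selected profile. Rule IDs, threat types and the profile contents are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable

# Actions a rule can carry: Monitor and Block mean "enabled", Disable means "disabled".
MONITOR, BLOCK, DISABLE = "Monitor", "Block", "Disable"
ACTIONS = (MONITOR, BLOCK, DISABLE)


@dataclass(frozen=True)
class ThreatRule:
    rule_id: str
    threat_type: str            # e.g. "Local File Inclusion"
    severity: str
    aggressive: bool = False    # aggressive rules are disabled by default


@dataclass(frozen=True)
class Profile:
    """Hypothetical profile: the default action per threat type (assumption, not Traceable's schema)."""
    name: str
    defaults: Dict[str, str]


@dataclass
class EnvironmentPolicy:
    """Policy state for one environment: a profile plus the overrides layered on top of it."""
    profile: Profile
    enabled: bool = True
    threat_type_overrides: Dict[str, bool] = field(default_factory=dict)   # threat type -> enabled?
    rule_overrides: Dict[str, str] = field(default_factory=dict)           # rule_id -> action

    # Environment level: the Status drop-down at the top of the tab.
    def set_enabled(self, enabled: bool) -> None:
        self.enabled = enabled

    # Threat type level: the toggle next to a Threat Type.
    def set_threat_type(self, threat_type: str, enabled: bool) -> None:
        self.threat_type_overrides[threat_type] = enabled

    # Threat rule level: the Action drop-down next to a Threat Rule.
    def set_rule_action(self, rule_id: str, action: str) -> None:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}; expected one of {ACTIONS}")
        self.rule_overrides[rule_id] = action

    def reset_to_default(self) -> None:
        """Reset to default: drop every override; the selected profile stays in place."""
        self.threat_type_overrides.clear()
        self.rule_overrides.clear()

    def effective_action(self, rule: ThreatRule) -> str:
        """Precedence: environment status > threat type toggle > rule override > aggressive default > profile."""
        if not self.enabled:
            return DISABLE
        if not self.threat_type_overrides.get(rule.threat_type, True):
            return DISABLE
        if rule.rule_id in self.rule_overrides:
            return self.rule_overrides[rule.rule_id]
        if rule.aggressive:
            return DISABLE
        return self.profile.defaults.get(rule.threat_type, MONITOR)

    def counts_by_action(self, rules: Iterable[ThreatRule], threat_type: str) -> Dict[str, int]:
        """The per-Threat-Type count of rules grouped by their configured action."""
        counts = {a: 0 for a in ACTIONS}
        for rule in rules:
            if rule.threat_type == threat_type:
                counts[self.effective_action(rule)] += 1
        return counts


# Constructed sample data (not a real Traceable rule set or profile).
SAMPLE_RULES = [
    ThreatRule("xss-001", "Cross-site Scripting", "High"),
    ThreatRule("xss-002", "Cross-site Scripting", "Medium", aggressive=True),
    ThreatRule("sqli-001", "SQL Injection", "Critical"),
    ThreatRule("lfi-001", "Local File Inclusion", "High"),
]
STANDARD_PROFILE = Profile("standard", {
    "Cross-site Scripting": BLOCK,
    "SQL Injection": BLOCK,
    "Local File Inclusion": MONITOR,
})


def demo() -> Dict[str, str]:
    """Apply one rule-level and one threat-type-level override, then resolve every rule."""
    policy = EnvironmentPolicy(STANDARD_PROFILE)
    policy.set_rule_action("xss-002", MONITOR)               # enable an aggressive rule in Monitor mode
    policy.set_threat_type("Local File Inclusion", False)    # toggle a whole threat type off
    return {r.rule_id: policy.effective_action(r) for r in SAMPLE_RULES}


if __name__ == "__main__":
    for rule_id, action in demo().items():
        print(rule_id, action)
```

The ordering inside `effective_action` is the point of the example: a disabled environment or threat type silences every rule beneath it regardless of rule-level overrides, an explicit rule override beats the aggressive-rules default, and only when nothing more specific applies does the profile's default action take effect. After `reset_to_default` the aggressive rule returns to Disable and the threat type toggle is forgotten, which is what a reviewer should expect to see in the per-action counts.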