Create Security Rule Slider

Use the Create Security Rules slider to create content security policies and page security rules, and to insert JavaScript into your site's code.

Option

Description

Name

Enter a descriptive name for each rule you create. For example, CSP for Checkout Pages.

Rule Type

Content Security Policy	Controls which third parties and other services can access your site's pages.
Page Security	Controls which third parties and other services can access form fields, cookies, and storage.
JavaScript Injection	Inserts JavaScript into your site in the yo.configure call.

The options change dynamically depending on what rule type you select. Use the drop-downs below to see the options for each rule type.

Content Security Policy

Option

Description

Report URL

The URL that the CSP report data will be sent to. The default URL is:
https://qoe-1.yottaa.net/_/csp-reports?siteKey=abcdefghij
where abcdefghij is your site key.

Implementation

Select an implementation type:

CSP Meta Tag	Prevents unwanted domains from accessing your site before the CSP kicks into action. This meta-tag loads in the <head> section of your html.
Service Worker	Implements the Service Worker for the site to handle the CSP requests.
CSP Header	Uses the CSP header to control the resources to load on the page. (Edge Acceleration only)

Access Control

Select an option:

Report Only	Service Blocker does not block any services, but sends reporting data.
Enforce	Applies the CSP rules to your site.

Enable Type

Select an option:

Manually add the call to execute configuration	Allows you to add a line of code to your site's source code to control when the CSP rule runs. When you select this option, the line of code appears for you to copy and paste
Immediately execute configuration upon loading	Executes the rule as soon as the Rapid JS script runs.

Content Directives

The default rule is default-src ‘self’. You can add additional directives by selecting an option from the Add Directive drop-down menu below. Click Show Inventory to select which services are allowed access to your site. Click the arrow next to each service to select its subdomains.

CSP version support depends on the end-users browser type.

Page Security

Option

Description

Security Option

Select an option:

Cookies	Prevent services from accessing your site's cookies.
Local Storage and Session Storage	Prevent services from accessing your site's storage.
HTML Form Events and Properties	Prevent code from accessing events and properties of forms on your site's pages.
User Input Field Events and Properties	Block code from getting user inputted or server set values of form fields.
Secure UI (Form and Input Fields)	Prevents scraping from form and input fields.
Secure Page (Cookies, Storage, Forms and Inputs)	Prevents scraping from cookies, storage, form fields, and input fields.

Access Control Strategy

Allow Third Parties and Domains	Select the third parties and domains that you want to allow.
Block Third Parties and Domains	Select the third parties and domains that you want to block.

Access Control

Report Only	This option does not block third parties and domains, but sends a report about the number of times the third parties and domains you selected attempt to access the page element.
Enforce	This option sets Service Blocker to allow or block the third parties you selected.

Enable Type

Manually add the call to execute configuration	Allows you to add a line of code to your site's source code to control when the rule runs. When you select this option, the line of code appears for you to copy and paste.
Immediately execute configuration upon loading	Executes the rule as soon as the Rapid JS script runs.
Windows Onload	Enables the rule once the web page has become interactive

JavaScript Injection

Option	Description
JavaScript	Enter the JavaScript in the box.

Additional Options

These options are available for all rule types.

Option

Description

Apply to

All Page Views

Applies the rule every time a customer loads a page on your site

Specific Page Views

You can set the following options:

Page URL	Sets what URLs the rule applies to, based on whether any part of the URL contains or excludes certain strings.
User Agent A string generated by the browser that includes the type of browser and device that the customer used to access the page.	Sets what browser or device type the rule applies to.
Geo	Sets what geographic locations the rule applies to.
Header Name Existence	Sets what page views the rule applies to based on whether the page contains or excludes a specific header.
Header Value	Sets what page views the rule applies to based on any header value. Type the header into the first box and the value into the second box.
Client IP	Sets the rule to apply only to specific IP addresses. You can use this property for testing. For example, you could set the rule to apply only for people in your company.
Client Property	This option allows you to set more granular parameters for the browser properties that the rule applies to.
Custom Data Property	Sets the rule to apply to certain data values on your site. For example, you could set the rule to apply to certain product prices.
Split Test	Applies the rule to a set percentage of traffic. Select the split test and the variations in the drop-down menus. For more information on creating split tests, see Split Tests.

Profiles

Sets which profiles to apply the rule to. You can create profiles in Settings > Context Intelligence.

Override States

Apply to Control Traffic	Applies the rule to the traffic that is normally left unoptimized.
Apply During Bypass Mode	Applies the rule even when your site status is set to bypass.

Notes (optional)

Use the Notes field to add important information for your team. For example, if you are creating a temporary rule for testing, you can indicate that in the notes.