Website Rules

About website rules

This page describes the Website Rules tab inside each policy. For details on policies, see Policies. The Website Rules tab enables you to define rules for specific domains and categories. This helps to prevent the loss of data [DLP] and enables you to implement URL filtering.

To open the Website Rules tab:

  1. In the Advanced Browser Security Console, select Policies.

  2. Open the required policy, and then click the Website Rules tab.

About website access

When the ABS extension is active, access to websites is determined by detection settings and website rules:

Detection settings

Affect detection only

Determine whether [and how] to apply the Perception Point X‑Ray malicious detection mechanisms when a user tries to access a website. These detection mechanisms may prevent access to specified sites - depending on the detected maliciousness of the site. For example, the Warn website detection mode warns users before they access potentially malicious sites, but doesn't prevent access. In contrast, the Block website detection mode prevents users from accessing potentially malicious sites.

Important: Block pages and warning pages that appear due to suspected malicious behavior [based on Detection settings] have a red background.

For details on detection settings, see Detection Settings.

  • Use the URL allow list in Perception Point X‑Ray to allow access to a specific website and "override" the standard detection mechanisms. For details, see Configuring the "URL allowlist".

  • Use the URL block list in Perception Point X‑Ray to block access to a specific website and "override" the standard detection mechanisms. For details, see Configuring the "URL blocklist".

Website rules

Based on the organization policy, including browser governance and DLP

Determine whether a user can access a website, based on the policy that is set by the organization. For example, you can create a website rule that will prevent users from accessing websites that are categorized as "Adult Content".

Important: Block pages and warning pages that appear due to policy restrictions [Website rules] have a gray background.

Detection settings vs Website rules

Scenario 1

  • The setup: You create a Website rule that allows access to a specific website, and in Detection Settings, the website detection is set to block malicious sites [that is, the Block website detection mode is selected].

    The user knows that the website is safe.

  • The action: A user tries to access the specific website.

  • The result: The ABS extension determines that the specific website is malicious, and the user isn't able to access the website - even though the website rule is configured to allow access.

  • The workaround: To bypass the detection mechanisms and allow access to the specific website [despite the malicious detection], you'll need to add the website to the URL allow list in Perception Point X‑Ray.

Scenario 2

  • The setup: A website is included in the "URL allow list" in Perception Point X‑Ray, and as a blocked website in the Website Rules tab.

  • The action: A user tries to access the website.

  • The result: The user is blocked from accessing the website.

Website rule options

You can include the options below inside each website rule.

Note: Some of the options below may not be available for category-based and group-based rules.

Access to domain/category/group

  • Allow: Allows access to the specified domain, to websites in the specified category, or to domains in the specified destination group.

  • Warn: Displays a warning message when a user tries to access the specified domain, a website in the specified category, or a domain in the specified destination group.

    The user can choose to either adhere to the warning [and not proceed to the website], or to dismiss the warning and then access the website.

  • Block: Prevents access to the specified domain, to websites in the specified category, or to domains in the specified destination group.

For more information, see About website access above.

Attempts to access blocked or "warned" domains or categories are logged in the extension activity table. For details, see Extension Activity.

Note: Websites that are blocked due to this setting are not scanned for suspicious content. Consequently, no scan data is displayed in the Scans page in Perception Point X‑Ray.

Custom block/warn message

The specified custom message will appear when a user tries to access a domain [or a website in a category] that is blocked or that has been configured to trigger a warning message when access is attempted. A custom message can be useful for presenting specific warnings or corporate policy information related to a specific website (for example, a Generative AI website) or category.

If no text is specified, then the default message text will be displayed.

Note: The custom message control appears only if either the Block or the Warn option is selected for the Website access option above.

Paste-out

Prevents users from copying text from the specified domain, and then pasting the text into another website or into an application. For example, you can prevent users from copying text from the acme.com domain and then pasting the text into another website or into an application such as WordPad.

  • When a user copies text from a "blocked" domain, and then tries to paste the text into another website or application, the paste operation is blocked, and a user notification is displayed.

  • By default, when a user copies text from a "blocked" domain, and then tries to paste the text into another website or application, nothing is pasted. You can specify the text string that will be pasted.

  • This feature blocks the copying and pasting of text only - not graphics.

  • This feature blocks text that was copied using either Ctrl-C or selecting a copy option using the mouse.

  • Blocked paste-out attempts are not logged in the extension activity table. For details, see Extension Activity.

  • This feature does not affect taking screen-captures in the specified domain [or website in a specified category]. Advanced Browser Security is not able to block screen-captures [screenshots].

Printing

By default, printing is allowed from all domains. This setting lets you prevent [block] printing from the specified domain [or website in a specified category]. For example, you can prevent printing from acme.com.

  • If you try to print from a site from which printing is prevented, a blank page will be printed.

  • Blocked printing attempts are not logged in the extension activity table. For details, see Extension Activity.

Watermarks

Shows a watermark in the browser UI when visiting the specified domain [or website in a specified category]. The watermark will be visible in screen captures of the browser UI - thereby helping to deter information leakage. By default, each watermark consists of multiple instances of the user's email address.

Note: Watermarks will not be displayed if the website detection mode is set to Disabled. For details, see Website detection options.

File uploads

Prevents uploading files to the specified domain [or website in a specified category].

Note: When you configure a File upload action in a rule, you can enter a lone wildcard character [*] to define the domain. A lone wildcard character represents all domains.

Important: This lone wildcard character functionality is currently applied to File upload actions and the blur feature only - it is ignored by all other action types that are included in the rule.

  • By default, successful upload attempts are not logged in the extension activity table; blocked upload attempts are logged. You can configure successful upload attempts to be logged as well. For details, see Audit file uploads.

Blurring

Blurs all pages in the specified domain or category when these pages are not in focus. This helps to limit information leakage to nearby people who should not have access to information in these websites. This feature is also referred to as an "inactivity mask".

Note:

  • Blurring occurs only in those browsers that have the ABS browser extension installed.

  • As soon as a blurred website comes into focus, the blurring of the website is removed.

  • Websites won't be blurred if the website detection mode is set to Disabled. For details, see Website detection options.

  • Websites are not blurred in Safari browsers.

  • If the Blur column does not appear in the list of website rules, click the "Change columns" icon on the right of the website rules table, and then select the Blur check box.

Sensitive data detection

Warns end-users when they input sensitive data into specified websites.

Warnings about sensitive data input are logged in the extension activity table. For details, see Extension Activity.

For additional information about warning end-users when they input sensitive data into websites, see Detecting input of sensitive data into websites.

Note: You can configure detection of inputting sensitive data into websites only if this functionality has been enabled. For details, see Enabling detection of inputting sensitive data into websites.

Download blocklist

Prevents downloading of files with specified extensions - from the specified domain [or website in a specified category].

  • Specify the required extensions to block.

  • Attempts to download files that have blocked extensions are logged in the extension activity table. For details, see Extension Activity.

  • You can select the "Block all file extensions" check box to block all file extensions from being downloaded.

Limitation: The download blocklist is not functional when the file detection mode is set to Disabled. For details, see File detection mode.

File access mode override

Overrides the file download access mode that is specified in the Detection Settings tab - for the specified destination only. For details on the file download access mode, see Prevent access to downloaded files until the scan is complete.

Report events

  • When selected: Advanced Browser Security will send blocked or warned events that are triggered by this rule, to the following:

    • the Extension Activity page in the Advanced Browser Security console

    • the Events page in Perception Point X‑Ray

    • SIEM integrations

  • When not selected: Advanced Browser Security will not send blocked or warned events that are triggered by this rule to the three destinations listed above. This is typically done for privacy reasons, so that there is no record of users accessing sites in specified domains or website categories.

Note: In addition to the functionality described in the table above, various advanced features can be used to enhance DLP. Advanced features override any settings included in the table above. When available, the available advanced features are referenced in the table above.

Adding website rules

Note: Changes that you make to the settings in the Website Rules tab may take up to 30 minutes to take effect - after the changes are saved.

When you add a new rule, you specify if it will be a domain-based rule, a category-based rule, or a group-based rule:

  • Domain-based: The rule applies to a domain that you specify. The domain must be a valid URL domain, such as acme.com. To define a domain, you can include wildcard characters [*], such as *.xyz.com.

  • Category-based: The rule applies to a specified category, such as Adult, Drugs, or Generative AI. Advanced Browser Security uses a third-party tool to categorize all websites. When you create a category-based rule, you select the category, and then configure the options that will apply to that category.

    Note:

    • If a web-page is blocked by a category-based rule, all "allow" website rules [such as "printing", "uploading files" etc - see Website rule options above] will not be allowed.

    • Attempts to access URLs that are included in a blocked category are logged in the extension activity table. For details, see Extension Activity.

    • Websites that are blocked due to this website setting are not scanned for suspicious content. Consequently, no scan data is displayed in the Scans page in Perception Point X‑Ray.

  • Group-based: The rule applies to all the domains that are specified in the selected destination group. For details on destination groups, see Destination Groups [WIP].

Rule priority

A matching rule that is higher in the list of rules takes precedence over a matching rule that is lower down. For example, if rule #2 allows access to a specific website, and rule #5 prevents access to the same website [even using a category-based rule], access to the website will be allowed.

Tip: This functionality enables you to block access to a certain web category, but allow access to a specific website in that category. For example, you could allow access to a specific alcohol-related website [MyAlcohol.com - Rule #1], while preventing access to all other websites that are categorized as "Alcohol and Tobacco" websites [Rule #2].

Drag a rule up or down to change its precedence. Use the drag-and-drop controls on the left of the rules list to move a rule.
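
The following is an added example, not code from Advanced Browser Security: a small Python model for checking a planned rule order on paper. It combines the first-match priority described here with Scenario 1 and Scenario 2 under "Detection settings vs Website rules". The names Rule, first_match and decide are hypothetical, and the glob-style wildcard matching, the exact-host URL allow list, the "allow" default when no rule matches, and detection taking priority over a rule-based warning are assumptions. Group-based rules are left out.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:
    kind: str    # "domain" or "category"
    target: str  # domain pattern such as "*.xyz.com", or a category name
    action: str  # "allow", "warn" or "block"

def first_match(rules, host, categories):
    """Return the highest rule in the list that matches, or None."""
    host = host.lower()
    for rule in rules:  # list order is priority order
        if rule.kind == "domain" and fnmatchcase(host, rule.target.lower()):
            return rule
        if rule.kind == "category" and rule.target in categories:
            return rule
    return None

def decide(rules, host, categories, detected_malicious, url_allow_list,
           detection_mode="block"):
    """Return (outcome, page_colour, scanned) for one navigation."""
    rule = first_match(rules, host, categories)
    if rule and rule.action == "block":
        # Policy block: gray page, and the site is not scanned.
        return ("block", "gray", False)
    if detected_malicious and host.lower() not in url_allow_list:
        # Detection is overridden only by the URL allow list, never by
        # an "allow" website rule (Scenario 1): red page.
        if detection_mode in ("block", "warn"):
            return (detection_mode, "red", True)
    if rule and rule.action == "warn":
        return ("warn", "gray", True)
    return ("allow", None, True)

# Constructed sample rules mirroring the Tip above: Rule #1, then Rule #2.
TIP_RULES = [
    Rule("domain", "myalcohol.com", "allow"),
    Rule("category", "Alcohol and Tobacco", "block"),
]
ALCOHOL = {"Alcohol and Tobacco"}

if __name__ == "__main__":
    print(decide(TIP_RULES, "MyAlcohol.com", ALCOHOL, False, set()))
    print(decide(TIP_RULES, "other-bar.example", ALCOHOL, False, set()))
```

Reversing the two entries in TIP_RULES makes the category rule match first, so MyAlcohol.com is blocked as well.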

Adding domain-based website rules

To add a domain-based website rule:

  1. In the Advanced Browser Security console, click Policies, open a rule, and click the Website Rules tab.

  2. Click Add new rule, and then select Domain-based rule.

  3. In Destination, specify the domain to which the new rule will apply.

  4. Configure the available settings. See Website rule options above for information about each setting.

  5. Click Add rule. The new rule is added to the top of the rules list.

Adding category-based website rules

To add category-based website rules:

  1. In the Advanced Browser Security console, click Policies, open a rule, and click the Website Rules tab.

  2. Click Add new rule, and then select Category-based rule.

  3. Select the pre-defined categories that you want to include in the new rule. [You can select multiple categories.]

  4. Configure the available settings. See Website rule options above for information about each setting.

    Note: The following website rule options are not available for category-based rules:

    • Preventing paste-out

    • File access mode override

  5. Click Add rule. A new rule for each of the selected categories is added at the bottom of the rules list.

Adding group-based website rules

You can add a group-based rule only if you have at least one destination group already defined. For details on destination groups, see Destination Groups [WIP].

To add a group-based website rule:

  1. In the Advanced Browser Security console, click Policies, open a rule, and click the Website Rules tab.

  2. Click Add new rule, and then select Group-based rule.

  3. In Destination, select the destination group to which the new rule will apply.

  4. Configure the available settings. See Website rule options above for information about each setting.

  5. Click Add rule. The new rule is added to the top of the rules list.

Checking associated categories

You can check which categories are associated with specified URLs or domains. This is useful when you want to add a category to a website rule, but you are not sure what categories are associated with a specific domain.

To check which categories are associated with a specified URL or domain:

  1. In the Advanced Browser Security Console, select Policies.

  2. Open the required policy, and then click the Website Rules tab.

  3. Below the table, click "Check category". The Check URL or domain Category pane opens on the right-side.

    Note: If there are no rules defined, then select Add new rule > Check category.

  4. Specify a valid URL or domain, and then click Check. The associated categories will appear.