Security policies protect your application by inspecting, filtering, and controlling traffic flowing through your Cloudmersive Reverse Proxy Server. You can add multiple security policies to a single reverse proxy server and each policy operates independently.
Overview
The following security policies are available:
Virus Scanning
- Virus Scan File Upload Request (multipart/form-data)
- Virus Scan File Upload Request (multipart/form-data) - Advanced Scan
- Virus Scan POST Raw Binary Data Request (raw POST body)
- Virus Scan POST Raw Binary Data Request (raw POST body) - Advanced Scan
- Virus Scan JSON Binary Data Request (application/json)
- Virus Scan JSON Binary Data Request (application/json) - Advanced Scan
- Virus Scan JSON Binary Data Response (application/json)
Content Inspection
- Spam Detection (multipart/form-data) - Advanced Scan
- Phishing Detection (multipart/form-data) - Advanced Scan
- Fraud Detection (multipart/form-data) - Advanced Scan
- NSFW Content Moderation (multipart/form-data) - Advanced Scan
- DLP PII Detection (multipart/form-data) - Advanced Scan
Web Application Firewall (WAF)
- WAF OWASP Core Ruleset
- Cross-Site Scripting (XSS) Protection for Request Parameters
- SQL Injection (SQLI) Protection for Request Parameters
- XML External Entity (XXE) Protection for XML Post Data
- Strict Request URL Validation
- Administration Path Protection
IP Address
- IP Address Blocklist
- IP Address Allowlist
- Block Known Bot Clients
- Block Known Threat Clients
- Block Known Tor Node Clients
Rate Limiting
- Rate Limit - Per Client IP
- Rate Limit - Global Concurrency Limit
- Rate Limit - Cloudmersive API Key Concurrency Limit
Request and Response Control
- Block HTTP Response Code
- Block HTTP Response Body Substring Match
- Block HTTP Request Method
- Block HTTP Request Path
- Block HTTP Request Body Substring Match
API Management
- Open API v2 (Swagger 2.0) Request Validation
Each policy is described in detail in the sections below, including its purpose and configuration parameters.
Common Configuration Parameters
Every security policy supports the following common configuration parameters:
- URL Match Regular Expression - A regex pattern that, when matched against the fully-qualified request URL, activates the policy. Leave blank to apply to all traffic (default).
- HTTP Response Code when Blocked - The HTTP status code returned to the client when a request is blocked. Default: 403.
- Virus Found HTML Page URL - URL of an HTML page displayed to users when a virus or threat is detected and the request is blocked.
- Error HTML Page URL - URL of an HTML page displayed to users when an error occurs during policy processing.
- Override Content-Type Matching - Override the default Content-Type matching behavior for this policy. You can specify a list of Content-Type header values (one per line) to restrict when this policy activates. Leave blank to match all applicable Content-Type headers.
Virus Scanning Policies
These policies scan incoming requests (and optionally responses) for viruses, malware, and other threats.
Virus Scan File Upload Request (multipart/form-data)
Scans files uploaded via multipart/form-data requests for viruses and malware. This is the standard scan suitable for traditional file upload forms.
Policy-Specific Parameters: None (uses common parameters only).
Virus Scan File Upload Request (multipart/form-data) - Advanced Scan
Performs an advanced virus scan on files uploaded via multipart/form-data requests with additional content inspection and file-type controls.
Policy-Specific Parameters:
- Restrict File Formats - Comma-separated list of allowed file extensions (e.g., .pdf,.docx,.png). Files that do not match are blocked. Leave blank to allow all file formats. Default: Disabled (all formats allowed).
- Allow Executable File Uploads - Allow or block executable files (e.g., .exe, .dll). Default: Block Executables.
- Allow Invalid File Uploads - Allow or block files that fail content verification (corrupted or mismatched file headers). Default: Block Invalid Files.
- Allow Script File Uploads - Allow or block script files (e.g., .js, .ps1, .bat). Default: Block Script Files.
- Allow Macro-Containing File Uploads - Allow or block files containing macros (e.g., macro-enabled Office documents). Default: Block Macro Files.
- Allow Password Protected File Uploads - Allow or block password-protected files that cannot be scanned. Default: Block Password Protected Files.
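The following is an added example, not Cloudmersive's own code, that models how the URL match, Restrict File Formats, executable, script and invalid-file controls above combine for one uploaded part. The signature table, the PE/ELF header check and the AdvancedScanPolicy class are assumptions made for illustration; macro and password-protection detection are omitted.

```python
import re
from dataclasses import dataclass

# Constructed table of file signatures (magic bytes) used to check that the
# content matches the declared extension. Illustrative, not the product's table.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")       # PE and ELF headers (assumed)
EXECUTABLE_EXTENSIONS = {".exe", ".dll"}     # examples from the page
SCRIPT_EXTENSIONS = {".js", ".ps1", ".bat"}  # examples from the page

@dataclass
class AdvancedScanPolicy:
    """Hypothetical model of the policy's parameters, using the page's defaults."""
    url_match_regex: str = ""          # blank = apply to all traffic
    restrict_file_formats: str = ""    # e.g. ".pdf,.docx,.png"; blank = all formats
    allow_executables: bool = False    # Default: Block Executables
    allow_invalid_files: bool = False  # Default: Block Invalid Files
    allow_scripts: bool = False        # Default: Block Script Files
    blocked_status: int = 403          # HTTP Response Code when Blocked

def _extension(filename: str) -> str:
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""

def evaluate_upload(policy: AdvancedScanPolicy, url: str, filename: str, content: bytes):
    """Return (verdict, reason) for one uploaded part; verdict is 'pass' or 'block'."""
    # URL Match Regular Expression: a non-matching URL leaves the policy inactive.
    if policy.url_match_regex and not re.search(policy.url_match_regex, url):
        return "pass", "policy not active for this URL"
    ext = _extension(filename)
    # Restrict File Formats: extension allowlist, evaluated before content checks.
    if policy.restrict_file_formats:
        allowed = {e.strip().lower() for e in policy.restrict_file_formats.split(",") if e.strip()}
        if ext not in allowed:
            return "block", "file format not allowed"
    # Executable check also looks at the bytes, so a renamed .exe is still caught.
    if not policy.allow_executables and (ext in EXECUTABLE_EXTENSIONS or content.startswith(EXECUTABLE_MAGIC)):
        return "block", "executable file"
    if not policy.allow_scripts and ext in SCRIPT_EXTENSIONS:
        return "block", "script file"
    # Invalid file: the declared type has a known signature the bytes do not carry.
    if not policy.allow_invalid_files and ext in MAGIC and not content.startswith(MAGIC[ext]):
        return "block", "content does not match declared file type"
    return "pass", "clean"

def http_status(policy: AdvancedScanPolicy, verdict: str) -> int:
    """Status the proxy would return: the configured block code, else pass-through."""
    return policy.blocked_status if verdict == "block" else 200
```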
Virus Scan POST Raw Binary Data Request (raw POST body)
Scans the raw binary POST body of a request for viruses and malware. Use this for APIs or endpoints that accept raw binary data in the request body rather than multipart form uploads.
Policy-Specific Parameters:
- Activate on HTTP Method(s) - Comma-separated list of HTTP methods on which to trigger the scan. Leave blank to scan all applicable methods. Default: All applicable methods.
Virus Scan POST Raw Binary Data Request (raw POST body) - Advanced Scan
Performs an advanced virus scan on the raw binary POST body with additional content inspection and file-type controls.
Policy-Specific Parameters:
- Activate on HTTP Method(s) - Comma-separated list of HTTP methods on which to trigger the scan. Default: All applicable methods.
- Restrict File Formats - Comma-separated list of allowed file extensions (e.g., .pdf,.docx,.png). Files that do not match are blocked. Leave blank to allow all file formats. Default: Disabled.
- Allow Executable File Uploads - Allow or block executable files. Default: Block Executables.
- Allow Invalid File Uploads - Allow or block files that fail content verification. Default: Block Invalid Files.
- Allow Script File Uploads - Allow or block script files. Default: Block Script Files.
- Allow Macro-Containing File Uploads - Allow or block files containing macros. Default: Block Macro Files.
- Allow Password Protected File Uploads - Allow or block password-protected files. Default: Block Password Protected Files.
Virus Scan JSON Binary Data Request (application/json)
Scans binary data embedded in JSON request bodies (e.g., Base64-encoded file fields) for viruses and malware.
Policy-Specific Parameters:
- JSON Path of Fields to Scan - A JSON path expression that selects which fields in the JSON body to scan for viruses. Leave blank to scan all binary fields. Default: All binary fields.
Virus Scan JSON Binary Data Request (application/json) - Advanced Scan
Performs an advanced virus scan on binary data embedded in JSON request bodies with additional content inspection and file-type controls.
Policy-Specific Parameters:
- JSON Path of Fields to Scan - A JSON path expression that selects which fields in the JSON body to scan. Leave blank to scan all binary fields. Default: All binary fields.
- Restrict File Formats - Comma-separated list of allowed file extensions. Default: Disabled.
- Allow Executable File Uploads - Allow or block executable files. Default: Block Executables.
- Allow Invalid File Uploads - Allow or block files that fail content verification. Default: Block Invalid Files.
- Allow Script File Uploads - Allow or block script files. Default: Block Script Files.
- Allow Macro-Containing File Uploads - Allow or block files containing macros. Default: Block Macro Files.
- Allow Password Protected File Uploads - Allow or block password-protected files. Default: Block Password Protected Files.
Virus Scan JSON Binary Data Response (application/json)
Scans binary data embedded in JSON response bodies from the backend server for viruses and malware before delivering the response to the client.
Policy-Specific Parameters:
- JSON Path of Fields to Scan - A JSON path expression that selects which fields in the JSON response body to scan. Leave blank to scan all binary fields. Default: All binary fields.
Content Inspection Policies
These policies inspect uploaded file content for spam, phishing, fraud, NSFW content, or sensitive data.
Spam Detection (multipart/form-data) - Advanced Scan
Scans document content uploaded via multipart/form-data for spam. Requests containing spam content are blocked.
Policy-Specific Parameters: None (uses common parameters only).
Phishing Detection (multipart/form-data) - Advanced Scan
Scans document content uploaded via multipart/form-data for phishing attempts. Requests containing phishing content are blocked.
Policy-Specific Parameters: None (uses common parameters only).
Fraud Detection (multipart/form-data) - Advanced Scan
Scans document content uploaded via multipart/form-data for fraudulent content. Requests containing fraudulent material are blocked.
Policy-Specific Parameters: None (uses common parameters only).
NSFW Content Moderation (multipart/form-data) - Advanced Scan
Scans image content uploaded via multipart/form-data for NSFW (Not Safe For Work) material. Requests containing NSFW content are blocked.
Policy-Specific Parameters: None (uses common parameters only).
DLP PII Detection (multipart/form-data) - Advanced Scan
Scans document content uploaded via multipart/form-data for Personally Identifiable Information (PII) and other sensitive data types. By default, all sensitive data types are blocked.
Policy-Specific Parameters:
Each data type can be individually set to Allow or Block (default: Block):
- Allow Email Addresses - Allow or block content containing email addresses.
- Allow Phone Numbers - Allow or block content containing phone numbers.
- Allow Street Addresses - Allow or block content containing street addresses.
- Allow Person Names - Allow or block content containing person names.
- Allow Birth Dates - Allow or block content containing birth dates.
- Allow Passport Numbers - Allow or block content containing passport numbers.
- Allow Driver's License Numbers - Allow or block content containing driver's license numbers.
- Allow Social Security Numbers - Allow or block content containing social security numbers (SSNs).
- Allow Taxpayer IDs - Allow or block content containing taxpayer identification numbers.
- Allow Credit Card Numbers - Allow or block content containing credit card numbers.
- Allow Credit Card Expiration Dates - Allow or block content containing credit card expiration dates.
- Allow Credit Card Verification Codes - Allow or block content containing credit card CVV/CVC codes.
- Allow Bank Account Numbers - Allow or block content containing bank account numbers.
- Allow IBAN Numbers - Allow or block content containing International Bank Account Numbers.
- Allow Health Insurance Numbers - Allow or block content containing health insurance numbers.
- Allow Bearer Tokens - Allow or block content containing bearer authentication tokens.
- Allow HTTP Cookies - Allow or block content containing HTTP cookies.
- Allow Private Keys - Allow or block content containing private cryptographic keys.
- Allow Credentials - Allow or block content containing credentials (usernames/passwords).
- Allow Deep Web URLs - Allow or block content containing deep/dark web URLs.
- Allow Source Code - Allow or block content containing source code.
- Allow IP Addresses - Allow or block content containing IP addresses.
- Allow MAC Addresses - Allow or block content containing MAC addresses.
Web Application Firewall (WAF) Policies
WAF OWASP Core Ruleset
Enables a comprehensive set of managed rules that protect against a broad range of web application attacks including SQL injection, cross-site scripting, remote code execution, and more.
Policy-Specific Parameters:
- Deactivate Managed Rules - A list of rule IDs to deactivate, one per line (e.g., 934110). Use this to suppress specific rules that cause false positives for your application. Default: None (all rules active).
Cross-Site Scripting (XSS) Protection for Request Parameters
Inspects GET and POST request parameters for cross-site scripting (XSS) attack payloads. Requests containing XSS payloads are blocked.
Policy-Specific Parameters: None (uses common parameters only).
SQL Injection (SQLI) Protection for Request Parameters
Inspects GET and POST request parameters for SQL injection (SQLI) attack payloads. Requests containing SQL injection payloads are blocked.
Policy-Specific Parameters: None (uses common parameters only).
XML External Entity (XXE) Protection for XML Post Data
Inspects XML POST data for XML External Entity (XXE) injection attacks. Requests containing XXE attack payloads are blocked.
Policy-Specific Parameters: None (uses common parameters only).
Strict Request URL Validation
Validates the request URL against a strict set of allowed characters and patterns. Requests with URLs that contain suspicious or malicious characters are blocked.
Policy-Specific Parameters: None (uses common parameters only).
Administration Path Protection
Blocks access to common administration paths (e.g., /admin, /wp-admin, /phpmyadmin). Requests targeting known administration paths are blocked.
Policy-Specific Parameters: None (uses common parameters only).
IP Address Policies
IP Address Blocklist
Blocks requests from specified IP addresses. All other IP addresses are allowed.
Policy-Specific Parameters:
- IP Addresses - List of IPv4 IP addresses to block, one per line.
IP Address Allowlist
Allows requests only from specified IP addresses and CIDR blocks. All other IP addresses are blocked.
Policy-Specific Parameters:
- IP Addresses - List of individual IPv4 IP addresses to allow, one per line.
- CIDR IP Blocks - List of IPv4 CIDR blocks to allow (e.g., 192.168.1.0/24), one per line.
- Allow Healthcheck Requests to Bypass Policy - When enabled, healthcheck requests are allowed regardless of source IP. Default: No.
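An added example (not Cloudmersive's code) showing the evaluation logic of the IP Address Blocklist and Allowlist policies as described above: one-per-line address lists, CIDR block matching, the healthcheck bypass, and independent evaluation of several policies. The class names, the `decide` helper and the use of the proxy's observed peer address as the client IP are assumptions.

```python
import ipaddress

def parse_ip_list(text: str) -> set:
    """Parse the one-per-line 'IP Addresses' box into IPv4 address objects.
    A non-IPv4 line raises ValueError, so a bad list fails at configuration time."""
    return {ipaddress.IPv4Address(line.strip()) for line in text.splitlines() if line.strip()}

def parse_cidr_list(text: str) -> list:
    """Parse the one-per-line 'CIDR IP Blocks' box (e.g. 192.168.1.0/24)."""
    return [ipaddress.IPv4Network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]

class IpAddressBlocklist:
    """Block listed addresses; every other address is allowed."""
    def __init__(self, ip_addresses: str, blocked_status: int = 403):
        self.blocked = parse_ip_list(ip_addresses)
        self.blocked_status = blocked_status

    def allows(self, client_ip: str, is_healthcheck: bool = False) -> bool:
        return ipaddress.IPv4Address(client_ip) not in self.blocked

class IpAddressAllowlist:
    """Allow only listed addresses and CIDR blocks; every other address is blocked."""
    def __init__(self, ip_addresses: str = "", cidr_blocks: str = "",
                 healthcheck_bypass: bool = False, blocked_status: int = 403):
        self.allowed = parse_ip_list(ip_addresses)
        self.networks = parse_cidr_list(cidr_blocks)
        self.healthcheck_bypass = healthcheck_bypass  # Default: No
        self.blocked_status = blocked_status

    def allows(self, client_ip: str, is_healthcheck: bool = False) -> bool:
        if is_healthcheck and self.healthcheck_bypass:
            return True
        ip = ipaddress.IPv4Address(client_ip)
        return ip in self.allowed or any(ip in net for net in self.networks)

def decide(client_ip: str, policies, is_healthcheck: bool = False) -> int:
    """Evaluate each policy independently; the first one that blocks sets the status.
    client_ip is the peer address the proxy observed, not a client-supplied header."""
    for policy in policies:
        if not policy.allows(client_ip, is_healthcheck):
            return policy.blocked_status
    return 200
```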
Block Known Bot Clients
Automatically blocks requests from IP addresses associated with known bots and automated clients using a continuously updated threat intelligence feed.
Policy-Specific Parameters: None (uses common parameters only).
Block Known Threat Clients
Automatically blocks requests from IP addresses associated with known threat actors, malicious hosts, and compromised systems using a continuously updated threat intelligence feed.
Policy-Specific Parameters: None (uses common parameters only).
Block Known Tor Node Clients
Blocks requests originating from known Tor exit nodes.
Policy-Specific Parameters: None (uses common parameters only).
Rate Limiting Policies
Rate Limit - Per Client IP
Limits the number of requests a single client IP address can make within a specified time window. Requests exceeding the limit are throttled.
Policy-Specific Parameters:
- Rate Limit - Maximum number of requests allowed per time unit.
- Rate Limit Time Unit - The time unit for the rate limit: per Second, per Minute, or per Hour. Default: per Second.
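An added example (not Cloudmersive's code) of a per-client-IP limiter driven by the two parameters above, Rate Limit and Rate Limit Time Unit, together with the common blocked status code. The sliding-window counting method and the class name are assumptions; the page does not state how the proxy counts requests.

```python
import time
from collections import defaultdict, deque

# Window length in seconds for each 'Rate Limit Time Unit' option on the page.
WINDOW_SECONDS = {"per Second": 1, "per Minute": 60, "per Hour": 3600}

class PerClientIpRateLimit:
    """Sliding-window limiter: at most `rate_limit` admitted requests per client IP
    within the trailing window. Each client IP keeps its own counter."""
    def __init__(self, rate_limit: int, time_unit: str = "per Second", blocked_status: int = 403):
        self.limit = rate_limit
        self.window = WINDOW_SECONDS[time_unit]   # KeyError for an unknown unit
        self.blocked_status = blocked_status
        self._hits = defaultdict(deque)           # client_ip -> timestamps of admitted hits

    def check(self, client_ip: str, now: float = None) -> bool:
        """Return True if the request is admitted, False if it must be throttled."""
        now = time.monotonic() if now is None else now
        q = self._hits[client_ip]
        while q and now - q[0] >= self.window:    # drop hits that aged out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # limit reached; do not record the hit
        q.append(now)
        return True

    def status(self, client_ip: str, now: float = None) -> int:
        """Status code the proxy would send: pass-through or the configured block code."""
        return 200 if self.check(client_ip, now) else self.blocked_status
```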
Rate Limit - Global Concurrency Limit
Limits the total number of concurrent requests processed by the reverse proxy, regardless of client IP. Requests exceeding this limit are throttled. This policy controls overall throughput rather than per-client usage.
Policy-Specific Parameters:
- Maximum Number of Concurrent Requests - The maximum number of requests that can be processed concurrently.
Rate Limit - Cloudmersive API Key Concurrency Limit
Limits the number of concurrent requests per Cloudmersive API key. Requests exceeding the per-key concurrency limit are throttled.
Policy-Specific Parameters: None (uses common parameters only).
Request and Response Control Policies
Block HTTP Response Code
Blocks responses with a specific HTTP status code from being returned to the client. When the backend returns the specified status code, the response is replaced with the configured block response.
Policy-Specific Parameters:
- HTTP Response Code to Block - The numeric HTTP response status code to block (e.g., 500).
Block HTTP Response Body Substring Match
Inspects the response body and blocks responses that contain a specified substring.
Policy-Specific Parameters:
- Substring to Match - The substring to search for in the response body. If found, the response is blocked.
- Match Case - Whether the substring match should be case-sensitive or case-insensitive. Default: Case Insensitive.
Block HTTP Request Method
Blocks requests using a specific HTTP method. Use this to restrict which HTTP methods are allowed through the proxy.
Policy-Specific Parameters:
- HTTP Request Method to Block - The HTTP method to block. Options: All Except GET, GET, POST, OPTIONS, PUT, DELETE, HEAD, PATCH, CONNECT, TRACE.
Block HTTP Request Path
Blocks requests targeting a specific URL path.
Policy-Specific Parameters:
- Block HTTP Request Path - The request path to block.
Block HTTP Request Body Substring Match
Inspects the request body and blocks requests that contain a specified substring.
Policy-Specific Parameters:
- Substring to Match - The substring to search for in the request body. If found, the request is blocked.
- Match Case - Whether the substring match should be case-sensitive or case-insensitive. Default: Case Insensitive.
API Management Policies
Open API v2 (Swagger 2.0) Request Validation
Validates incoming requests against an OpenAPI v2 (Swagger 2.0) specification. Requests that do not conform to the defined API schema (invalid paths, parameters, request bodies, etc.) are blocked.
Policy-Specific Parameters:
- Open API Specification - Upload a Swagger 2.0 / OpenAPI v2 JSON specification file that defines the allowed API schema.