Manage Code Defender policy rules

Once you have created policy rules, you can manage them from the Policy Rules page. Policy rules are organized into different tabs:

  • Client-side rules: Rules that allow or block script actions.
  • PCI DSS rules: Rules that authorize scripts for PCI DSS 4’s requirement 6.4.3.

Each section separates its available rules into three categories:

  • Active: Rules that are currently published and running for each detected script or action.
  • Draft: Rules that are not completed or have not been activated yet.
  • Archived: Rules that were previously published, but are no longer running.

You can learn about each category below.

Prerequisites

To manage and make changes to policy rules, you must have at least a Developer role.

Active rules

All rules that Code Defender currently enforces are in the Active tab. There are two types of active rules: mitigation rules and classification rules.

Mitigation rules

Mitigation rules are rules where Code Defender or PCI DSS automatically blocks or allows a script action if it is present on the deny list or the allow list, respectively. You can click on each rule to view the deny or allow list.

Mitigation rules are prioritized over classification rules. For example, if a script action already exists on the deny list, then Code Defender will block that action and will not process any other rules. This means that, if a classification rule exists for that action, Code Defender will never consider it. For more information, see Active rule priority.

Classification rules

Classification rules are custom rules you created. Code Defender processes these rules if the script action doesn't match any conditions in Mitigation rules.

You can click a classification rule to view its conditions and perform the following actions:

  • Set rule priority: Change the rule's priority. See Active rule priority for more information.
  • Archive rule: Deactivate the policy rule on your application and move it to the Archive tab. When you activate, you must also select a rule priority.
  • Open edit mode: Make revisions to the rule.
  • Duplicate rule: Make a copy of the rule.

You can also drag and drop rules to update Code Defender’s rule priority.

Active rule priority

Code Defender evaluates each script action against active rules in order of priority, starting with Mitigation rules and then Classification rules beginning with rule number 1. This means that, when matching script actions to policy rules, Code Defender uses the following logic:

  1. Code Defender attempts to match the script action to the conditions in each policy rule one by one.
  2. When Code Defender finds the first policy rule with conditions that match the detected script action, then Code Defender performs the action related to that rule.
  3. Code Defender stops attempting to match the script action with any remaining policy rules.

This means that if you have two or more policy rules with matching conditions, then Code Defender will prioritize completing the action associated with the earlier rule, then stop considering the remaining rules. So, for example, say your policy rules are ordered like this:

  1. Policy rule that allows all script actions detected on all host domains.
  2. Policy rule that allows all script actions from all known vendors.
  3. Policy rule that blocks specific undesired script actions taken by any script belonging to a specific script vendor.

If your application receives a script from the vendor specified in Policy Rule 3, and this script performs the specified undesired actions, those script actions will not be blocked even though the rule exists. This is because this vendor is also considered a known vendor in Policy Rule 2. Since Policy Rule 2 is the earlier rule, it is prioritized, and the vendor will be allowed. Code Defender will never continue on to the next rule.
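The first-match evaluation order described above, together with a check that flags classification rules that can never win because an earlier rule always matches first, as an added example. This is illustrative code, not Code Defender's own engine; the action fields, the (vendor, action) key used for the deny and allow lists, the first-party-domain reading of rule 1, and the sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed model; field names and rule shapes are assumptions, not Code Defender's API.
@dataclass(frozen=True)
class ScriptAction:
    vendor: str        # vendor the script was attributed to
    host_domain: str   # domain the script was served from
    action: str        # e.g. "read_form_field"

@dataclass(frozen=True)
class Rule:
    name: str
    decision: str      # "allow" or "block"
    matches: Callable[[ScriptAction], bool]

FIRST_PARTY_DOMAINS = {"shop.example"}           # constructed
KNOWN_VENDORS = {"analytics-co", "vendor-x"}    # constructed

def evaluate(action, deny_list, allow_list, rules):
    """Mitigation lists first, then classification rules by priority; first match wins."""
    key = (action.vendor, action.action)         # assumed list key
    if key in deny_list:
        return "block", "deny list"
    if key in allow_list:
        return "allow", "allow list"
    for rule in rules:                           # rules[0] is priority 1
        if rule.matches(action):
            return rule.decision, rule.name
    return "no decision", "no match"             # assumption: the page states no default

def shadowed_rules(rules, sample_actions):
    """Rules that match some sample action but never win because an earlier rule matched first."""
    winners = {evaluate(a, set(), set(), rules)[1] for a in sample_actions}
    return [r.name for r in rules
            if r.name not in winners and any(r.matches(a) for a in sample_actions)]

RULES = [  # the three-rule ordering from the text, rule 1 read as "first-party host domains"
    Rule("1 allow first-party", "allow", lambda a: a.host_domain in FIRST_PARTY_DOMAINS),
    Rule("2 allow known vendors", "allow", lambda a: a.vendor in KNOWN_VENDORS),
    Rule("3 block vendor-x form reads", "block",
         lambda a: a.vendor == "vendor-x" and a.action == "read_form_field"),
]
SAMPLE = [ScriptAction("vendor-x", "cdn.vendor-x.example", "read_form_field"),   # constructed
          ScriptAction("analytics-co", "cdn.analytics.example", "network_request"),
          ScriptAction("first-party", "shop.example", "read_form_field")]

if __name__ == "__main__":
    print(evaluate(SAMPLE[0], set(), set(), RULES))   # ('allow', '2 allow known vendors')
    print(shadowed_rules(RULES, SAMPLE))              # ['3 block vendor-x form reads']
    fixed = [RULES[2], RULES[0], RULES[1]]            # move the block rule to priority 1
    print(evaluate(SAMPLE[0], set(), set(), fixed))   # ('block', '3 block vendor-x form reads')
```

Running `shadowed_rules` against a representative set of detected actions before activating a rule shows whether the chosen priority lets the rule ever take effect.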

Draft rules

All rules that you’re currently editing or are not yet active are in the Draft tab. You can click a rule to view its conditions and perform the following actions:

  • Activate rule: Start enforcing the policy rule on your application and move it to the Active tab. When you activate, you must also select a rule priority.
  • Delete rule: Remove the rule permanently from your account.
  • Open edit mode: Make revisions to the rule.
  • Duplicate rule: Make a copy of the rule.

Archived rules

All rules that were previously active but have since been deactivated are in the Archive tab. You can click a rule to view its conditions and perform the following actions:

  • Activate rule: Start enforcing the policy rule on your application and move it to the Active tab. When you activate, you must also select a rule priority.
  • Move to drafts: Move the rule to the Draft tab.
  • Open edit mode: Make revisions to the rule.
  • Duplicate rule: Make a copy of the rule.