Manage Code Defender policy rules

Once you have created policy rules, you can manage them from the Policy Rules page. Policy rules are organized into different tabs:

  • Client-side rules: Rules that allow or block script actions.
  • PCI DSS rules: Rules that authorize scripts for PCI DSS 4’s requirement 6.4.3.

Each section separates its available rules into three categories:

  • Active: Rules that are currently published and running for each detected script or action.
  • Draft: Rules that are not completed or have not been activated yet.
  • Archived: Rules that were previously published, but are no longer running.

You can learn about each category below.

Prerequisites

To manage and make changes to policy rules, you must have at least a Developer role.

Active rules

All rules that Code Defender currently enforces are in the Active tab. You can manage a rule by selecting the more options menu next to it. From here, you can:

  • Archive rule: Deactivate the policy rule on your application and move it to the Archive tab. If you later activate the rule again, you must also select a rule priority.
  • View/edit rule structure: Make revisions to the rule.
  • Duplicate rule: Make a copy of the rule.

You can also drag and drop rules to update Code Defender’s rule priority.

Active rule priority

Code Defender evaluates each script action against active rules by order of priority, starting with rule number 1. This means that, when matching script actions to policy rules, Code Defender uses the following logic:

  1. Code Defender attempts to match the script action to the conditions in each policy rule one by one.
  2. When Code Defender finds the first policy rule with conditions that match the detected script action, then Code Defender performs the action related to that rule.
  3. Code Defender stops attempting to match the script action with any remaining policy rules.

This means that if you have two or more policy rules with matching conditions, then Code Defender will prioritize completing the action associated with the earlier rule, then stop considering the remaining rules. So, for example, say your policy rules are ordered like this:

  1. Policy rule that allows all script actions detected on all host domains.
  2. Policy rule that allows all script actions from all known vendors.
  3. Policy rule that blocks specific undesired script actions taken by any script belonging to a specific script vendor.

If your application receives a script from the vendor specified in Policy Rule 3, and this script performs the specified undesired actions, those script actions will not be blocked even though the rule exists. This is because this vendor is also considered a known vendor in Policy Rule 2. Since Policy Rule 2 comes earlier in the order, it is prioritized, and the vendor will be allowed. Code Defender will never continue on to the next rule.
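
The first-match behavior described above can be modeled in a few lines to check a planned rule order before activating it. This is an added example, not Code Defender's own code or rule schema: the `Rule` fields, the vendor names and the `read-form-field` action are hypothetical values constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

KNOWN_VENDORS = {"vendor-a", "vendor-b"}  # constructed sample data

@dataclass(frozen=True)
class Rule:
    """Hypothetical rule shape; a None condition matches anything."""
    name: str
    effect: str                       # "allow" or "block"
    vendor: Optional[str] = None      # one specific script vendor
    known_vendor_only: bool = False   # any vendor in KNOWN_VENDORS
    action: Optional[str] = None      # one specific script action

def matches(rule, vendor, action):
    if rule.known_vendor_only and vendor not in KNOWN_VENDORS:
        return False
    return rule.vendor in (None, vendor) and rule.action in (None, action)

def evaluate(rules, vendor, action):
    """First match wins: return (priority, rule); later rules are never consulted."""
    for priority, rule in enumerate(rules, start=1):
        if matches(rule, vendor, action):
            return priority, rule
    return None  # no active rule matched

def shadowed_by(rules, priority, vendor, action):
    """Priorities of earlier rules that match the event the rule at `priority` targets."""
    earlier = rules[:priority - 1]
    return [p for p, r in enumerate(earlier, start=1) if matches(r, vendor, action)]

# The ordering from the example above (priority 1 first).
RULES = [
    Rule("allow all script actions on all host domains", "allow"),
    Rule("allow all script actions from known vendors", "allow", known_vendor_only=True),
    Rule("block undesired action from vendor-a", "block",
         vendor="vendor-a", action="read-form-field"),
]
# Same rules with the specific block rule moved to priority 1.
REORDERED = [RULES[2], RULES[0], RULES[1]]

if __name__ == "__main__":
    event = ("vendor-a", "read-form-field")  # constructed script action
    for label, rules in (("original", RULES), ("reordered", REORDERED)):
        priority, rule = evaluate(rules, *event)
        print(f"{label}: rule {priority} ({rule.name}) -> {rule.effect}")
    print("block rule shadowed by priorities:", shadowed_by(RULES, 3, *event))
```

With the original order the block rule is never reached; placing the narrow block rule above the broad allow rules lets it take effect while other actions still fall through to the allow rules.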

Draft rules

All rules that you’re currently editing or are not yet active are in the Draft tab. You can manage a rule by selecting the more options menu next to it. From here, you can:

  • Activate rule: Start enforcing the policy rule on your application and move it to the Active tab. When you activate, you must also select a rule priority.
  • Delete rule: Remove the rule permanently from your account.
  • View/edit rule structure: Make revisions to the rule.
  • Duplicate rule: Make a copy of the rule. This will also appear in Draft.

Archived rules

All rules that were previously active but have since been deactivated are in the Archive tab. You can manage a rule by selecting the more options menu next to it. From here, you can:

  • Activate rule: Start enforcing the policy rule again and move it to the Active tab. When you activate, you must also select a rule priority. See Active rule priority for more information.
  • Delete rule: Remove the rule permanently from your account.
  • View/edit rule structure: Make revisions to the rule.
  • Duplicate rule: Make a copy of the rule. This will also appear in Draft.