URL Security Rules
The URL Security Rule (sys_url_security_rule) is designed to define URL templates that must be allowed or denied for use by server API methods. You can create a rule for any method of the server class that uses URLs.
This mechanism works by marking specific URL templates as allowed or denied. Any URL not included in the allowed list is considered denied. To block URLs that fit specific templates, use the denied list type. When there is only a denied list and no allowed list, all URLs that are not denied will be considered allowed.
For one method (for example, SimpleSystem::setRedirect) you can create only one URL Security Rule record that has a unique combination of URL template and List type. If you try to save a duplicate rule, the system prevents it and displays an error message.
The "out-of-the-box" version contains 10 URL security rules. You can edit them or add new ones.
The "out-of-the-box" URL Security Rules
Method | Restrictions |
---|---|
SimpleAttachmentService::createAttachmentByUrl | Protocols allowed: http:// and https:// . Protocols denied: file:// and ftp: . |
SimpleAttachmentService::setUrl | Protocols allowed: http:// and https:// . Protocols denied: file:// and ftp . |
SimpleSystem::setRedirect | Protocols allowed: http:// and https:// . No denied list is created. |
Create a URL Security Rule
- Open the URL Security Rule (sys_url_security_rule) table at {your instance URL}/list/sys_url_security_rule.
- Click Create and complete the fields.
- Click Save or Save and exit to apply the changes.
URL Security Rule form fields
Field | Mandatory | Description |
---|---|---|
List type | Y | Specify whether the rule allows or prohibits access. Available options:
|
Method | Y | Specify the method the rule applies to. For example, SimpleRestRequest::setRequestUrl . |
URL template | Y | Specify the URL pattern. Use an asterisk (*) to refer to any sequence of characters. For example, http://* . |
Active | N | Select the checkbox to activate the rule. When cleared, the system does not include the rule in the verification process. |
URL template syntax
- Use the asterisk (*) to represent any sequence of characters in the URL.
  Examples:
  - *.example.com blocks test.example.com, api.example.com and others.
  - example.com/path/* blocks example.com/path/document_1 and other similar URLs.
- URL security rules support URLs with protocols, like https://simpleone.ru, and without protocols, as in simpleone.io.
- Extra characters like spaces or line breaks before or after the template are ignored.
  - For example, the URL template example.com/path/* entered with surrounding spaces will be converted to example.com/path/*.
- For example, the URL template
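
The allowed/denied evaluation and the template matching described on this page can be modelled as below, which helps when checking a planned rule set before saving it. This is an added example, not SimpleOne's implementation; the deny-over-allow precedence, whole-string case-insensitive matching, scheme stripping for protocol-less templates, the 'allowed'/'denied' labels and the sample rules are assumptions.

```javascript
// Added illustration, not SimpleOne code. Lines marked ASSUMPTION are not stated on the page.

// Turn a URL template into a RegExp; '*' stands for any sequence of characters.
function templateToRegExp(template) {
  const escaped = template
    .trim() // spaces and line breaks around the template are ignored
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp('^' + escaped + '$', 'i'); // ASSUMPTION: whole-string, case-insensitive
}

// ASSUMPTION: a template without a protocol is compared with the URL minus its scheme.
function matches(template, url) {
  const scheme = /^[a-z][a-z0-9+.-]*:\/\//i;
  const candidate = scheme.test(template.trim()) ? url : url.replace(scheme, '');
  return templateToRegExp(template).test(candidate);
}

// rules: [{ method, listType, urlTemplate, active }]
// 'allowed' / 'denied' are hypothetical labels for the List type field.
function isUrlPermitted(rules, method, url) {
  const relevant = rules.filter((r) => r.active && r.method === method);
  const denied = relevant.filter((r) => r.listType === 'denied');
  const allowed = relevant.filter((r) => r.listType === 'allowed');
  // ASSUMPTION: a denied match takes precedence over an allowed match.
  if (denied.some((r) => matches(r.urlTemplate, url))) return false;
  // Only a denied list exists: everything not denied is allowed.
  if (allowed.length === 0) return true;
  // An allowed list exists: anything not on it is denied.
  return allowed.some((r) => matches(r.urlTemplate, url));
}

// Constructed sample rules (not the out-of-the-box records).
const REDIRECT = 'SimpleSystem::setRedirect';
const REQUEST = 'SimpleRestRequest::setRequestUrl';
const sampleRules = [
  { method: REDIRECT, listType: 'allowed', urlTemplate: 'http://*', active: true },
  { method: REDIRECT, listType: 'allowed', urlTemplate: 'https://*', active: true },
  { method: REQUEST, listType: 'denied', urlTemplate: ' *.example.com\n', active: true },
  { method: REQUEST, listType: 'denied', urlTemplate: 'example.com/path/*', active: false },
];
```

Under the whole-string assumption, *.example.com does not cover https://api.example.com/v1, so confirm how your instance treats paths before relying on a host-only template in a denied list.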