What are Policies?

Policies are collections of guardrails that define what should be protected and how. They provide a structured way to organize security rules and apply them consistently across different environments and use cases.

Policy Components

Guardrail Configurations

Policies specify which guardrails to apply:
  • Guardrail selection: Choose from available detection rules
  • Custom settings: Override default configurations
  • Sensitivity tuning: Adjust detection thresholds
  • Placeholder customization: Set custom replacement text

Enforcement Levels

Policies define how strictly to enforce rules:
  • BLOCK: Prevent requests with violations
  • WARN: Allow requests but log violations

Scope Definition

Policies specify where they apply:
  • Global policies: Apply to all projects and environments
  • Environment-specific: Different rules for production vs. staging
  • Service-specific: Tailored policies for different APIs
  • Team-specific: Policies for different departments

Policy Types

Compliance Policies

Designed to meet regulatory requirements:

HIPAA Compliance

{
  "name": "HIPAA Compliance Policy",
  "description": "Protects patient health information",
  "guardrails": [
    {
      "type": "pii",
      "patterns": ["\\b\\d{3}-\\d{2}-\\d{4}\\b"],
      "enforcement": "BLOCK",
      "placeholder": "[PHI-REDACTED]"
    },
    {
      "type": "medical-content",
      "enforcement": "BLOCK",
      "placeholder": "[MEDICAL-CONTENT-BLOCKED]"
    }
  ]
}

PCI Compliance

{
  "name": "PCI Compliance Policy",
  "description": "Protects payment card data",
  "guardrails": [
    {
      "type": "pii",
      "patterns": ["\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b"],
      "enforcement": "BLOCK",
      "placeholder": "[CARD-REDACTED]"
    },
    {
      "type": "cvv",
      "patterns": ["\\b\\d{3,4}\\b"],
      "enforcement": "BLOCK",
      "placeholder": "[CVV-REDACTED]"
    }
  ]
}

Security Policies

Focus on preventing data breaches and unauthorized access:

Secrets Protection

{
  "name": "Secrets Protection Policy",
  "description": "Prevents credential leaks",
  "guardrails": [
    {
      "type": "api-keys",
      "patterns": ["sk-[a-zA-Z0-9]{20,}"],
      "enforcement": "BLOCK",
      "placeholder": "[API-KEY-REDACTED]"
    },
    {
      "type": "passwords",
      "enforcement": "WARN",
      "placeholder": "[PASSWORD-REDACTED]"
    }
  ]
}

Content Moderation

{
  "name": "Content Moderation Policy",
  "description": "Filters inappropriate content",
  "guardrails": [
    {
      "type": "profanity",
      "enforcement": "WARN",
      "placeholder": "[CONTENT-FILTERED]"
    },
    {
      "type": "hate-speech",
      "enforcement": "BLOCK",
      "placeholder": "[HATE-SPEECH-BLOCKED]"
    }
  ]
}

Development Policies

Tailored for development and testing environments:

Development Safety

{
  "name": "Development Safety Policy",
  "description": "Basic protection for dev environments",
  "guardrails": [
    {
      "type": "secrets",
      "enforcement": "WARN",
      "placeholder": "[DEV-SECRET-REDACTED]"
    },
    {
      "type": "pii",
      "enforcement": "WARN",
      "placeholder": "[DEV-PII-REDACTED]"
    }
  ]
}

Policy Management

Policy Creation

  1. Define scope: Determine where the policy applies
  2. Select guardrails: Choose appropriate detection rules
  3. Configure enforcement: Set BLOCK/WARN/ALLOW levels
  4. Test configuration: Validate with sample data
  5. Deploy policy: Apply to target projects

Policy Versioning

  • Version control: Track policy changes over time
  • Rollback capability: Revert to previous versions
  • Change documentation: Log all modifications
  • Approval workflow: Require review for policy changes

Policy Testing

  • Sandbox environment: Test policies safely
  • Sample data validation: Verify detection accuracy
  • Performance testing: Ensure policies don’t impact performance
  • False positive analysis: Minimize incorrect detections
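A way to do the false positive analysis above against a policy's pattern-based guardrails, as an added example that is not part of this page or the product it documents. It takes the two regex guardrails from the PCI Compliance Policy shown earlier, runs them over constructed, labelled sample requests, and reports per-guardrail precision and recall; the samples and the labels are assumptions made for the illustration.

```python
import re
from collections import Counter

# Pattern-based guardrails copied from the "PCI Compliance Policy" on this page.
PCI_GUARDRAILS = [
    {"type": "pii", "patterns": ["\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b"]},
    {"type": "cvv", "patterns": ["\\b\\d{3,4}\\b"]},
]

# Constructed, labelled sample data: (text, set of guardrail types that SHOULD fire).
# Any other guardrail that fires on the text counts as a false positive.
SAMPLES = [
    ("card 4111-1111-1111-1111 cvv 123", {"pii", "cvv"}),
    ("order 48213 shipped on 2024-05-01", set()),   # the year is a bare 4-digit token
    ("please call extension 412", set()),            # a bare 3-digit token
    ("meeting room 7", set()),
    ("cvv is 987", {"cvv"}),
]


def fires(guardrail, text):
    """True if any of the guardrail's regex patterns matches the text."""
    return any(re.search(p, text) for p in guardrail["patterns"])


def analyse(guardrails, samples):
    """Per-guardrail precision, recall and raw false-positive count over labelled samples."""
    tp, fp, fn = Counter(), Counter(), Counter()
    for text, expected in samples:
        for g in guardrails:
            fired = fires(g, text)
            wanted = g["type"] in expected
            if fired and wanted:
                tp[g["type"]] += 1
            elif fired:
                fp[g["type"]] += 1
            elif wanted:
                fn[g["type"]] += 1
    report = {}
    for g in guardrails:
        t = g["type"]
        report[t] = {
            "precision": tp[t] / (tp[t] + fp[t]) if tp[t] + fp[t] else 1.0,
            "recall": tp[t] / (tp[t] + fn[t]) if tp[t] + fn[t] else 1.0,
            "false_positives": fp[t],
        }
    return report


if __name__ == "__main__":
    for guardrail_type, metrics in analyse(PCI_GUARDRAILS, SAMPLES).items():
        print(guardrail_type, metrics)
```

On these samples the card pattern is precise while the bare 3-to-4-digit CVV pattern fires on years and extension numbers, which is exactly the kind of result that should drive tightening a pattern (or pairing it with context) before the policy is deployed with BLOCK enforcement.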

Policy Inheritance

Global Policies

Applied to all projects by default:
  • Base security: Fundamental protection rules
  • Compliance requirements: Regulatory mandates
  • Organization standards: Company-wide policies

Project-Specific Policies

Override or extend global policies:
  • Additional guardrails: Extra protection for sensitive projects
  • Relaxed enforcement: Less strict rules for internal tools
  • Custom configurations: Project-specific settings

Environment Policies

Different rules for different environments:
  • Production: Strict enforcement, BLOCK violations
  • Staging: Moderate enforcement, WARN violations
  • Development: Relaxed enforcement, ALLOW violations

Policy Examples

Healthcare API Policy

{
  "name": "Healthcare API Policy",
  "scope": ["patient-portal", "medical-records"],
  "enforcement": "BLOCK",
  "guardrails": [
    {
      "type": "hipaa-pii",
      "patterns": [
        "\\b\\d{3}-\\d{2}-\\d{4}\\b",
        "\\b[A-Z]{2}\\d{6}\\b"
      ],
      "placeholder": "[PHI-REDACTED]"
    },
    {
      "type": "medical-advice",
      "enforcement": "BLOCK",
      "placeholder": "[MEDICAL-ADVICE-BLOCKED]"
    }
  ]
}

Financial Services Policy

{
  "name": "Financial Services Policy",
  "scope": ["payment-gateway", "trading-api"],
  "enforcement": "BLOCK",
  "guardrails": [
    {
      "type": "financial-data",
      "patterns": [
        "\\b\\d{4}-\\d{4}-\\d{4}-\\d{4}\\b",
        "\\b\\d{8,17}\\b"
      ],
      "placeholder": "[FINANCIAL-DATA-REDACTED]"
    },
    {
      "type": "investment-advice",
      "enforcement": "BLOCK",
      "placeholder": "[INVESTMENT-ADVICE-BLOCKED]"
    }
  ]
}

E-commerce Policy

{
  "name": "E-commerce Policy",
  "scope": ["checkout-api", "customer-service"],
  "enforcement": "WARN",
  "guardrails": [
    {
      "type": "pci-data",
      "patterns": [
        "\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b"
      ],
      "placeholder": "[CARD-REDACTED]"
    },
    {
      "type": "customer-pii",
      "enforcement": "WARN",
      "placeholder": "[CUSTOMER-DATA-REDACTED]"
    }
  ]
}
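The policy documents above combine a scope, a policy-level enforcement and per-guardrail settings; the following evaluator is an added example (not code from this page or the product it documents) showing how one such document can be applied to a request. It assumes three things the page implies but does not spell out: a guardrail's own "enforcement" overrides the policy-level value, a policy with no "scope" applies to every service, and guardrail types without "patterns" are classifier-backed and therefore skipped here. The policy and request are constructed, reusing patterns from the examples above.

```python
import re
from dataclasses import dataclass, field

# Constructed policy in the page's format (patterns taken from the examples above).
POLICY = {
    "name": "Checkout Policy",
    "scope": ["checkout-api", "customer-service"],
    "enforcement": "WARN",                  # policy-level default
    "guardrails": [
        {
            "type": "pci-data",
            "patterns": ["\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b"],
            "enforcement": "BLOCK",         # guardrail-level override (assumed semantics)
            "placeholder": "[CARD-REDACTED]",
        },
        {
            "type": "ssn",
            "patterns": ["\\b\\d{3}-\\d{2}-\\d{4}\\b"],
            "placeholder": "[PII-REDACTED]",  # no enforcement key: inherits WARN
        },
    ],
}

RANK = {"ALLOW": 0, "WARN": 1, "BLOCK": 2}   # strictest level wins


@dataclass
class Decision:
    action: str                                    # "ALLOW", "WARN" or "BLOCK"
    text: str                                      # request with matches replaced by placeholders
    violations: list = field(default_factory=list)  # (guardrail type, enforcement level)


def evaluate(policy, service, text):
    """Apply one policy to one request for the named service."""
    if service not in policy.get("scope", [service]):
        return Decision("ALLOW", text)             # out of scope: policy does not apply
    default = policy.get("enforcement", "WARN")
    decision = Decision("ALLOW", text)
    for g in policy["guardrails"]:
        level = g.get("enforcement", default)
        for pattern in g.get("patterns", []):      # classifier-backed types have none
            decision.text, hits = re.subn(pattern, g["placeholder"], decision.text)
            if hits:
                decision.violations.append((g["type"], level))
                if RANK[level] > RANK[decision.action]:
                    decision.action = level
    return decision


if __name__ == "__main__":
    print(evaluate(POLICY, "checkout-api", "card 4111 1111 1111 1111, ssn 123-45-6789"))
```

A WARN decision is returned with the text already redacted so the caller can forward the cleaned request and log the violation, while a BLOCK decision carries the same redacted text for the audit trail only.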

Best Practices

Policy Design

  • Start simple: Begin with basic policies and add complexity
  • Test thoroughly: Validate policies with real data
  • Document decisions: Record why policies are configured this way
  • Regular reviews: Audit policy effectiveness regularly

Performance Considerations

  • Minimize complexity: Simple policies perform better
  • Cache frequently: Cache policy configurations
  • Monitor impact: Track performance impact of policies
  • Optimize patterns: Use efficient regex patterns

Compliance Management

  • Audit trails: Log all policy violations and actions
  • Regular reviews: Schedule periodic policy audits
  • Incident response: Plan for policy violations
  • Training: Educate teams on policy requirements