Security levels

A security level represents a set of deny rules with different filter strengths. The security level is separately adjustable for each deny rule group. The documentation of the default deny rule groups provides information which deny rule is associated with which security levels. The security level can be adjusted individually per attack type.


Rules in level Basic focus on a low false positive rate, simplifying integration of applications. Note, however, that certain attack variants may not be covered.

Indications for using level Basic:

  • Level Standard requires too many exceptions.
  • Application access is protected by upstream authentication.


Level Standard is the default setting on new mappings. It provides strong filters and a low false positive rate. Exceptions may be required for input fields containing syntactical elements similar to JavaScript or SQL.

Indications for using level Standard:

  • The application is complex or dynamic.
  • The application uses many input fields with unrestricted input values, e.g., free texts or comments.
  • Application access is protected by upstream authentication.
  • Level Strict requires too many exceptions.


Level Strict focuses on blocking many potential attack variants. This level is recommended for very sensitive applications and typically requires some integration effort.

Indications for using level Strict:

  • Login pages and other critical pages exposed directly to the Internet, without upstream authentication.
  • The application is rather simple.
  • Application data is very sensitive (high risk).
  • Low code quality of application.