Policies
Browser Security policies control what is detected, what is blocked, and which users and platforms are in scope. Policies are managed in Highflame Studio → Browser Security → Policies and are pushed to enrolled devices automatically — no extension update or user action is required.
Policy structure
Each policy has three sections:
Scope — which users, device groups, or AI platforms the policy applies to
Threat rules — enforcement mode per threat category
Exceptions — domains or users explicitly excluded from enforcement
Enforcement modes
Set per threat category:
Block: Operation cancelled, user notified, violation recorded
Monitor: Operation allowed, violation recorded silently
Allow: No action taken, no recording
Recommended rollout order: Start all categories in Monitor mode for 1–2 weeks to review detections and tune exceptions. Move categories to Block once you are confident in the signal quality.
Configuring a policy
In Highflame Studio → Browser Security → Policies, click New Policy or edit an existing one.
Threat rules
Configure the enforcement mode for each category:
Prompt injection: Monitor. Move to Block after reviewing baseline detections.
Data exfiltration: Monitor. Review and add internal domain exceptions before blocking.
Token theft: Block. Safe to block immediately — very low false positive rate.
File uploads: Monitor. Review file types and platforms in scope before blocking.
Clipboard: Monitor. Test with pilot group before broad rollout.
XSS / script injection: Block. Safe to block immediately.
Storage protection: Block. Safe to block immediately.
Scope
Policies can be scoped to:
All devices — applies to everyone in the organization
Device group — applies to a specific group (e.g., finance team, contractors)
User group — synced from your IdP via SCIM (if configured)
AI platforms — restrict prompt inspection to specific platforms rather than all monitored URLs
A device inherits the most restrictive policy that applies to it when multiple policies overlap. Use device groups to apply stricter controls to high-risk populations (e.g., privileged users, users with access to regulated data).
Exceptions
Add domains to the exception list to exclude them from data exfiltration and token theft checks. Common candidates:
Internal API domains (api.internal.company.com)
Trusted partner domains
SSO and identity provider endpoints
Exception domains bypass data exfiltration and token theft checks entirely. Only add domains you fully control.
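To make the two rules above concrete (most restrictive policy wins when policies overlap; exception domains bypass only the data exfiltration and token theft checks), here is an added example that is not Highflame's code. The Policy dataclass, the group-based scope model, and the choice to union the exception lists of all applicable policies are assumptions; the product's real policy format is not shown on this page.

```python
from dataclasses import dataclass

# Assumed ordering for resolving overlapping policies: Block is the most restrictive.
RESTRICTIVENESS = {"Allow": 0, "Monitor": 1, "Block": 2}
# The only categories whose checks an exception domain bypasses (per this page).
EXCEPTABLE = {"Data exfiltration", "Token theft"}

@dataclass
class Policy:
    name: str
    scope: frozenset                     # {"All devices"} or a set of device group names
    rules: dict                          # threat category -> enforcement mode
    exceptions: frozenset = frozenset()  # domains excluded from exfil/token theft checks

# The Default Policy as described above: every category in Monitor, no exceptions.
DEFAULT_POLICY = Policy("Default Policy", frozenset({"All devices"}), {
    "Prompt injection": "Monitor", "Data exfiltration": "Monitor",
    "Token theft": "Monitor", "File uploads": "Monitor", "Clipboard": "Monitor",
    "XSS / script injection": "Monitor", "Storage protection": "Monitor"})

def applicable(policies, device_groups):
    """Policies whose scope covers a device that belongs to the given groups."""
    return [p for p in policies if "All devices" in p.scope or p.scope & device_groups]

def effective_rules(policies, device_groups):
    """Merge overlapping policies: the most restrictive mode per category wins."""
    merged = {}
    for p in applicable(policies, device_groups):
        for cat, mode in p.rules.items():
            if RESTRICTIVENESS[mode] > RESTRICTIVENESS.get(merged.get(cat), -1):
                merged[cat] = mode
    return merged

def is_excepted(host, policies, device_groups):
    # Assumption: exception lists of all applicable policies are unioned, and a host
    # matches an entry either exactly or as one of its subdomains.
    domains = set().union(*(p.exceptions for p in applicable(policies, device_groups)))
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(policies, device_groups, category, host=None):
    """Action for one detection on a device: 'Block', 'Monitor' or 'Allow'."""
    if category in EXCEPTABLE and host and is_excepted(host, policies, device_groups):
        return "Allow"   # exception domains bypass these two checks entirely
    return effective_rules(policies, device_groups).get(category, "Allow")
```

Note that a lookalike such as notapi.internal.company.com does not match the api.internal.company.com entry, which is the behaviour you want when reviewing exception lists.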
Default policy
All newly enrolled devices receive the Default Policy until a more specific policy is applied. The default policy runs all categories in Monitor mode with no exceptions.
Policy sync
Policy changes take effect on enrolled devices within 60 seconds. Devices poll for policy updates on each new browser tab open and every 60 seconds while active. There is no need to re-deploy the extension or restart the browser.
If a device is offline when a policy changes, it will apply the updated policy the next time it comes online.
Recommended configurations
Initial deployment (all users)
All categories in Monitor mode. Run for 2 weeks to establish a detection baseline.
Production enforcement (standard users)
Prompt injection: Block
Data exfiltration: Block
Token theft: Block
File uploads: Monitor
Clipboard: Block
XSS / script injection: Block
Storage protection: Block
High-security users (finance, legal, privileged access)
All categories in Block mode with a tighter exception list and alerts configured for every violation.