# Policies

Browser Security policies control what is detected, what is blocked, and which users and platforms are in scope. Policies are managed in **Highflame Studio** → **Browser Security** → **Policies** and are pushed to enrolled devices automatically — no extension update or user action is required.

***

## Policy structure

Each policy has three sections:

* **Scope** — which users, device groups, or AI platforms the policy applies to
* **Threat rules** — enforcement mode per threat category
* **Exceptions** — domains or users explicitly excluded from enforcement

***

## Enforcement modes

Set per threat category:

| Mode        | Behavior                                               |
| ----------- | ------------------------------------------------------ |
| **Block**   | Operation cancelled, user notified, violation recorded |
| **Monitor** | Operation allowed, violation recorded silently         |
| **Allow**   | No action taken, no recording                          |

{% hint style="info" %}
**Recommended rollout order**: Start all categories in **Monitor** mode for 1–2 weeks to review detections and tune exceptions. Move categories to **Block** once you are confident in the signal quality.
{% endhint %}

***

## Configuring a policy

In Highflame Studio → Browser Security → Policies, click **New Policy** or edit an existing one.

### Threat rules

Configure the enforcement mode for each category:

| Category               | Default mode | Notes                                                     |
| ---------------------- | ------------ | --------------------------------------------------------- |
| Prompt injection       | Monitor      | Move to Block after reviewing baseline detections         |
| Data exfiltration      | Monitor      | Review and add internal domain exceptions before blocking |
| Token theft            | Block        | Safe to block immediately — very low false positive rate  |
| File uploads           | Monitor      | Review file types and platforms in scope before blocking  |
| Clipboard              | Monitor      | Test with pilot group before broad rollout                |
| XSS / script injection | Block        | Safe to block immediately                                 |
| Storage protection     | Block        | Safe to block immediately                                 |

### Scope

Policies can be scoped to:

* **All devices** — applies to everyone in the organization
* **Device group** — applies to a specific group (e.g., finance team, contractors)
* **User group** — synced from your IdP via SCIM (if configured)
* **AI platforms** — restrict prompt inspection to specific platforms rather than all monitored URLs

When multiple policies overlap, a device inherits the most restrictive policy that applies to it. Use device groups to apply stricter controls to high-risk populations (e.g., privileged users, users with access to regulated data).

### Exceptions

Add domains to the exception list to exclude them from data exfiltration and token theft checks. Common candidates:

* Internal API domains (`api.internal.company.com`)
* Trusted partner domains
* SSO and identity provider endpoints

{% hint style="warning" %}
Exception domains bypass data exfiltration and token theft checks entirely. Only add domains you fully control.
{% endhint %}
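To make the scope, overlap and exception rules above concrete, here is a small Python model of how a device's effective policy resolves (an added illustration, not Highflame's own implementation). It merges overlapping policies most-restrictive-first and applies exception domains only to the data exfiltration and token theft categories; the `Policy` class, the `effective_policy` and `decide` functions, the per-category merge, the intersection of exception lists and exact-domain matching are all assumptions of this model, not documented product behaviour.

```python
from dataclasses import dataclass, field

# "Most restrictive" ordering used when overlapping policies disagree.
RESTRICTIVENESS = {"Allow": 0, "Monitor": 1, "Block": 2}
# Per the page, exception domains bypass only these two categories.
EXCEPTION_CATEGORIES = {"Data exfiltration", "Token theft"}
ALL_CATEGORIES = ["Prompt injection", "Data exfiltration", "Token theft",
                  "File uploads", "Clipboard", "XSS / script injection",
                  "Storage protection"]

@dataclass
class Policy:
    name: str
    scope: str                 # "all", "device:<group>" or "user:<group>"
    rules: dict                # category -> "Block" | "Monitor" | "Allow"
    exceptions: set = field(default_factory=set)

    def applies_to(self, device_groups, user_groups):
        kind, _, group = self.scope.partition(":")
        return (kind == "all" or (kind == "device" and group in device_groups)
                or (kind == "user" and group in user_groups))

def effective_policy(policies, device_groups, user_groups, default):
    """Merge every in-scope policy. Assumptions the page leaves open: the
    most restrictive mode wins per category, and a domain stays excepted only
    if every matched policy lists it. No match: keep `default` (Default Policy)."""
    matched = [p for p in policies if p.applies_to(device_groups, user_groups)]
    if not matched:
        matched = [default]
    rules = {}
    for p in matched:
        for category, mode in p.rules.items():
            if RESTRICTIVENESS[mode] >= RESTRICTIVENESS[rules.get(category, "Allow")]:
                rules[category] = mode
    return rules, set.intersection(*(p.exceptions for p in matched))

def decide(rules, exceptions, category, domain):
    """Action for one operation. Exact-domain matching is an assumption."""
    if category in EXCEPTION_CATEGORIES and domain in exceptions:
        return "Allow"
    return rules.get(category, "Allow")

# Constructed sample: the page's Default Policy, its "standard users" table,
# and a stricter finance policy that overlaps with it.
DEFAULT = Policy("Default Policy", "all", {c: "Monitor" for c in ALL_CATEGORIES})
STANDARD = Policy("Standard users", "all",
                  dict.fromkeys(ALL_CATEGORIES, "Block") | {"File uploads": "Monitor"},
                  {"api.internal.company.com", "sso.company.com"})
FINANCE = Policy("Finance", "device:finance", {"File uploads": "Block"},
                 {"api.internal.company.com"})
```

A finance device ends up with file uploads blocked and only the domain both policies except still bypassing exfiltration checks, while a device matching no policy keeps the all-Monitor default.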

***

## Default policy

All newly enrolled devices receive the **Default Policy** until a more specific policy is applied. The default policy runs all categories in **Monitor** mode with no exceptions.

***

## Policy sync

Policy changes take effect on enrolled devices within **60 seconds**. Devices poll for policy updates each time a new browser tab is opened and every 60 seconds while the browser is active. There is no need to re-deploy the extension or restart the browser.

If a device is offline when a policy changes, it will apply the updated policy the next time it comes online.

***

## Recommended configurations

### Initial deployment (all users)

All categories in Monitor mode. Run for 2 weeks to establish a detection baseline.

### Production enforcement (standard users)

| Category               | Mode    |
| ---------------------- | ------- |
| Prompt injection       | Block   |
| Data exfiltration      | Block   |
| Token theft            | Block   |
| File uploads           | Monitor |
| Clipboard              | Block   |
| XSS / script injection | Block   |
| Storage protection     | Block   |

### High-security users (finance, legal, privileged access)

All categories in Block mode with a tighter exception list and alerts configured for every violation.

***

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available on this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.highflame.ai/browser-security/policies.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
