Granular Access Control

SquareX’s policy engine is the most advanced web workflow policy framework, providing granular access to all the available properties on the browser along with context and user identity awareness.

From regular site visits, file downloads and browser extensions to complex DLP and identity problems, enterprises can solve any use case with our granular access controls.

The policy engine consists of a Rule Builder and a Lua Policy Scripting Interface. The Rule Builder allows enterprises to use SquareX’s predefined properties, for example, domain age, permissions requested (clipboard, camera, microphone), the currently logged-in account, the source of copied text, and many more.

For highly complex workflows that extend beyond the capabilities of the Rule Builder, enterprises can write Lua scripts that have access to the complete DOM of web pages along with native web APIs. This gives enterprises advanced customization and lets them build security on top of any application of their choice.

Our Policy Engine also has an AI integration, making policy creation seamless with simple text prompts.

Block file uploads to non-company Google Drive

Uploading company documents to unauthorised websites is a major concern for enterprises. A common example is an employee inadvertently uploading a company document to a personal Google account instead of the company’s. Because SquareX has the identity context of the user accessing the application, it can carry out actions such as allowing uploads of specific files to Google Drive only when the user is logged into their company's account. While this seems like a complicated action, the policy is easy to create with the assistance of SquareX’s policy-generating copilot. As an example, simply use the prompt ‘Block source code file upload to drive.google.com when user is not logged into abizzcorp.com’ to generate the appropriate policy. The expected outcome would be:

Isolate access to domains registered within the last 30 days

Newly created domains are frequently used in phishing and other malicious campaigns as they have low traffic and are yet to be analysed by security scanners operated by large enterprises. Isolating these low-credibility sites ensures that they have no access to any data available in the browser. Using the policy-generating copilot, admins can use the prompt ‘Isolate sites created less than 30 days ago’ to generate the appropriate policy. The expected outcome would be:

Isolate sites referred from social networking sites

Malicious actors heavily leverage social networking sites for various campaigns. They start off by building trust and eventually lead the employee to phishing sites or malicious files. For enterprises, it is a safer practice to isolate sites visited and files downloaded from social networking sites. Using the policy-generating copilot, admins can use the prompt ‘Isolate Sites Referred from Social Networking Sites’ to generate this policy. The expected outcome would be:

Block file downloads from websites that contain unicode characters in URL

A few years ago, there was a rise in Unicode domain phishing, a phenomenon whereby a URL that contains Unicode renders in a form that appears similar to the original brand site. Since then, much effort has gone into detecting such URLs, but as with any detection model, the detectors are not perfect and such threats still linger. A snapshot of OpenPhish's link repository will show the prevalence of punycode used in phishing sites. To avoid being detected as spam sites, many of these links redirect to other sites before the file download is presented to the user. Admins can consider blocking file downloads from URLs that contain Unicode characters to avoid the risk. To do so, they can simply give the AI policy generator this prompt: 'Block file downloads from websites that contain unicode characters in URL'. The policy will look like this:
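
Separately from the generated policy, the following is an added example and not SquareX policy syntax or product code: generic JavaScript showing the check this section describes, applied to every hop of a redirect chain because the lookalike URL may only be the first link before the download. The function names and the shape of the redirect-chain input are assumptions made for the illustration.

```javascript
// Added illustration: generic logic, not SquareX policy syntax.
// The function names and redirect-chain input shape are assumptions.
const NON_ASCII = /[^\x00-\x7F]/;
const PCT_HIGH_BYTE = /%[89a-f][0-9a-f]/i; // percent-encoded byte >= 0x80

// Returns a list of reasons why one URL counts as "containing Unicode".
function unicodeFindings(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return ["unparseable URL"]; // fail closed on malformed input
  }
  const findings = [];
  // The URL parser rewrites IDN hosts to ASCII, so an internationalised
  // label shows up with the punycode prefix "xn--" after parsing.
  const idn = url.hostname
    .split(".")
    .filter((l) => l.startsWith("xn--") || NON_ASCII.test(l));
  if (idn.length > 0) findings.push("IDN host label: " + idn.join(", "));
  // Non-ASCII characters in path, query or fragment are (or already were)
  // percent-encoded as UTF-8, so they appear as bytes %80..%FF.
  if (PCT_HIGH_BYTE.test(url.pathname + url.search + url.hash)) {
    findings.push("non-ASCII bytes in path, query or fragment");
  }
  return findings;
}

// Checks every hop, because the lookalike URL may only be the first
// link in a chain that ends at an ordinary-looking download host.
function evaluateDownload(redirectChain) {
  const hits = [];
  redirectChain.forEach((hop, i) => {
    for (const finding of unicodeFindings(hop)) {
      hits.push({ hop: i, url: hop, finding });
    }
  });
  return { action: hits.length > 0 ? "block" : "allow", hits };
}
```

Evaluating only the final download URL would miss a chain whose first hop is the punycode host, which is why the decision is taken over the whole chain.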