---
myst:
  html_meta:
    "description lang=en": "Kasm Workspaces built in Web Filtering configuration. Choose web content to black and whitelist based on URLs and Domain categorization."
    "keywords": "Kasm, Web, Filtering, Proxy, Content, Moderation"
    "property=og:locale": "en_US"
---
```{title} Web Filtering
```
# Web Filtering
Administrators can limit access to websites by defining **Web Filter Policies**.
Once a policy is created, it can be assigned to any number of groups via [Group Settings](../guide/groups.md#group-settings)
or directly to {doc}`Workspaces <../guide/workspaces>`. Policies set on Workspaces take priority over those assigned to Groups.
```{figure} /images/web_filtering/denied.png
:align: center
:width: 90%
Denied Request
```
## Configuration
```{figure} /images/web_filtering/policy.png
:align: center
:width: 80%
Filter Policy
```
```{figure} /images/web_filtering/policy2.png
:align: center
:width: 80%
Filter Policy Contd.
```
```{note}
Use of **Categorization** requires a license. Kasm Workspaces must also have live internet access to communicate with the categorization service.
Please contact your Kasm Technologies representative for details.
```
```{eval-rst}
.. table::
   :widths: 100

   +-----------------------+------------------------------------------------------------------------------------------------------+
   | **Property**          | **Description**                                                                                      |
   +-----------------------+------------------------------------------------------------------------------------------------------+
   | Name                  | A name for the policy                                                                                |
   +-----------------------+------------------------------------------------------------------------------------------------------+
   | Description           | A description for the policy                                                                         |
   +-----------------------+------------------------------------------------------------------------------------------------------+
   | Deny By Default       | If checked, all requests will be **denied** unless the domain is added to the **Domain Whitelist**,  |
   |                       | or the category of the domain is set to **allow**.                                                   |
   |                       |                                                                                                      |
   |                       | If unchecked, all requests will be **allowed** unless the domain is added to                         |
   |                       | the **Domain Blacklist**, or the category of the domain is set to **deny**.                          |
   +-----------------------+------------------------------------------------------------------------------------------------------+
   | Domain Blacklist      | A list of domains to reject. Enter one domain per line. Sub-domains are automatically matched        |
   |                       | unless explicitly defined elsewhere.                                                                 |
   +-----------------------+------------------------------------------------------------------------------------------------------+
   | Domain Whitelist      | A list of domains to allow. Enter one domain per line. In the event of a conflict, the blacklist     |
   |                       | takes priority. Sub-domains are automatically matched unless explicitly defined elsewhere.           |
   +-----------------------+------------------------------------------------------------------------------------------------------+
   | Enable Safe Search    | When enabled, *Safe Search* for popular search engines will be enforced using                        |
   |                       | the **Safe Search Patterns**. Google, Bing, Yandex, DuckDuckGo, and Yahoo are supported by default.  |
   +-----------------------+------------------------------------------------------------------------------------------------------+
   | Enable Categorization | If checked, requested domains will be checked against Kasm's URL categorization service.             |
   |                       | Each category can be set to **Allow**, **Deny**, or **Inherit**. Inherited categories will utilize   |
   |                       | the **Deny By Default** setting.                                                                     |
   |                       |                                                                                                      |
   |                       | Domains specified in the **Domain Whitelist** or **Domain Blacklist** take priority over             |
   |                       | categorization.                                                                                      |
   +-----------------------+------------------------------------------------------------------------------------------------------+
   | URL Categories        | Administrators can choose to **Allow**, **Deny** or **Inherit** the default rule for each category.  |
   |                       | If **Inherit** is selected, the category will be allowed/denied based on the **Deny By Default**     |
   |                       | setting.                                                                                             |
   +-----------------------+------------------------------------------------------------------------------------------------------+
   | Disable Logging       | When enabled, no access-related logs will be produced.                                               |
   +-----------------------+------------------------------------------------------------------------------------------------------+
   | Safe Search Patterns  | A data structure containing the URL rewrite rules used to apply **Safe Search**.                     |
   +-----------------------+------------------------------------------------------------------------------------------------------+
   | SSL Bypass Domains    | Web Filtering uses SSL inspection technology to enforce policy. In some cases, this technology will  |
   |                       | not be compatible with a website. Administrators can enter a list of domains that will bypass this   |
   |                       | inspection to restore functionality. Enter one domain per line. To match all subdomains, prefix      |
   |                       | the domain with a period, for example :code:`.google.com`.                                           |
   +-----------------------+------------------------------------------------------------------------------------------------------+
   | SSL Bypass IPs        | Web Filtering uses SSL inspection technology to enforce policy. In some cases, this technology will  |
   |                       | not be compatible with a website. Administrators can enter a list of IPs that will bypass this       |
   |                       | inspection to restore functionality. Enter one IP address or CIDR range per line.                    |
   +-----------------------+------------------------------------------------------------------------------------------------------+
```
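
The precedence rules in the table (domain lists before categorization, blacklist before whitelist on a conflict, **Inherit** falling back to **Deny By Default**) can be checked against a small model before a policy is assigned. This Python model is an added example, not Kasm's code: the `Policy` class, the `decide` and `most_specific` functions, the category names and the domains are constructed for illustration. It assumes that "unless explicitly defined elsewhere" means the most specific matching list entry wins.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Hypothetical model of the policy properties in the table above."""
    deny_by_default: bool = False
    blacklist: set = field(default_factory=set)      # lower-case domains
    whitelist: set = field(default_factory=set)
    categorization: bool = False
    categories: dict = field(default_factory=dict)   # name -> allow|deny|inherit

def most_specific(host, entries):
    """Longest entry equal to host or to one of its parent domains, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):                     # longest suffix first
        candidate = ".".join(labels[i:])
        if candidate in entries:
            return candidate
    return None

def decide(policy, host, category=None):
    """Return (action, reason); category is the categorization result, if any."""
    black = most_specific(host, policy.blacklist)
    white = most_specific(host, policy.whitelist)
    # Domain lists outrank categorization. Assumption: a more specific entry
    # overrides a parent-domain entry; the same entry in both lists is denied.
    if black and (not white or len(black) >= len(white)):
        return "deny", "blacklist:" + black
    if white:
        return "allow", "whitelist:" + white
    if policy.categorization and category is not None:
        action = policy.categories.get(category, "inherit")
        if action in ("allow", "deny"):
            return action, "category:" + category
    # Inherit, uncategorized, or categorization disabled: use Deny By Default.
    return ("deny" if policy.deny_by_default else "allow"), "default"

# Constructed policy and hosts; the category names are placeholders.
POLICY = Policy(
    deny_by_default=True,
    blacklist={"example.com", "tracker.example.net"},
    whitelist={"example.com", "docs.example.com", "example.net"},
    categorization=True,
    categories={"News": "allow", "Gambling": "deny", "Social": "inherit"},
)

if __name__ == "__main__":
    for host, cat in [("www.example.com", None), ("docs.example.com", None)]:
        print(host, decide(POLICY, host, cat))
```

The returned reason string shows which rule decided the request, which helps when a whitelist entry appears to have no effect because a blacklist entry for the same domain takes priority.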