---
myst:
  html_meta:
    "description lang=en": "Kasm Workspaces built in Web Filtering configuration. Choose web content to black and whitelist based on URLs and Domain categorization."
    "keywords": "Kasm, Web, Filtering, Proxy, Content, Moderation"
    "property=og:locale": "en_US"
---
```{title} Web Filtering
```

# Web Filtering

Administrators can limit access to websites by defining **Web Filter Policies**.

Once a policy is created it can be assigned to any number of groups via [Group Setting](../guide/groups.md#group-settings)
or directly to {doc}`Workspaces <../guide/workspaces>` . Policies set on the Workspaces take priority over those assigned to Groups.

```{figure} /images/web_filtering/denied.png
:align: center
**Denied Request**
```

## Configuration

```{figure} /images/web_filtering/policy.webp
:align: center
**Filter Policy**
```

```{figure} /images/web_filtering/policy2.webp
:align: center
**Filter Policy Advanced**
```

```{note}
Use of the **Categorization** requires a license. Kasm Workspaces must also have live internet access to communicate with the categorization service.
Please contact your Kasm Technologies representative for details.
```

```{eval-rst}
.. table::
    :widths: 100

    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | **Property**          | **Description**                                                                                                                                                                                                               |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Name                  | A name for the policy                                                                                                                                                                                                         |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Description           | A description for the policy                                                                                                                                                                                                  |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Deny By Default       | If checked, all requests will be **denied** unless the domain is added to the **Domain Whitelist**, or the category of the domain is set to **allow**.                                                                        |
    |                       |                                                                                                                                                                                                                               |
    |                       | If unchecked, all requests will be **allowed** unless the domain is added to the **Domain Blacklist**, or the category of the domain is set to **deny**.                                                                      |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Domain Blacklist      | A list of domains to reject. Enter one domain per line. Sub-domains are automatically matched unless explicitly defined elsewhere.                                                                                            |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Domain Whitelist      | A list of domains to allow. Enter one domain per line. In the event of a conflict, the blacklist takes priority. Sub-domains are automatically matched unless explicitly defined elsewehere.                                  |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Enable Safe Search    | When enabled, *Safe Search* for popular search engines will enforced using the **Safe Search Patterns**. Google, Bing, Yandex, DuckDuckGo, and Yahoo are supported by default.                                                |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Enable Categorization | If checked, requested domains will be checked against Kasm's url categorization service. Each category can be set to **Allow**, **Deny**, or **Inherit**. Inherited categories will utilize the **Deny By Default** setting.  |
    |                       |                                                                                                                                                                                                                               |
    |                       | Domains specified in the **Domain Whitelist** or **Domain Blacklist** take priority over categorization.                                                                                                                      |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | URL Categories        | Administrators can choose to **Allow**, **Deny** or **Inherit** the default rule for each category. If **Inherit** is selected, the category will be allowed/denied based on the **Deny By Default** setting                  |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Disable Logging       | When enabled, no access related logs will be produced.                                                                                                                                                                        |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Safe Search Patterns  | A data structure containing the URL rewrite rules used to apply **Safe Search**.                                                                                                                                              |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | SSL Bypass Domains    | Web Filtering uses SSL inspection technology to enforce policy. In some cases, this technology will not be compatible with a website. Administrators can enter a list of domains that will bypass this inspection to restore  |
    |                       | functionality. Enter one domain per line. To match all subdomains domains, prefix a period before the domain :code:`.google.com`                                                                                              |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | SSL Bypass IPs        | Web Filtering uses SSL inspection technology to enforce policy. In some cases, this technology will not be compatible with a website. Administrators can enter a list of IPs that will bypass this inspection to restore      |
    |                       | functionality. Enter an IP or CIDR notation one per line.                                                                                                                                                                     |
    +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+


```