# HTTP Access

<figure><img src="/files/L5O6dX6A7R87qCYdSoU7" alt=""><figcaption></figcaption></figure>

Use **HTTP Access** policies to control outbound HTTP/HTTPS access based on targeting plus URL rules.

***

### How Matching Works (high level)

URL filters:

* normalize URLs (lowercase, query strings stripped)
* support wildcard matching like `https://*.example.com/*`
* apply only to HttpAccess events

### Step-by-Step: Create an HTTP Access policy (via Advanced JSON)

{% stepper %}
{% step %}
**Navigate to Endpoint Privilege Manager → Policies**

<figure><img src="/files/1zuqW2iuxE0cYlLMK4G6" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Click the Create Policy Button**

This will spawn the Create Policy modal form.

<figure><img src="/files/saENuE4ERTA0qZavFS7f" alt="" width="375"><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Define Policy Attributes**

Choose an aptly descriptive name for your new policy.

Choose **any existing policy type available in the UI** for your new policy (this is just a starting template since Update Settings is set in JSON).

Choose a status for your new policy. We recommend monitor mode when initially setting up a policy.

Add one or more Controls by clicking on the "Add Control" button and then selecting the controls that you would like to see applied to your new policy.

Choose a User Group, a Machine Collection, and an Application Collection.
{% endstep %}

{% step %}
**Configure Policy Targeting**

Configure any **targeting** you want in the UI (collections/users/machines/apps/platforms). Who or what does your policy apply to?
{% endstep %}

{% step %}
**Open the Policy’s Advanced Mode (JSON view)**

To open the Policy's Advanced Mode, click on the "Advanced Mode" link in the bottom left corner of the Policy Form.

<figure><img src="/files/cEuE5nTSh76oKvHbGB4q" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Redefine Policy Type in JSON**

Set `PolicyType` to **`"HttpAccess"`**.
{% endstep %}

{% step %}
**Configure URL Filtering**

Configure URL filtering using the policy’s URL filter field(s) in JSON. The exact JSON key names vary by implementation, but the evaluator uses URL patterns and wildcards as described.
{% endstep %}

{% step %}
**Save the Policy**
{% endstep %}
{% endstepper %}

### Important note about field names

The attached docs clearly describe **how URL filtering works**, but they **do not provide a canonical, copy/paste JSON schema** for where URL patterns live in the policy JSON (i.e., the exact property name/path used in exported server policies vs. local policy templates). The “Raw Policy Template Format” shows a generic `Filters: [ { UserCheck..., MachineCheck..., ApplicationCheck... } ]` structure, but doesn’t include an explicit URL example.

So, the examples below are **representative** and align with the documented behavior (PolicyType + URL patterns + optional user/machine/application targeting). You’ll want to adjust the **URL pattern field name** to match what your Admin Console generates in the Advanced tab.

***

## Example JSON Snippets

#### Example 1: Allow Only Specific Domains (allowlist)

```
{
  "PolicyName": "HTTP Access - Allow Example Domains",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "ALLOW"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access allowed by policy.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 25,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://example.com/*",
      "https://*.example.com/*",
      "https://login.microsoftonline.com/*"
    ],
    "Default": "DENY"
  }
}
```

**What this intends:** allow matching URLs; deny everything else (`Default: "DENY"`).

***

#### Example 2: Block Specific Domains (denylist)

```
{
  "PolicyName": "HTTP Access - Block Social Media",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "DENY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access blocked by policy.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 60,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://*.social.example/*",
      "https://social.example/*",
      "https://*.facebook.com/*",
      "https://*.instagram.com/*",
      "https://*.tiktok.com/*"
    ],
    "MatchAction": "DENY"
  }
}
```

**What this intends:** when a URL matches any pattern, deny it.

***

#### Example 3: Block a Domain Only for a Specific App (app-scoped)

```
{
  "PolicyName": "HTTP Access - Block Example.com in Browser Only",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "DENY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access blocked for this application.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 55,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    },
    {
      "RuleName": "ApplicationCheck",
      "ErrorMessage": "This application is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckFile(false)"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://example.com/*",
      "https://*.example.com/*"
    ],
    "MatchAction": "DENY",
    "Notes": "Use ApplicationCheck targeting to scope enforcement to a specific browser/app."
  }
}
```

In this shape, **app scoping is done via the existing `ApplicationCheck` targeting** you already use elsewhere (the HTTP match then happens via `Extension.UrlPatterns`).

***

#### Example 4: Monitor-Only HTTP Access (no block, just notify)

This is useful when you want to stage rollout: match URLs and display a notification without enforcing deny.

```
{
  "PolicyName": "HTTP Access - Monitor Sensitive Domains",
  "PolicyType": "HttpAccess",
  "PolicyId": "REPLACE_WITH_ID",
  "Status": "on",
  "Actions": {
    "OnSuccess": {
      "Controls": [
        "NOTIFY"
      ]
    },
    "OnFailure": {
      "Command": ""
    }
  },
  "NotificationMessage": "HTTP access to a monitored domain was detected.",
  "NotificationRequiresAcknowledge": false,
  "RiskLevel": 40,
  "Operator": "And",
  "Rules": [
    {
      "RuleName": "UserCheck",
      "ErrorMessage": "This user is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckUser()"
    },
    {
      "RuleName": "MachineCheck",
      "ErrorMessage": "This Machine is not included in this policy",
      "RuleExpressionType": "BuiltInAction",
      "Expression": "CheckMachine()"
    }
  ],
  "UserCheck": [],
  "MachineCheck": [],
  "ApplicationCheck": [],
  "DayCheck": [],
  "DateCheck": [],
  "TimeCheck": [],
  "CertificationCheck": [],
  "Extension": {
    "UrlPatterns": [
      "https://*.bank.example/*",
      "https://*.payroll.example/*"
    ],
    "MatchAction": "NOTIFY"
  }
}
```

### Common Quick “drop-in” Edits

* `PolicyId`: keep the ID generated by the UI.
* `Status`: `"on"` or `"off"` depending on rollout.
* `UserCheck`, `MachineCheck`, `ApplicationCheck`: fill these arrays using the same targeting entries your console normally writes.
* `Extension.UrlPatterns`: your allow/deny patterns.

### Validation tips

* Test with an explicit URL first, then widen with wildcards.
* Remember query strings are stripped during normalization, so patterns should usually avoid query parameters.
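One way to dry-run patterns before saving a policy, as an added example rather than Keeper's own code. It models the documented normalization (lowercase, query string stripped) and wildcard matching. Assumptions: `*` matches any run of characters, patterns are compared as written, the fragment is dropped, and an empty path becomes `/`; the function names and sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from Example 1 on this page ("UrlPatterns" is a representative key).
ALLOW_PATTERNS = [
    "https://example.com/*",
    "https://*.example.com/*",
    "https://login.microsoftonline.com/*",
]

def normalize(url):
    """Lowercase the URL and strip the query string, as the page describes.
    Assumption: the fragment is dropped too and an empty path becomes '/'."""
    p = urlsplit(url.strip())
    return f"{p.scheme}://{p.netloc}{p.path or '/'}".lower()

def matches(pattern, url):
    """Assumed semantics: '*' matches any run of characters, whole-string match."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, normalize(url)) is not None

def first_match(patterns, url):
    """Return the first pattern that matches the normalized URL, or None."""
    return next((p for p in patterns if matches(p, url)), None)

def lint(pattern):
    """Flag patterns that depend on something normalization removes."""
    issues = []
    if "?" in pattern:
        issues.append("query strings are stripped before matching")
    if pattern != pattern.lower():
        issues.append("URLs are lowercased before matching")
    return issues

if __name__ == "__main__":
    # Constructed sample URLs: explicit URL first, then wider cases.
    for url in ["https://example.com",
                "HTTPS://Portal.Example.com/Login?next=/Admin",
                "https://example.org/"]:
        print(f"{url!r:50} -> {first_match(ALLOW_PATTERNS, url)}")
    for pattern in ["https://example.com/search?q=*", "https://Example.com/*"]:
        print(f"{pattern!r:50} lint: {lint(pattern)}")
```

Under these assumptions `https://*.example.com/*` does not cover the bare domain, which is why the page's examples list `https://example.com/*` alongside it.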

