From 6d836e26b7b273ada8c891332e9f15d7ad3aabaa Mon Sep 17 00:00:00 2001 From: Catherine Moresco Date: Fri, 1 Dec 2023 10:23:28 -0500 Subject: [PATCH] update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 592695be..6a975ef9 100644 --- a/README.md +++ b/README.md @@ -137,7 +137,6 @@ Three policies are supported: A host can be specified with or without a globbing prefix. The host (without the globbing prefix) must be in Punycode to prevent ambiguity. - | host | valid | | ------------------- | ------- | | `example.com` | yes | 
@@ -161,7 +160,7 @@ For example, specifying `example.com` in your global_allow_list will allow traff Similarly, specifying `malicious.com` in your global_deny_list will deny traffic for that domain on a role, even if that role is set to `report` or `open`. However, if the host specifies `malicious.com` in its `allowed_domains`, traffic to `malicious.com` will be allowed on that role, regardless of policy. -> :warning: **The global_deny_list will only block specific *hostnames*, not entire *destinations*.** For example, if `malicious.com` is in the global_deny_list but the IP address that it resolves to is not, roles with an `open` policy will still be able to access the destination by using its IP address directly. For this reason, **we recommend using allowlists instead of denylists, whenever it is possible to do so.** +> :warning: **The global_deny_list will only block specific *hostnames*, not entire *destinations*.** For example, if `malicious.com` is in the global_deny_list but the IP address that it resolves to is not, roles with an `open` policy will still be able to access the destination by using its IP address directly. For this reason, **we recommend using allowlists instead of denylists** whenever it is possible to do so, and **using config options to block IP addresses** (see the `IP Filtering` section above). If a domain matches both the `global_allow_list` and the `global_deny_list`, the `global_deny_list` behavior takes priority.
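Review bot: In the first hunk (`@@ -137,7 +137,6 @@`), dropping the blank line between "must be in Punycode to prevent ambiguity." and the `| host | valid |` header row is a rendering risk rather than a no-op: several Markdown renderers only start a table after a blank line, and the ones that do let a table follow a paragraph directly will still attach the header row to the preceding paragraph's context. If the removal is intentional, please say so in the commit message (currently just "update README.md") and confirm the table still renders where the README is published; otherwise keep the blank line.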
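Review bot: The second hunk (`@@ -161,7 +160,7 @@`) adds two claims that the diff itself cannot substantiate. First, "(see the `IP Filtering` section above)" points at a heading that does not appear in this patch; please confirm that a section with exactly that title exists earlier in the README and prefer a relative anchor link so the reference does not silently rot if the heading is renamed. Second, "If a domain matches both the `global_allow_list` and the `global_deny_list`, the `global_deny_list` behavior takes priority" is a statement about runtime precedence, and it sits next to the existing sentence saying a role's own `allowed_domains` entry admits `malicious.com` "regardless of policy"; since the two lists and the per-role allowlist interact, this ordering should be backed by a pointer to the resolution code or a test, and it would help the reader to state explicitly that deny-over-allow applies to the two global lists only, not to the per-role `allowed_domains` override described just above.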