# Create a security policy


> Create and customize F5 WAF for NGINX security policies in F5 NGINX Instance Manager using the web interface or REST API.


You can create and manage security policies in F5 NGINX Instance Manager to control F5 WAF for NGINX behavior. When you create a policy, the interface provides guided options and presets aligned with F5 WAF for NGINX. If you’re familiar with WAF configuration, you can also customize your policy directly in JSON.

**Note:** For a full overview of how NGINX Instance Manager handles WAF policy management, compilation, and deployment, see [How WAF policy management works](/nim/waf-integration/overview.md).

---

#### Web interface

To create a security policy using the NGINX Instance Manager web interface:

1. In NGINX Instance Manager, go to **WAF > Policies**.
2. On the **Security Policies** page, select **Create**.
3. In **General Settings**, enter a name and description for the policy.
4. Choose an enforcement mode:
   - **Transparent** – Logs violations but doesn’t block requests.
   - **Blocking** – Blocks requests that match the configured policy.

   In the configuration file, this is set using the `enforcementMode` property.

5. To change character encoding, select **Show Advanced Fields**, then select an application language. The default encoding is Unicode (`utf-8`).

### Configure a policy

When you use the web interface, a default policy is created automatically. You can also select **NGINX Strict** for a stricter configuration.

### Default policy and base template

The default policy is based on the base template, which serves as a starting point for all policies.

**Example default policy:**

```json
{
  "policy": {
    "name": "app_protect_default_policy",
    "template": { "name": "POLICY_TEMPLATE_NGINX_BASE" }
  }
}
```

### Violation rating

The default policy uses the violation rating to assess risk and decide whether to block a request:

| Rating | Description |
|---------|-------------|
| 0 | No violation |
| 1–2 | False positive |
| 3 | Needs examination |
| 4–5 | Threat |

By default, most violations and signature sets have Alarm enabled but not Block. If a request’s violation rating is 4 or 5, it’s blocked by the `VIOL_RATING_THREAT` violation, even if other violations are only set to Alarm. This approach minimizes false positives while maintaining strong protection.

To block requests with a rating of 3, enable blocking for the `VIOL_RATING_NEED_EXAMINATION` violation.

### Default blocking behavior

The following violations and signature sets are considered high accuracy and are configured to block requests regardless of violation rating:

- High-accuracy attack signatures
- Threat campaigns
- Malformed requests (for example, unparsable headers, cookies, or JSON/XML bodies)

#### API

To create a security policy using the REST API, send a `POST` request to the Security Policies endpoint. The JSON policy must be encoded in `base64`. If you send plain JSON, the request fails.

| Method | Endpoint |
|--------|-----------|
| POST | `/api/platform/v1/security/policies` |

**Example:**

```shell
curl -X POST https://<NIM_FQDN>/api/platform/v1/security/policies \
  -H "Authorization: Bearer <access token>" \
  -H "Content-Type: application/json" \
  -d @ignore-xss-example.json
```

#### JSON request

```json
{
  "metadata": {
    "name": "ignore-cross-site-scripting",
    "displayName": "Ignore cross-site scripting",
    "description": "A security policy that intentionally ignores cross-site scripting."
  },
  "content": "ewoJInBvbGljeSI6IHsKCQkibmFtZSI6ICJzaW1wbGUtYmxvY2tpbmctcG9saWN5IiwKCQkic2lnbmF0dXJlcyI6IFsKCQkJewoJCQkJInNpZ25hdHVyZUlkIjogMjAwMDAxODM0LAoJCQkJImVuYWJsZWQiOiBmYWxzZQoJCQl9CgkJXSwKCQkidGVtcGxhdGUiOiB7CgkJCSJuYW1lIjogIlBPTElDWV9URU1QTEFURV9OR0lOWF9CQVNFIgoJCX0sCgkJImFwcGxpY2F0aW9uTGFuZ3VhZ2UiOiAidXRmLTgiLAoJCSJlbmZvcmNlbWVudE1vZGUiOiAiYmxvY2tpbmciCgl9Cn0="
}
```

#### JSON response

```json
{
  "metadata": {
    "created": "2022-04-10T23:19:58.502Z",
    "description": "string",
    "displayName": "Ignore cross-site scripting",
    "modified": "2022-04-12T23:19:58.502Z",
    "name": "ignore-cross-site-scripting",
    "revisionTimestamp": "2022-04-12T23:19:58.502Z",
    "uid": "<policy-uid>"
  },
  "selfLink": {
    "rel": "/api/platform/v1/services/environments/prod"
  }
}
```