# Update a security policy


> Update an existing F5 WAF for NGINX policy using the F5 NGINX Instance Manager web interface or REST API.


You can update an existing F5 WAF for NGINX security policy using either the F5 NGINX Instance Manager web interface or the REST API.

---

#### Web interface

To update a policy in the web interface:

1. Log in to NGINX Instance Manager.
1. From the Launchpad, select **NGINX Instance Manager**.
1. In the left menu, select **WAF > Policies**.
1. On the **Security Policies** page, select **Edit** from the **Actions** column for the policy you want to update.
1. The policy editor opens. Change the policy as described in [Create a security policy](/nim/waf-integration/policies-and-logs/policies/create-policy.md).
1. After making your changes, select **Save**.

**Note:** Editing a policy creates a new revision, whether or not you've deployed it.

#### API

To update a policy using the REST API, use `POST` with `isNewRevision=true`. Both the `POST` and `PUT` methods create a new policy revision. However, `PUT` is deprecated — use `POST` instead.

| Method | Endpoint |
|--------|-----------|
| POST | `/api/platform/v1/security/policies?isNewRevision=true` |
| PUT (deprecated) | `/api/platform/v1/security/policies/{policy_uid}` |

**Example using POST (creates a new policy revision):**

```shell
curl -X POST "https://<NIM_FQDN>/api/platform/v1/security/policies?isNewRevision=true" \
  -H "Authorization: Bearer <access token>" \
  -H "Content-Type: application/json" \
  -d @update-xss-policy.json
```
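The same `POST` call can be wrapped so that the bearer token never appears in the process list or shell history and nothing is sent when an input is malformed. This is an added example, not part of the NGINX Instance Manager documentation or tooling: the function names and the `NIM_TOKEN` environment variable are assumptions, and the payload's contents are not inspected.

```shell
#!/usr/bin/env bash
# Added example. nim_policy_config, nim_policy_update and NIM_TOKEN are
# hypothetical names, not part of NGINX Instance Manager.

# Emit a curl config for the POST update. Feeding it to curl on stdin
# (curl -K -) keeps the bearer token out of argv and shell history.
nim_policy_config() {
  fqdn=$1 payload=$2
  # Hostname characters only, so the value cannot carry a path or extra options.
  case $fqdn in
    ''|*[!A-Za-z0-9.-]*) echo "invalid FQDN: $fqdn" >&2; return 2 ;;
  esac
  # The payload file must exist and be non-empty before anything is sent.
  [ -s "$payload" ] || { echo "missing or empty payload: $payload" >&2; return 3; }
  # Quotes and backslashes would break the quoted config value below.
  case $payload in
    *\"*|*\\*) echo "unsupported character in payload path" >&2; return 3 ;;
  esac
  # Token is read from the environment; anything outside token characters is refused.
  case ${NIM_TOKEN:-} in
    ''|*[!A-Za-z0-9._~+/=-]*) echo "NIM_TOKEN unset or malformed" >&2; return 4 ;;
  esac
  cat <<EOF
url = "https://$fqdn/api/platform/v1/security/policies?isNewRevision=true"
request = "POST"
header = "Authorization: Bearer $NIM_TOKEN"
header = "Content-Type: application/json"
data = "@$payload"
fail
silent
show-error
EOF
}

# Send the update; curl exits non-zero on an HTTP error because of "fail".
nim_policy_update() {
  cfg=$(nim_policy_config "$1" "$2") || return
  printf '%s\n' "$cfg" | curl -K -
}
```

Run it as `nim_policy_update <NIM_FQDN> update-xss-policy.json` with `NIM_TOKEN` set in the environment.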

**Example using PUT (creates a new policy revision, deprecated):**

**Note:** The `PUT` method is deprecated. Use `POST` with `isNewRevision=true` instead.

1. Get the policy UID:

   ```shell
   curl -X GET https://<NIM_FQDN>/api/platform/v1/security/policies \
     -H "Authorization: Bearer <access token>"
   ```

1. Include the UID in your `PUT` request:

   ```shell
   curl -X PUT https://<NIM_FQDN>/api/platform/v1/security/policies/{policy_uid} \
     -H "Authorization: Bearer <access token>" \
     -H "Content-Type: application/json" \
     -d @update-xss-policy.json
   ```

After updating the policy, you can [publish it](/nim/waf-integration/policies-and-logs/publish/publish-to-instances.md) to selected instances or instance groups.


