# Update a security policy

Type of document: How-to guide
Product: NGINX Instance Manager
> Update an existing F5 WAF for NGINX policy using the F5 NGINX Instance Manager web interface or REST API.

---


You can update an existing F5 WAF for NGINX security policy using either the F5 NGINX Instance Manager web interface or the REST API.

---

#### Web interface

To update a policy in the web interface:

1. Log in to NGINX Instance Manager.
1. From the Launchpad, select **NGINX Instance Manager**.
1. In the left menu, select **WAF > Policies**.
1. On the **Security Policies** page, select **Edit** from the **Actions** column for the policy you want to update.
1. The policy editor opens. Change the policy as described in [Create a security policy](/nim/waf-integration/policies-and-logs/policies/create-policy.md).
1. After making your changes, select **Save**.

**Note:** Editing a policy creates a new revision, whether or not you've deployed it.

#### API

To update a policy using the REST API, use `POST` with `isNewRevision=true`. Both the `POST` and `PUT` methods create a new policy revision. However, `PUT` is deprecated — use `POST` instead.

| Method | Endpoint |
|--------|-----------|
| POST | `/api/platform/v1/security/policies?isNewRevision=true` |
| PUT (deprecated) | `/api/platform/v1/security/policies/{policy_uid}` |

**Example using POST (creates a new policy revision):**

```shell
curl -X POST https://<NIM_FQDN>/api/platform/v1/security/policies?isNewRevision=true \
  -H "Authorization: Bearer <access token>" \
  -H "Content-Type: application/json" \
  -d @update-xss-policy.json
```

**Example using PUT (creates a new policy revision, deprecated):**

**Note:** The `PUT` method is deprecated. Use `POST` with `isNewRevision=true` instead.

1. Get the policy UID:

   ```shell
   curl -X GET https://<NIM_FQDN>/api/platform/v1/security/policies \
     -H "Authorization: Bearer <access token>"
   ```

1. Include the UID in your `PUT` request:

   ```shell
   curl -X PUT https://<NIM_FQDN>/api/platform/v1/security/policies/{policy-uid} \
     -H "Authorization: Bearer <access token>" \
     -H "Content-Type: application/json" \
     -d @update-xss-policy.json
   ```

After updating the policy, you can [publish it](/nim/waf-integration/policies-and-logs/publish/publish-to-instances.md) to selected instances or instance groups.


