# Onboard custom security policies Type of document: How-to guide Product: NGINX Instance Manager > Upload and prepare your own security policy bundles for use with F5 NGINX Instance Manager. --- After verifying that F5 WAF for NGINX is active on your instances, you can onboard your own custom security policies. Use this option when you need to apply application-specific rules or integrate policies created in other environments. You’ll upload your JSON policy files, package them into `.tgz` bundles, and publish them through **F5 NGINX Instance Manager**. ## Before you begin - Make sure the policy you plan to onboard is valid JSON and follows the F5 WAF for NGINX schema. - Confirm that the NGINX Agent has permission to access the directory where you’ll store your bundles. - Review the [F5 WAF for NGINX configuration guide](/waf/policies/configuration.md) for examples of policy structure and directive usage. ## Upload and publish a custom policy #### Web interface 1. In a web browser, go to the FQDN for your NGINX Instance Manager host and log in. Then, select **Instance Manager** from the Launchpad menu. 2. In the left menu, select **Security Policies**. 3. Choose **Upload Policy**, then select your `.json` or `.tgz` policy file. 4. If you uploaded a `.json` file, **NGINX Instance Manager** automatically compiles it into a `.tgz` bundle. 5. After upload, select **Publish** to make the policy available to your instances. #### API **Note:** Use tools such as `curl` or [Postman](https://www.postman.com) to send requests to the NGINX Instance Manager REST API. The API base URL is `https:///api/[nim|platform]/`. All requests require authentication. For details on authentication methods, see the [API overview](/nim/fundamentals/api-overview.md). Use the **NGINX Instance Manager** REST API to onboard policies programmatically. | Method | Endpoint | |--------|-----------| | POST | `/api/platform/v1/security/policies` | | GET | `/api/platform/v1/security/policies` | Example — upload and publish a policy: ```shell curl -X POST https://{{NMS_FQDN}}/api/platform/v1/security/policies \ -H "Authorization: Bearer " \ --header "Content-Type: multipart/form-data" \ -F "file=@my-custom-policy.json" ``` The API response includes the policy ID. Use that ID to reference your custom policy in your NGINX configuration: ```nginx app_protect_policy_file /etc/nms/my-custom-policy.tgz; ```