Malicious Sites policy
Your first line of defense. Malicious Sites checks every outbound URL against multiple threat-intelligence feeds and flags any link pointing to known malware, phishing, scams, or compromised domains, in real time, as your visitors hit those pages.
, enable this policy first, before anything else.
enable →What it does
The Malicious Sites policy continuously matches every link on your site against comprehensive databases of known malicious domains. When any match fires, you get a critical alert with the source page, the target URL, and the threat category.
Why it matters
A malicious link in a footnote you published five years ago still carries your domain's reputation. If a reader clicks through from your site and gets phished, your brand is the one named in the post-mortem. This policy is the lowest-effort, highest-leverage way to prevent that.
Configuration
There's no config file to edit. Every policy is configured from its card in the dashboard, under Policies. Toggle it on, set the severity, choose which threat feeds to consult, and pick where alerts are routed. Severity defaults to CRITICAL; lower it to HIGH if you want the policy to fire without paging an on-call.
Changes save instantly and apply from the next scan. No deploy, no config file, no restart.
Severity levels
What you'll see
A fired incident includes the offending URL, the page it was found on, the threat feed that flagged it, the timestamp of the first sighting, and the suggested response. Incidents land in the dashboard at /dashboard/violations and (per your routing) in Slack, email, or webhook.
Best practices
- Leave the default
CRITICALseverity in place. False positives on a curated threat feed are vanishingly rare. - Route Malicious Sites to a paging channel. The half-life of a malicious link is hours, not days.
- Use Custom Blocklist to add internal deny rules on top of the public feeds — your competitor's tracking subdomain, a recurring spammer, anything specific to your operation.