Allow and deny lists help you customize Content Guard Pro’s detection to reduce false positives and catch site-specific threats.
Understanding Allow/Deny Lists #
Allowlist #
Domains and patterns that should NOT trigger findings:
- Your trusted third-party services
- CDNs you use
- Analytics and tracking services
- Social media embeds
Denylist #
Domains and patterns that should ALWAYS trigger findings:
- Known malicious domains
- Competitors (for SEO monitoring)
- Previously infected domains
Default Allowlist #
Content Guard Pro includes these trusted domains by default:
Video Platforms:
- youtube.com, youtu.be
- vimeo.com
Social Media:
- twitter.com, x.com
- facebook.com
- instagram.com
- linkedin.com
- pinterest.com
- tiktok.com
Google Services:
- google.com, googleapis.com
- gstatic.com, maps.google.com
CDNs:
- cloudflare.com, cdnjs.cloudflare.com
- unpkg.com, jsdelivr.net
WordPress:
- wordpress.org, wordpress.com
- gravatar.com, w.org
Managing the Allowlist #
Adding Domains #
1. Go to Content Guard Pro → Patterns
2. Find the Allowlist section
3. Add domains (one per line)
4. Click Save Changes
Format Examples:
analytics.google.com
cdn.yoursite.com
*.trusted-cdn.com
Wildcard Support #
Use * for wildcard matching:
*.example.com– Matches any subdomaincdn-*.yoursite.com– Matches cdn-1, cdn-2, etc.
Removing Domains #
1. Go to Patterns page
2. Delete the line with the domain
3. Save changes
Note: You cannot remove default allowlist entries, but can override with denylist if needed.
Managing the Denylist #
Adding to Denylist #
1. Go to Content Guard Pro → Patterns
2. Find the Denylist section
3. Add domains or patterns (one per line)
4. Click Save Changes
Pattern Types #
Domain matching:
blocked-domain.example
spam-network.example
Regex patterns (advanced):
/pharma-spam-d+.com/i
/casino.*.net/i
Allowlist vs. Denylist Priority #
When a URL matches both lists:
1. Denylist takes priority – URL is flagged
2. This allows overriding default allowlist entries
Example:
cdn.example.comis on allowlist- You add
cdn.example.comto denylist - Result: URL is flagged as finding
Quick Allowlist from Findings #
From Finding Details #
1. View a finding that’s a false positive
2. Click Add to Allowlist
3. Domain is automatically added
4. Future scans won’t flag this domain
From Ignore Action #
1. Click Ignore on a finding
2. Optionally check Add domain to allowlist
3. Finding is ignored AND domain allowlisted
Best Practices #
What to Allowlist #
✅ Good candidates:
- Your own CDN domains
- Analytics services you use
- Legitimate embed services
- Marketing tools (HubSpot, Mailchimp)
- Payment processors
- Social media platforms
❌ Avoid allowlisting:
- URL shorteners (bit.ly, etc.)
- Unknown domains
- Domains from suspicious findings
- Anything you’re not 100% sure about
What to Denylist #
✅ Good candidates:
- Domains from confirmed attacks
- Known malware domains
- Spam domains from your industry
- Competitors (for SEO monitoring)
Regular Review #
1. Monthly: Review allowlist for still-needed entries
2. After incidents: Add confirmed malicious domains to denylist
3. When adding services: Proactively allowlist new integrations
Import/Export #
Export Lists #
1. Go to Patterns page
2. Click Export
3. Download includes both allow and deny lists
4. JSON format for easy editing
Import Lists #
1. Go to Patterns page
2. Click Import
3. Select your JSON file
4. Choose merge or replace
5. Click Import
Bulk Import Format #
{
"allowlist": [
"cdn.example.com",
"analytics.example.com"
],
"denylist": [
"blocked.example.com",
"/spam-pattern-\d+\.com/i"
]
}
Troubleshooting #
Domain Not Being Allowlisted #
1. Check exact match: www.example.com ≠ example.com
2. Use wildcard: *.example.com covers subdomains
3. Check for typos: Domain must match exactly
4. Clear cache: Pattern cache refreshes hourly
Regex Not Working #
1. Check syntax: Must be valid PHP regex
2. Include delimiters: /pattern/i
3. Escape special chars: . for literal dot
4. Test the pattern: Use regex tester
Denylist Override Not Working #
1. Clear pattern cache: Settings → Clear Pattern Cache
2. Run new scan: Changes apply to new scans
3. Check exact domain: Must match what’s in allowlist
