# Yandex Smart Web Security overview

Smart Web Security protects your infrastructure against cybersecurity threats at the OSI application layer (L7). These may include DDoS attacks, bots, and SQL injections. In addition, you can enable DDoS protection at L3 and L4 using [Yandex DDoS Protection](../../vpc/ddos-protection/index.md).

Smart Web Security is a toolkit to protect infrastructures of various complexity and scale. Protection is achieved by cleaning malicious traffic from the incoming traffic flow. The traffic is checked against filtering rules in a security profile. You can additionally process the cleaned traffic with ARL profile rules to reduce the load on your application.

A security profile may include:

* Basic rules for simple traffic filtering based on specified conditions.
* Smart Protection rules for automatic protection against DDoS attacks with machine learning and behavior analysis algorithms.
* WAF profile rules for protection against web app or website vulnerability exploits. They block many known threats, such as SQL and command injections, cross-site scripting, and more. You can add multiple rule sets to a WAF profile, e.g., [OWASP CRS](https://owasp.org/www-project-modsecurity-core-rule-set/), [Yandex Ruleset](waf.md#yandex-ruleset), and [ML WAF (Yandex Malicious Score)](waf.md#yandex-ml-ruleset).
* Built-in [Yandex SmartCaptcha](../../smartcaptcha/index.md) to run [CAPTCHA](https://en.wikipedia.org/wiki/CAPTCHA) checks against bots and spam.
* IP address filtering lists to allow or block requests from specified IP addresses.

An ARL profile contains rules for limiting the number of requests to the protected resource based on various conditions.

You can connect a security profile to various types of resources:

* [Virtual host](../../application-load-balancer/concepts/http-router.md#virtual-host) or [ingress controller](../../application-load-balancer/tools/k8s-ingress-controller/index.md#smart-web-security) to protect resources that use Yandex Application Load Balancer. 
* [API Gateway](../../api-gateway/concepts/index.md) to protect the APIs of your applications.
* [Domain](domain-protect.md) to protect your website or web application hosted in Yandex Cloud, your internal infrastructure, or other platforms.

Smart Web Security allows you to create multiple security profiles and use them to consolidate various security tools.

## How it works {#how-it-works}

Smart Web Security checks the HTTP requests sent to the protected resource via the virtual host of the L7 load balancer against the [rules](rules.md) configured in the [security profile](profiles.md). Depending on the results of the check, the requests are routed to the virtual host, blocked, or sent to [Yandex SmartCaptcha](../../smartcaptcha/index.md) for additional verification.

![schema](../../_assets/smartwebsecurity/schema.svg)

To protect your web applications against external threats, Smart Web Security also implements a [web application firewall (WAF)](waf.md).

[Advanced Rate Limiter (ARL)](arl.md) helps monitor and limit your web application loads.

## Monitoring and audit {#monitoring-audit}

Smart Web Security logs are sent to [Yandex Cloud Logging](../../logging/index.md).

Smart Web Security metrics are sent to [Yandex Monitoring](../../monitoring/index.md).

Smart Web Security audit logs are sent to [Yandex Audit Trails](../../audit-trails/index.md).

{% note info %}

To enhance your security, we use HTTP request data to train our machine learning (ML) models. You can disable the use of this data in the [management console](https://console.yandex.cloud) when creating a security profile or later in its settings.

{% endnote %}

## Application Load Balancer setup recommendations {#alb-settings-recommendation}

To enhance DDoS protection of your applications, consider these additional tips:

* Configure [autoscaling](../../application-load-balancer/concepts/application-load-balancer.md#lcu-scaling). This will allow you to dynamically adapt to the increased load and optimize traffic redistribution.
* Deploy your resources across multiple [availability zones](../../overview/concepts/geo-scope.md).
* Use HTTPS for secure communication: [configure a listener](../../application-load-balancer/concepts/application-load-balancer.md#listener) to automatically redirect requests from HTTP to HTTPS.
* Ensure protection at the lower OSI model layers: [enable](../tutorials/alb-with-ddos-protection/console.md) basic DDoS protection at L3 and L4 to prevent some attacks at an earlier stage.

These measures, in addition to setting up Smart Web Security, will increase the resilience of your services to potential threats and ensure the security of your applications.