[Yandex Cloud documentation](../index.md) > [Yandex Smart Web Security](index.md) > Release notes

# Yandex Smart Web Security release notes

## Q1 2026 {#q1-2026}

* Added [response page templates](concepts/response-templates.md), i.e., customizable pages Smart Web Security returns to the client if the request is blocked. With a template, you can set page response code, format (HTML, JSON, XML), and content. You can assign a template to a security profile, ARL profile, or specific rule.

* Added support for [fingerprints](concepts/botes.md#fingerprint), i.e., JA3 and JA4 SSL/TLS connection IDs. You can use fingerprints in traffic filtering to block malicious bots and reduce false positives.

* Released a new version of [Yandex Ruleset 0.1.1](concepts/waf.md#version-0-1-1). This version includes 129 rules, 34 of which are new rules targeting critical CVEs in widely used technologies. Expanded coverage for LFI, RCE, and SQLi attacks; reduced the false positive rate.

* All resources that can be protected by Smart Web Security have been added to the security profile page. This allows you to attach the profile to a [virtual host, domain, or API gateway](operations/host-connect.md) in the same place.

## Q4 2025 {#q4-2025}

* For an ARL profile, added new [available actions](concepts/arl.md#over-limit-actions) when exceeding the request limit:
  
  * Block requests for a fixed period of time, from one second to 24 hours. Use this action for enhanced protection against bots, scrapers, brute-force attacks, or spam, when you need to prioritize reliability over availability. For example, it is a good fit for login pages or message submission forms. This action requires request grouping.
  
  * Send requests exceeding the limit to [SmartCaptcha](../smartcaptcha/index.md). You can configure CAPTCHA through the security profile associated with the ARL profile. This action helps differentiate legitimate users from bots.

* Added tools for [bot traffic management](concepts/botes.md) and malicious bot detection:

  * List of verified bot categories based on their purpose or nature of action (AcademicResearchBot, AISearchBot).
  * Up-to-date lists of legitimate bots used by various services and companies (e.g., Yandex, Googlebot, or Bing).
  * Specific attribute to distinguish a verified bot.
  * Configurable bot score thresholds from 0 to 100 for rule customization.

  For bot management, use traffic [conditions](concepts/conditions.md) in [security profile](concepts/profiles.md) (basic, Smart Protection, or WAF) and [ARL profile](concepts/arl.md) rules.

  Check [SWS logs](concepts/logging.md) for traffic filtering results and bot scores.

* Supported filtering by [ASN](https://wikipedia.org/wiki/Autonomous_system_(Internet)) in traffic [conditions](concepts/conditions.md). This feature will help you restrict or allow traffic from specific internet providers.

## Q3 2025 {#q3-2025}

* Added new [rule sets](concepts/waf.md#rules-set) to the WAF profile: ML WAL, Yandex Ruleset, and [OWASP CRS 4.8.0](https://owasp.org/www-project-modsecurity-core-rule-set/).

    * ML WAF (Yandex Malicious Score) leverages ML algorithms to detect and block attacks that evade the signature-based method. Its rules automatically adjust to new attack tactics. We recommend using this rule set as an addition to the OWASP or Yandex Ruleset.

    * Yandex Ruleset was developed based on real-world experience of protecting Yandex services. It includes rules to detect known attack patterns (signatures), such as code injections (SQLi, XSS), CVE vulnerabilities, and remote code execution. The rule set is continuously updated to protect against new threats as they emerge.

    Yandex rule sets are at the [Preview](../overview/concepts/launch-stages.md) stage.

* Implemented [advanced logging](concepts/logging.md) via Smart Web Security with more flexible log collection [settings](operations/configure-logging.md). Previously, logs were written via Application Load Balancer and contained less information about rules and requests that triggered them.

    Logging via SWS is at the [Preview](../overview/concepts/launch-stages.md) stage. To view logs in the SWS interface, send a request to [support](https://center.yandex.cloud/support).

* You can now [deactivate](operations/host-connect.md#host) the use of a Smart Web Security security profile to check traffic on a specific virtual host route. This can be of use when, on some routes, requests come from trusted sources and need not be analyzed.

  The `disable-security-profile` parameter was added to Application Load Balancer route management commands.

  This feature is available through the [Yandex Cloud CLI](../application-load-balancer/cli-ref/index.md), [Terraform](../application-load-balancer/tf-ref.md), and [API](../application-load-balancer/api-ref/authentication.md).

## Q2 2025 {#q2-2025}

* Added a new functionality: [domains](concepts/domain-protect.md) for protection of websites and web applications hosted in Yandex Cloud or other platforms that do not use the L7 Application Load Balancer.
  
    In addition to protection, we provide a proxy server with load balancing, request analysis and routing, and basic [DDoS protection](../vpc/ddos-protection/index.md).

    The domain protection functionality is at the [Preview](../overview/concepts/launch-stages.md) stage.

* Added [subscription billing](pricing.md) allowing you to predict information security costs and optimize resource spending.

## January 2025 {#jan-2025}

Smart Web Security was certified for compliance with [152-FZ, GOST R 57580, and PCI DSS](https://yandex.cloud/ru/security/standards).

## Q4 2024 {#q4-2024}

* Added the [IP blacklist and whitelist](concepts/lists.md) feature to manage the traffic and create security rules based on IP reputation analysis. You can use the preset Yandex Cloud blacklists and whitelists or create your own.
* Added the [calculator](pricing.md) for quicker service cost calculations.
* Improved low-rate DoS analysis and blocking algorithms.
* Optimized the error code page size.
* Smart Web Security successfully passed an external audit for 152-FZ, GOST R 57580, and PCI DSS compliance.

## Q3 2024 {#q3-2024}

* Web Application Firewall (WAF) and Advanced Rate Limiter (ARL) entered the [General Availability](../overview/concepts/launch-stages.md) stage.
* Changes in the pricing: 
  * You only pay for [legitimate](concepts/rules.md#rule-action) requests.
  * Profiles and rules are not billable.
* Under basic rules, you can now send requests to [Yandex SmartCaptcha](../smartcaptcha/index.md).
* Implemented sending [data events](at-ref.md#data-plane-events) to Yandex Audit Trails: `ArlMatchedRequest`, `WafMatchedExclusionRule`, and `WafMatchedRule`.
* API, CLI, and Terraform are now supported.
* For traffic conditions that use regular expressions, you can now use case-sensitive string search. For more information, see [Regular expression format](concepts/conditions.md#regular-expressions).

## Q2 2024 {#q2-2024}

* Implemented [Web Application Firewall (WAF)](concepts/waf.md) to protect web applications against external threats, such as SQL injections, cross-site scripting, and other vulnerabilities. WAF analyzes and filters HTTP requests blocking potentially malicious data.

    This feature is available at the [Preview](../overview/concepts/launch-stages.md) stage.

* Implemented [Advanced Rate Limiter (ARL)](concepts/arl.md) to manage web app loads. ARL allows you to set a limit on the number of requests over a certain period of time. This prevents overload and ensures stable operation of the application.

    This feature is available at the [Preview](../overview/concepts/launch-stages.md) stage.

## Q1 2024 {#q1-2024}

* The service has entered the [General Availability](../overview/concepts/launch-stages.md) stage.
* Added the [Yandex SmartCaptcha](../smartcaptcha/index.md) custom CAPTCHA option.
* Added the [limit](concepts/limits.md#limits) for the maximum number of requests per second (RPS) in total for all load balancer virtual hosts connected to the same security profile.
* Added logs of a security profile connected to a virtual host to the [Yandex Application Load Balancer](../application-load-balancer/index.md) log list.
* Implemented sending management event [audit logs](at-ref.md) in [Yandex Audit Trails](../audit-trails/index.md).

## Q4 2023 {#q4-2023}

* Now you can create security profiles from a preset template.
* Implemented sending [metrics](metrics.md) to [Yandex Monitoring](../monitoring/index.md).
* Fixed the error of matching a string in the `Host` [condition](concepts/conditions.md) when creating a security rule.
* Improved the stability by implementing a new pattern for [Application Load Balancer](../application-load-balancer/index.md) and Smart Web Security interaction.

## Q3 2023 {#q3-2023}

* The service is available at the [Preview](../overview/concepts/launch-stages.md) stage.