# Setup Web User Response Pages

open-appsec protects web servers from attacks when set to **Prevent** mode. You can configure the response returned to the client that initiated the blocked traffic. The response can be a simple HTTP error code, an HTTP redirect message, or a Block page that a user can view in their browser.

## Setup a Web User Response Object

#### Step 1: Go to Behaviors and create a new Web User Response

If no behavior objects have been configured yet, you will see the following screen:

![](/files/OFjohEIaeafk6BCMctDE)

Alternatively, the following screen with a "New" button at the top is shown:

![](/files/5pDkkDydPGDuQ8RgqQ0d)

#### Step 2: Select the type of the Web User Response and fill the form

Create a unique name for your Web User Response object and select a Type.

There are 3 types of Web User Response objects:

{% tabs %}
{% tab title="Block Page" %}
This option is not recommended for CloudGuard AppSec protecting Web API assets, as it is designed to be seen by human users.

![](/files/bwOBwFB16nVK2l3nnpNX)

* **Message title:** The title of the web page to be shown to the user sending the malicious traffic.
* **Message body:** The body of the message to be shown to the user.
* **HTTP Response Code:** It is recommended to use a 403 (Forbidden) as a response code.

{% hint style="info" %}
Different browsers behave differently upon receiving different error codes.
{% endhint %}

{% hint style="info" %}
Using response code 444 resets the connection, so the message title and body will not be seen by the user.
{% endhint %}
{% endtab %}

{% tab title="Redirect" %}
![](/files/gwA5M1IExoLpkyz1IrF9)

* **Redirect URL:** The client will be redirected to the provided URL, where you can provide any customized web page.
* **Add X-Event-Id to header:** When selected, the redirect message will include this header with a value that provides an internal reference ID that will match a security log generated by the incident, if log triggers are configured.
{% endtab %}

{% tab title="Response Code Only" %}
This option is recommended for open-appsec protecting Web API assets.

![](/files/ybtdBkXkoqLPiJfugNoe)

* **HTTP Response Code:** It is recommended to use a 403 (Forbidden) as a response code.

{% hint style="info" %}
Different clients may behave differently upon receiving different error codes.
{% endhint %}

{% endtab %}
{% endtabs %}

## Configure your AppSec practice to use the new Web User Response

#### Step 1: Select the assets you wish to use this Web User Response upon event detection

Go to **Assets** and edit the asset you wish to modify.

Select the **Web Attacks** tab and scroll to the bottom.

<figure><img src="/files/HcU7Ndvp3tTubf0iihYp" alt=""><figcaption></figcaption></figure>

#### Step 2: Select the Web User Response object

Once selected, you will see the object shown as part of the AppSec Security Practice configuration:

<div align="left"><img src="/files/RDkw5FsTo5LazcnNSuLV" alt=""></div>

#### Step 3: Enforce Policy

Policy is enforced after clicking **Enforce** above the top banner of the portal.
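To confirm after enforcement that a blocked request receives the response you configured, the following added example (not open-appsec's own code) classifies a captured raw HTTP response as one of the three Web User Response types and reports mismatches. The sample responses, the event ID value, the redirect URL, and the treatment of any 3xx status as a redirect are constructed assumptions.

```python
from email.parser import BytesParser

def classify(raw: bytes) -> dict:
    """Map a captured raw HTTP response to a Web User Response type."""
    if not raw:
        # Response code 444 resets the connection: no bytes reach the client.
        return {"type": "connection-reset", "status": None,
                "location": None, "event_id": None}
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split()[1].decode("ascii"))
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    location = headers.get("Location")
    if 300 <= status < 400 and location:  # assumption: any 3xx counts as Redirect
        kind = "redirect"
    elif body.strip():
        kind = "block-page"
    else:
        kind = "response-code-only"
    return {"type": kind, "status": status, "location": location,
            "event_id": headers.get("X-Event-Id")}

def verify(raw, want_type, want_status=403, want_event_id=False):
    """Return a list of mismatches between the response and the configured object."""
    got, problems = classify(raw), []
    if got["type"] != want_type:
        problems.append(f"type is {got['type']}, expected {want_type}")
    if want_type in ("block-page", "response-code-only") and got["status"] != want_status:
        problems.append(f"status is {got['status']}, expected {want_status}")
    if want_event_id and not got["event_id"]:
        problems.append("X-Event-Id header missing")
    return problems

# Constructed sample responses (not captured from a real deployment).
BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
              b"<html><head><title>Blocked</title></head><body>Request blocked</body></html>")
REDIRECT = (b"HTTP/1.1 307 Temporary Redirect\r\n"
            b"Location: https://example.com/blocked\r\n"
            b"X-Event-Id: 00000000-0000-0000-0000-000000000000\r\n\r\n")
CODE_ONLY = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("block page", BLOCK_PAGE), ("redirect", REDIRECT),
                      ("code only", CODE_ONLY), ("444", b"")]:
        print(name, classify(raw), verify(raw, classify(raw)["type"]))
```

When a Redirect response carries `X-Event-Id`, the extracted value is the reference to look up in the security log generated for the incident.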


