# Setup Web User Response Pages

open-appsec protects web servers from attacks when set to **Prevent** mode. You can configure the response returned to the client that initiated the blocked traffic. The response can be a simple HTTP error code, an HTTP redirect message, or a Block page that a user can view in their browser.

## Setup a Web User Response Object

#### Step 1: Go to Behaviors and create a new Web User Response

If no behavior objects have been configured yet, you will see the following screen:

![](https://1225393248-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNcZmX14M2KdTBrq9EOnI%2Fuploads%2F1E9fXQHAxeQsfrnQGkZg%2Fopenappsec-behaviors-no-behaviors.PNG?alt=media\&token=9fe4e738-9c04-4cf7-8409-dd2a828ce68f)

Alternatively, the following screen with a "New" button at the top is shown:

![](https://1225393248-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNcZmX14M2KdTBrq9EOnI%2Fuploads%2FLXhoCLbxNEZ0CCfSydyl%2Fopenappsec-behaviors-view.PNG?alt=media\&token=eb1a6048-53d2-4ae0-ab03-45da3c967f9b)

#### Step 2: Select the type of the Web User Response and fill the form

Create a unique name for your Web User Response object and select a Type.

There are 3 types of Web User Response objects:

{% tabs %}
{% tab title="Block Page" %}
This option is not recommended for CloudGuard AppSec protecting Web API assets, as it is designed to be seen by human users.

![](https://1225393248-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNcZmX14M2KdTBrq9EOnI%2Fuploads%2F0flFIdX5DokgNzensPi7%2Fopenappsec-behaviors-edit-block-page.PNG?alt=media\&token=1dc7d983-a026-47f7-92e2-8cb1778bff3e)

* **Message title:** The title of the web page to be shown to the user sending the malicious traffic.
* **Message body:** The body of the message to be shown to the user.
* **HTTP Response Code:** It is recommended to use a 403 (Forbidden) as a response code.

{% hint style="info" %}
Different browsers behave differently upon receiving different error codes.
{% endhint %}

{% hint style="info" %}
Using the Response code 444 will in fact reset the connection, and the Message title and body will not be seen by the user.
{% endhint %}
{% endtab %}

{% tab title="Redirect" %}
![](https://1225393248-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNcZmX14M2KdTBrq9EOnI%2Fuploads%2F0rX5WwomQfcGlxVfZdtr%2Fopenappsec-behaviors-edit-redirect.PNG?alt=media\&token=43d54d6b-c1c7-40c1-b935-3c6278c5022d)

* **Redirect URL:** The client will be redirected to the provided URL, where you can provide any customized web page.
* **Add X-Event-Id to header:** When selected, the redirect message will include this header with a value that provides an internal reference ID that will match a security log generated by the incident, if log triggers are configured.

{% endtab %}

{% tab title="Response Code Only" %}
This option is recommended for open-appsec protecting Web API assets.

![](https://1225393248-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNcZmX14M2KdTBrq9EOnI%2Fuploads%2FTVvJ3mtNvLNPvabkADSL%2Fopenappsec-behaviors-edit-response-code-only.PNG?alt=media\&token=a7de65d5-0402-46af-a94f-e14a3118dd17)

* **HTTP Response Code:** It is recommended to use a 403 (Forbidden) as a response code.

{% hint style="info" %}
Different clients may behave differently upon receiving different error codes.
{% endhint %}

{% endtab %}
{% endtabs %}

## Configure your AppSec practice to use the new Web User Response

#### Step 1: Select the assets that should use this Web User Response upon event detection

Go to **Assets** and edit the asset you wish to modify.

Select the **Web Attacks** tab and scroll to the bottom.

<figure><img src="https://1225393248-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNcZmX14M2KdTBrq9EOnI%2Fuploads%2FwkPiqEoc30UflQwlpihy%2Fimage.png?alt=media&#x26;token=dd9326bd-1e20-48a0-8f12-4ccbbd7869df" alt=""><figcaption></figcaption></figure>

#### Step 2: Select the Web User Response object

Once selected, you will see the object shown as part of the AppSec Security Practice configuration:

<div align="left"><img src="https://1225393248-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNcZmX14M2KdTBrq9EOnI%2Fuploads%2F5dwA5sVYq3TNfnrh4PMK%2Fappsec-assets-practice-web-user-response-configured.PNG?alt=media&#x26;token=425fc17f-669b-4113-b2bf-4660ce9b7fd5" alt=""></div>

#### Step 3: Enforce Policy

Policy is enforced after clicking **Enforce** above the top banner of the portal.
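
To confirm after enforcement which Web User Response a blocked request actually receives, the following added example (not part of the open-appsec product or its documentation) classifies an observed response into the three types described above, plus the connection reset described for code 444, and extracts `X-Event-Id` for correlation with the security log. The names `classify` and `probe`, the sample values, and the empty-body heuristic for Response Code Only are assumptions.

```python
import http.client
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass
class Observed:
    kind: str                 # block-page | redirect | response-code-only | connection-reset
    status: Optional[int]
    event_id: Optional[str]   # X-Event-Id value, if the redirect carried one
    location: Optional[str]


def classify(status: Optional[int], headers: Mapping[str, str], body: bytes) -> Observed:
    """Map one observed response onto the Web User Response types (hypothetical helper)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status is None:
        # No HTTP response at all: what the page describes for response code 444.
        return Observed("connection-reset", None, None, None)
    if 300 <= status < 400 and "location" in h:
        return Observed("redirect", status, h.get("x-event-id"), h["location"])
    # Assumption: Response Code Only sends no body; a Block Page sends a title and body.
    kind = "block-page" if body.strip() else "response-code-only"
    return Observed(kind, status, None, None)


def probe(host: str, path: str, port: int = 80) -> Observed:
    """Send one GET without following redirects, so Location and X-Event-Id stay visible."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()), resp.read())
    except ConnectionResetError:  # also covers http.client.RemoteDisconnected
        return classify(None, {}, b"")
    finally:
        conn.close()


# Constructed sample responses (not captured from a real deployment).
SAMPLES = {
    "redirect": (302, {"Location": "https://example.com/blocked",
                       "X-Event-Id": "constructed-event-id-0001"}, b""),
    "block-page": (403, {"Content-Type": "text/html"}, b"<html><title>Blocked</title></html>"),
    "response-code-only": (403, {}, b""),
    "connection-reset": (None, {}, b""),
}
```

Call `probe` with a request your policy is known to block and compare the returned `kind` with the object selected on the asset. An `event_id` of `None` on a redirect means the response carried no `X-Event-Id` header.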
