Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Protect Text Upload

  1. Last updated
  2. Save as PDF

Text Upload Protection is designed to prevent the unauthorized transmission of sensitive information through browser‑based text interactions. This capability actively monitors actions such as pasting text and dropping content into web applications. It intercepts inputs at the browser level, ensuring that sensitive data is not inadvertently or maliciously uploaded. This capability functions as a safeguard against data leakage, applying SWG policies to block or control text uploads before they reach the destination application. Because it operates within the browser, Text Upload Protection is application‑agnostic and works across a wide range of services, including cloud storage platforms, collaboration tools, messaging applications, and productivity suites.

This capability scans text before it is transmitted, closing gaps that traditional network-level inspection might miss, especially when technologies such as end-to-end encryption or WebSockets prevent the SWG from analyzing the content. In these situations, browser‑level enforcement ensures sensitive information is detected and blocked before it leaves the user’s environment.

How Does it Work?

When text is passed to a browser‑based application, whether through pasting or dropping it is intercepted and submitted to SWG for scanning against the organization’s configured Web and DLP policies.

SWG applies existing Web and DLP rules to identify sensitive data patterns and perform real‑time content inspection before the text is released to the destination application. During this inspection, SWG verifies compliance with the configured policies, including all DLP and other security rules.

If sensitive data is detected or a policy violation occurs, the text upload is blocked, and the application is prevented from receiving the content. When Agentless Notification is enabled, the user receives a message stating: The content you attempted to upload is blocked by your organization’s security policy, along with violation details. The block page is tied to the specific policy that was violated and can be customized within the appropriate ruleset.

Use Cases for Text Upload Protection in Web DLP 
Use Case 1: Prevent Confidential Text Pasted into Unsanctioned Web Chat 

A user pastes sensitive financial data into WatsApp Web chat. SWG inspects the text in real time, detects confidential information, and blocks the upload. With Agentless Notification enabled, the user sees a message explaining the violation. The incident is logged for visibility.

Use Case 2: Stop Source Code via AI Tools  

An employee drags and drops internal source code into Copilot Web. SWG applies DLP policies to detect restricted code content. The action is blocked, preventing exposure of internal resources. The user is notified, and the violation is logged for review.

Enable Text Upload Protection for Browser

Follow the steps below to enable Text Upload Protection:

  1. Navigate to Policy > Web Policy > Policy.
  2. On the Web Policy page, under the Policy Ruleset tree, select the Browser Control ruleset.
  3. Click the three‑dot menu to open the Add New Ruleset drop-down list.  
  4. Select From Library

    Image 1.png
     
  5. In the Browser Control Rulesets list, check the Text Upload Protection box.

NOTE: It is recommended to use Agentless Notification in conjunction with Text Upload Protection, allowing users to be notified when actions are blocked. 

  1. Click the Add button to include the ruleset.

    Image 2.png
     
  2. Navigate to Web > Policy > Web Policy > Policy Ruleset > Browser Control > Text Upload Protection.
  3. On the Text Upload Protection page, locate the Text Upload Protection rule.

NOTE: Scope the rule to specific sites or groups of sites where protection is required. Blocking text submission to every site may reduce usability.

  1. Toggle the On/Off button to enable the rule:

    Image 3.png
     
  2. Review the settings on the page.and then select the yellow badge to save and publish the policy changes. 

Text Upload Protection occurs when a text is uploaded to the browser through pasting to a text box or dropping text in the browser. If a text violates any configured policy rules, the browser will be blocked from accessing the text.

  • If Agentless Notification is enabled, a block notification displays to inform the user.
  • If Agentless Notification is disabled, no pop-up displays, but the action is silently blocked in the background.


In both cases, the activity is recorded in the Audit Logs and a DLP Incident will be raised if a DLP ruleset triggers a block action.

Configure Text Upload Protection Settings 

The Text Upload Protection Settings include a key component: Preset Rules 

Preset Rules. You can Select Action under Preset Rules. This capability actively monitors multiple browser interactions, including pasting text, dragging text, and dropping URLs.

Select Action
  • Block All:
    Follow the steps below to block all paste and drag options, regardless of content or size. 
    1. Select Block All to block all rules.
    2. Click the three‑dot menu next to the Block All action and select Select Block Setting:

      Image 4.png

      The Select End User Notification pane displays.
    3. Select the required notification from the list.
    4. Click the Save button to apply the changes:

clipboard_ed4a4354393257363cb524c1afe1f79c1.png

  • Pre‑scan: Select this option to have SWG inspect the text being pasted or dragged and block the action if policy detects sensitive content. The text is scanned against the normal SWG policy.  
    Pre-scan consists of following options:
    • Set a scan size limit
    • Select a pre‑scan action when scan size exceeds the limit
  • The default action is Block.
  • The default scan size limit is 1 MB.

    Scanning larger amounts of text can reduce performance, increase processing time, and disrupt normal browsing. To help maintain a smooth user experience, by default the feature scans up to 1 MB of text at a time.
     

The Set scan size limit consists of the following options when the limit is exceeded:

  • Block – Recommended for large sections of text, since pasting this much text in one action is unusual and can disrupt the application experience.
  • Allow – Permits the download even if the text size exceeds the limit:

Image 7.png

 

Detect Pre-scan Requests in SWG policy

The pre-scan request uses a standardized URL format: https://xxxxxx/Skyhigh/pppppp/aaaaaa. Where xxxxxx represents the domain of the currently loaded page in the browser; pppppp is the SWG policy name which enabled the drag or paste inspection, and aaaaa will be either drop.text or paste.text depending on the action the user is taking.

This URL is logged in DLP incidents and audit logs for visibility and tracking.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
  2. Tags
    This page has no tags.