
# SecurityPolicy

> SecurityPolicy allows the user to configure various security settings for a Gateway.

<Note>
  API resource reference for **SecurityPolicy**, an [Envoy Gateway](/api/networking/envoy/overview) extension resource. To create or change one, see [Changing resources](/datumctl/resources/changing); to inspect, see [Reading resources](/datumctl/resources/reading).
</Note>

<Warning>
  This resource is part of the `v1alpha1` API (an Envoy Gateway extension) and is subject to change. Fields and behavior may change in future releases.
</Warning>

## Identity

|         |                         |
| ------- | ----------------------- |
| Group   | `gateway.envoyproxy.io` |
| Version | `v1alpha1`              |
| Kind    | `SecurityPolicy`        |
| Scope   | Project                 |

## Overview

A `SecurityPolicy` applies security controls to a Gateway or to a route served by it. It is an Envoy Gateway extension to the Gateway API standard, defined by the [Envoy Gateway API](https://gateway.envoyproxy.io/docs/api/extension_types/), attached to a target resource through a policy reference rather than being embedded in the Gateway itself.

Use it when you want to enforce authentication, authorization, or browser access rules on traffic entering your Project — for example requiring JWT or OIDC login, checking API keys or HTTP Basic credentials, delegating to an external authorization service, or configuring Cross-Origin Resource Sharing (CORS). A single policy attaches to one or more Gateways (or specific listeners/routes) and must live in the same Project as the resources it targets.

## Spec fields

Each of the security features below is optional; set the ones you want to enforce. `targetRefs` selects what the policy applies to.

| Field                           | Type      | Required | Description                                                                                                                                   |
| ------------------------------- | --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| `spec.targetRefs`               | \[]Object | No       | The Gateway resources this policy attaches to. Attach by direct reference.                                                                    |
| `spec.targetRefs[].group`       | string    | Yes      | Group of the target resource.                                                                                                                 |
| `spec.targetRefs[].kind`        | string    | Yes      | Kind of the target resource.                                                                                                                  |
| `spec.targetRefs[].name`        | string    | Yes      | Name of the target resource.                                                                                                                  |
| `spec.targetRefs[].sectionName` | string    | No       | A section within the target: a Gateway listener name, an HTTPRoute rule name, or a Service port name. When unset, targets the whole resource. |
| `spec.targetSelectors`          | \[]Object | No       | Attach to resources by label instead of by name (`kind` required; `group`, `matchLabels`, `matchExpressions` optional).                       |
| `spec.targetRef`                | Object    | No       | Deprecated single-target reference. Use `targetRefs`/`targetSelectors` instead.                                                               |
| `spec.jwt`                      | Object    | No       | JSON Web Token authentication. Requires `providers`; set `optional` to allow missing (but not invalid) tokens.                                |
| `spec.oidc`                     | Object    | No       | OpenID Connect authentication. Requires a client secret; supply `clientID` (or `clientIDRef`) and optional cookie settings.                   |
| `spec.apiKeyAuth`               | Object    | No       | API key authentication.                                                                                                                       |
| `spec.basicAuth`                | Object    | No       | HTTP Basic authentication.                                                                                                                    |
| `spec.extAuth`                  | Object    | No       | Delegate authorization to an external service.                                                                                                |
| `spec.authorization`            | Object    | No       | Ordered allow/deny rules; `defaultAction` (`Allow` or `Deny`) applies when no rule matches (defaults to `Deny`).                              |
| `spec.cors`                     | Object    | No       | Cross-Origin Resource Sharing settings (`allowOrigins`, `allowMethods`, `allowHeaders`, `exposeHeaders`, `allowCredentials`, `maxAge`).       |
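The `spec.authorization` row above describes ordered allow/deny rules with a `defaultAction` fallback. The following Python model is an added example, not code from this page or from Envoy Gateway: it evaluates a constructed policy the way the table describes (rules are tried in order, the first matching rule's action wins, `defaultAction` applies when nothing matches and is `Deny` if unset). The rule and principal field names (`rules[].action`, `rules[].principal.clientCIDRs`, `rules[].principal.jwt.provider`, `rules[].principal.jwt.claims[]`) follow the Envoy Gateway `v1alpha1` shape as understood here and are an assumption; only `clientCIDRs` and JWT-claim principals are modelled, and the JWT is assumed to have already been verified by `spec.jwt`.

```python
"""Model of SecurityPolicy spec.authorization evaluation (added example).

Assumptions: rule/principal field names follow Envoy Gateway v1alpha1 as
understood here; first matching rule wins; defaultAction (default Deny)
applies when no rule matches. Real matching is done by Envoy, not this code.
"""
import ipaddress
from typing import Optional, Tuple

# Constructed sample policy: office network is allowed, contractors (by JWT
# claim) are denied, everything else falls through to defaultAction.
SAMPLE_AUTHZ = {
    "defaultAction": "Deny",
    "rules": [
        {
            "name": "allow-office",
            "action": "Allow",
            "principal": {"clientCIDRs": ["10.0.0.0/8"]},
        },
        {
            "name": "deny-contractors",
            "action": "Deny",
            "principal": {
                "jwt": {
                    "provider": "corp-idp",
                    "claims": [{"name": "role", "values": ["contractor"]}],
                }
            },
        },
    ],
}

# Constructed, already-verified token as the JWT filter would expose it.
CONTRACTOR_TOKEN = {"provider": "corp-idp", "claims": {"role": "contractor"}}


def _cidrs_match(cidrs, client_ip: str) -> bool:
    """True if the client address falls inside any listed CIDR."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _jwt_matches(jwt_rule: dict, token: Optional[dict]) -> bool:
    """All listed claims must match (AND); within one claim any value matches (OR)."""
    if token is None or token.get("provider") != jwt_rule.get("provider"):
        return False
    claims = token.get("claims", {})
    for wanted in jwt_rule.get("claims", []):
        actual = claims.get(wanted["name"])
        allowed = wanted.get("values", [])
        if isinstance(actual, list):
            if not any(v in allowed for v in actual):
                return False
        elif actual not in allowed:
            return False
    return True


def _rule_matches(rule: dict, client_ip: str, token: Optional[dict]) -> bool:
    """A rule matches when every criterion present in its principal matches."""
    principal = rule.get("principal", {})
    if "clientCIDRs" in principal and not _cidrs_match(principal["clientCIDRs"], client_ip):
        return False
    if "jwt" in principal and not _jwt_matches(principal["jwt"], token):
        return False
    return True


def authorize(authz: dict, client_ip: str, token: Optional[dict] = None) -> Tuple[str, Optional[str]]:
    """Return (decision, name of the matched rule or None) for one request."""
    for rule in authz.get("rules", []):
        if _rule_matches(rule, client_ip, token):
            return rule["action"], rule.get("name")
    # No rule matched: fall back to defaultAction, which is Deny when unset.
    return authz.get("defaultAction", "Deny"), None


def deny_rules_first(authz: dict) -> dict:
    """Reorder so Deny rules are evaluated before Allow rules (order is preserved within each group)."""
    rules = authz.get("rules", [])
    return {
        "defaultAction": authz.get("defaultAction", "Deny"),
        "rules": [r for r in rules if r["action"] == "Deny"] + [r for r in rules if r["action"] != "Deny"],
    }


if __name__ == "__main__":
    print(authorize(SAMPLE_AUTHZ, "10.1.2.3"))                       # ('Allow', 'allow-office')
    print(authorize(SAMPLE_AUTHZ, "203.0.113.5"))                    # ('Deny', None)
    print(authorize(SAMPLE_AUTHZ, "10.1.2.3", CONTRACTOR_TOKEN))     # ('Allow', 'allow-office')
    print(authorize(deny_rules_first(SAMPLE_AUTHZ), "10.1.2.3", CONTRACTOR_TOKEN))  # ('Deny', 'deny-contractors')
```

The third call is the point of the example: because rules are ordered and the first match wins, a contractor connecting from inside the office range is allowed by `allow-office` before `deny-contractors` is ever consulted. Put the narrower Deny rules ahead of broad Allow rules (as `deny_rules_first` does) when you want an exclusion to hold regardless of where the request comes from, and keep `defaultAction` at `Deny` so that unmatched traffic is refused.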

## Status fields (read-only)

| Field              | Type      | Description                                                                                                                                                                          |
| ------------------ | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `status.ancestors` | \[]Object | The ancestor resources (usually Gateways) this policy is associated with, and the policy's status against each. Up to 16 entries; an empty list means the policy applies to nothing. |

## Usage

```yaml theme={null}
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: require-cors
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: my-gateway
  cors:
    allowOrigins:
      - "https://app.example.com"
    allowMethods:
      - GET
      - POST
    allowHeaders:
      - "*"
    allowCredentials: true
    maxAge: 1h
```

```bash theme={null}
datumctl apply -f securitypolicy.yaml --project my-project
datumctl get securitypolicies --project my-project
datumctl describe securitypolicy require-cors --project my-project
```

<Tip>
  Run `datumctl explain securitypolicies --recursive` to see the full, live field tree for this resource.
</Tip>
