Skip to main content
All CollectionsEnterpriseTechnical Setup
Configure the Blocklist
Configure the Blocklist

How to configure the Stack Overflow for Teams Blocklist to warn or block users when they enter restricted words or phrases.

Joel Bradley avatar
Written by Joel Bradley
Updated over a week ago
PDF VERSION

Tags | Security | Content | Blocklist |

Applies to: Enterprise

ADMIN PRIVILEGES REQUIRED

This documentation is for Stack Overflow for Teams Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.

Overview

Stack Overflow for Teams Enterprise (SOE) has a Blocklist tool that allows you to create a list of specific words or phrases that the site will watch for as users submit text. If the Blocklist tool finds a match, it will warn the user or even block them from submitting what they wrote. Blocklist can watch for personally identifiable information (PII), passwords, security keys, profanity, and more.

NOTE: SOE's Blocklist is a rarely used feature with minimal controls. We recommend you use it in limited cases, to block just a few words or phrases. If not used with care, Blocklist could keep your users from entering text anywhere on your site.

SOE's Blocklist uses regular expressions (RegEx) patterns to perform flexible, case-insensitive matches. RegEx patterns can be tricky to write, so we suggest using the many tutorials and RegEx testers available online. We'll also list some specific patterns in the RegEx patterns section at the end of this article.

NOTE: Though this feature is now called "Blocklist", the URL and other areas of the tool still reference its original name: "Blacklist".

Blocklist interface

To access the Blocklist, go to https://[your_site]/developer/data-editor/Blacklist (admin access required). Here you'll add Blocklist entries in a table format. There's no limit to the number of entries you can create.

To create a new Blocklist entry, click add.
To edit an entry, click edit.
To delete an entry, click X.

To quickly set a datetime field to the current date and time, click set to utc now.

Blocklist fields

Each Blocklist entry has the following fields:

  • BlacklistType The specific area that SOE will monitor for this search pattern. Unless you have a reason to choose another type, leave Universal selected to monitor all text entry boxes.

  • CreationDate The date the entry was created.

  • RegexPattern The RegEx pattern SOE will search for when a user submits text.

  • DeletionDate The date SOE should delete (deactive) the entry.

    SOE will also delete an entry after a long period with no matches, then store the deletion date in this field. SOE deactivates an entry and marks it as deleted if:

    • a new entry is more than 30 days old and never matched anything, or

    • an older entry with at least one prior match hasn't matched anything for 90 days.

    NOTE: You can restore a deleted entry by clearing its DeletionDate and LastMatchDate fields. If the search pattern doesn't match anything for 30 days, SOE will delete it again.

  • LastMatchDate The last date, if any, SOE found this search pattern in a user's text entry.

  • MatchCount The total number of matches for this search pattern.

  • GuidanceText The message displayed when this search pattern is found in a user's text entry.

  • MatchAction Whether SOE should warn the user and allow the text submission, or warn and block the submission.

Warn and block

When Blocklist detects a prohibited string in the user's text entry, it will either warn the user or both warn and block the submission. In both cases, SOE displays the GuidanceText value.

Here's an example of the Warn MatchAction.

Here's an example of the Block MatchAction.

NOTE: Certain actions (edit, more), have an all sites checkbox. Check this box to make changes across your main Q&A area as well as any teams.

Blocklist logs

You can see Blocklist activity in the developer logs. Check the logs to make sure your Blocklist entries are matching the correct text (and nothing more).

Access the logs with these URLs:

  • Blocked submissions https://[your_site]/developer/logs/2

  • Warnings https://[your_site]/developer/logs/42

RegEx patterns

Any standard RegEx pattern will work in the Blocklist, but proceed with caution. Blocklist entries are active as soon as you submit them, so an improperly formed pattern could keep your users from submitting text anywhere on the site.

We recommend starting new Blocklist entries with MatchAction set to Warn, switching to Block only after the pattern has been tested. You may also want to use an online RegEx tester before adding any new patterns to the list.

Below are some RegEx patterns you may find useful.

Text

RegEx Pattern

Social security number

(?!(000|666|9))\d{3}-(?!00)\d{2}-(?!0000)\d{4}

Slack token

(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})

RSA private key

-----BEGIN RSA PRIVATE KEY-----

SSH (OPENSSH) private key

-----BEGIN OPENSSH PRIVATE KEY-----

SSH (DSA) private key

-----BEGIN DSA PRIVATE KEY-----

SSH (EC) private key

-----BEGIN EC PRIVATE KEY-----

PGP private key block

-----BEGIN PGP PRIVATE KEY BLOCK-----

Facebook Oauth

[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].{0,30}['\\\s][0-9a-f]{32}['\\\s]

Twitter Oauth

[t|T][w|W][i|I][t|T][t|T][e|E][r|R].{0,30}['\\\s][0-9a-zA-Z]{35,44}['\\\s]

GitHub

[g|G][i|I][t|T][h|H][u|U][b|B].{0,30}['\\\s][0-9a-zA-Z]{35,40}['\\\s]

Google Oauth

(\client_secret\:\[a-zA-Z0-9-_]{24}\)

AWS API key

AKIA[0-9A-Z]{16}

Heroku API key

[h|H][e|E][r|R][o|O][k|K][u|U].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}

Generic secret

[s|S][e|E][c|C][r|R][e|E][t|T].{0,30}['\\\s][0-9a-zA-Z]{32,45}['\\\s]

Generic API Key

[a|A][p|P][i|I][_]?[k|K][e|E][y|Y].{0,30}['\\\s][0-9a-zA-Z]{32,45}['\\\s]

Slack webhook

hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}

Password in URL

[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\'\\s]

IPv4 address

\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

Did this answer your question?