ADMIN PRIVILEGES REQUIRED
This documentation is for Stack Overflow for Teams Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.
Overview
Stack Overflow for Teams Enterprise (SOE) has a Blocklist tool that allows you to create a list of specific words or phrases that the site will watch for as users submit text. If the Blocklist tool finds a match, it will warn the user or even block them from submitting what they wrote. Blocklist can watch for personally identifiable information (PII), passwords, security keys, profanity, and more.
NOTE: SOE's Blocklist is a rarely used feature with minimal controls. We recommend you use it in limited cases, to block just a few words or phrases. If not used with care, Blocklist could keep your users from entering text anywhere on your site.
SOE's Blocklist uses regular expressions (RegEx) patterns to perform flexible, case-insensitive matches. RegEx patterns can be tricky to write, so we suggest using the many tutorials and RegEx testers available online. We'll also list some specific patterns in the RegEx patterns section at the end of this article.
NOTE: Though this feature is now called "Blocklist", the URL and other areas of the tool still reference its original name: "Blacklist".
Blocklist interface
To access the Blocklist, go to https://[your_site]/developer/data-editor/Blacklist (admin access required). Here you'll add Blocklist entries in a table format. There's no limit to the number of entries you can create.
To create a new Blocklist entry, click add.
To edit an entry, click edit.
To delete an entry, click X.
To quickly set a datetime
field to the current date and time, click set to utc now.
Blocklist fields
Each Blocklist entry has the following fields:
BlacklistType The specific area that SOE will monitor for this search pattern. Unless you have a reason to choose another type, leave Universal selected to monitor all text entry boxes.
CreationDate The date the entry was created.
RegexPattern The RegEx pattern SOE will search for when a user submits text.
DeletionDate The date SOE should delete (deactive) the entry.
SOE will also delete an entry after a long period with no matches, then store the deletion date in this field. SOE deactivates an entry and marks it as deleted if:
a new entry is more than 30 days old and never matched anything, or
an older entry with at least one prior match hasn't matched anything for 90 days.
NOTE: You can restore a deleted entry by clearing its DeletionDate and LastMatchDate fields. If the search pattern doesn't match anything for 30 days, SOE will delete it again.
LastMatchDate The last date, if any, SOE found this search pattern in a user's text entry.
MatchCount The total number of matches for this search pattern.
GuidanceText The message displayed when this search pattern is found in a user's text entry.
MatchAction Whether SOE should warn the user and allow the text submission, or warn and block the submission.
Warn and block
When Blocklist detects a prohibited string in the user's text entry, it will either warn the user or both warn and block the submission. In both cases, SOE displays the GuidanceText value.
Here's an example of the Warn MatchAction.
Here's an example of the Block MatchAction.
NOTE: Certain actions (edit, more), have an all sites checkbox. Check this box to make changes across your main Q&A area as well as any teams.
Blocklist logs
You can see Blocklist activity in the developer logs. Check the logs to make sure your Blocklist entries are matching the correct text (and nothing more).
Access the logs with these URLs:
Blocked submissions https://[your_site]/developer/logs/2
Warnings https://[your_site]/developer/logs/42
RegEx patterns
Any standard RegEx pattern will work in the Blocklist, but proceed with caution. Blocklist entries are active as soon as you submit them, so an improperly formed pattern could keep your users from submitting text anywhere on the site.
We recommend starting new Blocklist entries with MatchAction set to Warn, switching to Block only after the pattern has been tested. You may also want to use an online RegEx tester before adding any new patterns to the list.
Below are some RegEx patterns you may find useful.
Text | RegEx Pattern |
Social security number |
|
Slack token |
|
RSA private key |
|
SSH (OPENSSH) private key |
|
SSH (DSA) private key |
|
SSH (EC) private key |
|
PGP private key block |
|
Facebook Oauth |
|
Twitter Oauth |
|
GitHub |
|
Google Oauth |
|
AWS API key |
|
Heroku API key |
|
Generic secret |
|
Generic API Key |
|
Slack webhook |
|
Password in URL |
|
IPv4 address |
|