improved

Pass-through policies

This week, we introduced a new setting for creating a Policy: the ability to turn off the inline response and run the policy in pass-through mode. By default, Policies work like firewall rules: they are evaluated from top to bottom, and when a policy matches, its configured inline response is returned in the Castle Risk/Filter APIs and evaluation halts.

When a pass-through policy is matched, all of its configured actions run as normal. By turning off the inline response, you can set up a flow that, for example, simply monitors for suspicious behaviors without affecting the user journey, which is useful before deciding to take action. When a Policy is configured in pass-through mode, evaluation of Policies continues until there is a match on a regular policy.
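The evaluation order described above can be modeled in a few lines. This is an added illustration, not Castle's implementation or SDK code: the `Policy` class, `evaluate` function, policy names, action labels and events are all hypothetical and constructed, and returning no inline response when no regular policy matches is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Policy:                            # hypothetical model of a policy
    name: str
    matches: Callable[[dict], bool]      # predicate over the event
    inline_response: Optional[str]       # unused when pass_through is set
    actions: list = field(default_factory=list)
    pass_through: bool = False

def evaluate(policies, event):
    """Return (inline_response, actions_run, matched_policy_names)."""
    actions_run, matched = [], []
    for policy in policies:              # top to bottom, like firewall rules
        if not policy.matches(event):
            continue
        matched.append(policy.name)
        actions_run.extend(policy.actions)   # actions run on every match
        if policy.pass_through:
            continue                     # no inline response, keep evaluating
        # First regular match: return its inline response and halt.
        return policy.inline_response, actions_run, matched
    # Assumption: with no regular match there is no inline response.
    return None, actions_run, matched

# Constructed sample policies
MONITOR = Policy("monitor-new-device", lambda e: e["new_device"], None,
                 ["notify:soc"], pass_through=True)
BLOCK = Policy("block-high-risk", lambda e: e["risk"] >= 0.9, "deny",
               ["log:blocked"])
CHALLENGE = Policy("challenge-medium-risk", lambda e: e["risk"] >= 0.6,
                   "challenge", ["log:challenged"])

POLICIES = [MONITOR, BLOCK, CHALLENGE]       # monitor first: always observed
MISORDERED = [BLOCK, CHALLENGE, MONITOR]     # monitor last: can be shadowed

if __name__ == "__main__":
    print(evaluate(POLICIES, {"new_device": True, "risk": 0.7}))
    print(evaluate(MISORDERED, {"new_device": True, "risk": 0.95}))
```

In this model, ordering matters for monitoring coverage: a pass-through policy placed below a regular policy is never reached for events that the regular policy matches first, so its actions do not run for them.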

The new Policy setting to turn off inline response
