Glossary
BusinessProxy terms in plain language
Definitions for the terms used across this site, kept consistent with how the product actually works.
- Managed Browser Access
- The product category: controlled, policy-governed web access for teams delivered through a browser extension — no OS-level agent and no device VPN.
- Browser extension
- The required client. The current beta is a Chrome/Chromium extension that configures browser proxy settings and answers proxy-auth challenges. It does not read or modify page content.
- Browser-proxy path (Layer 1)
- Browser traffic routed through the managed proxy by the extension. HTTPS content is not decrypted; filtering is by domain, category and policy only.
- Private App Access
- The feature that publishes an internal web app through an HTTPS alias and a customer-run connector. Sold as a beta, sales-assisted capability.
- Alias path (Layer 2)
- The Private App Access reverse proxy. It is Layer 7 and relays the full HTTP request and response (method, path, query, headers and bodies) in transit. Bodies are not logged or retained.
- L7 / Layer 7
- The application (HTTP) layer. An L7 reverse proxy sees method, path, headers and bodies — unlike the Layer-1 browser path, which does not decrypt HTTPS content.
- Connector
- A small process you run inside your own network. It dials out to BusinessProxy over TLS, holds a tunnel, resolves the real internal upstream privately and relays requests. No inbound ports.
- Upstream
- The real internal web app the connector forwards requests to. Its hostname and IP never leave your network.
- Alias host
- The external HTTPS hostname users open instead of the internal address.
- Tunnel
- The persistent outbound connection from the connector to the gateway over which alias requests are multiplexed. If it is down, access fails closed.
- Workspace
- The tenant boundary for users, devices, policy, sessions and audit. Policy is set per workspace.
- Roles
- Workspace membership roles: member, admin and billing. The workspace creator is the owner. SSO/SAML and SCIM are Enterprise/contact-only.
- Routing policy
- Backend-issued policy that tells the extension whether to use proxy_all or work_only.
- proxy_all
- Routing mode where all browser traffic goes through the proxy except bypass entries (current Chrome/Chromium implementation uses fixed_servers).
- work_only
- Routing mode where only approved work domains use the proxy and everything else goes direct (current Chrome/Chromium implementation uses a PAC script).
- PAC
- Proxy Auto-Configuration: a script the browser uses to decide per request whether to proxy or go direct.
- Bypass list
- Domains or hosts that always go direct, never through the proxy.
- Egress
- The point and region where proxied traffic exits BusinessProxy to the public internet; you choose the region (US in MVP).
- Proxy session credentials
- Random, short-lived per-session secrets (about a 2-minute TTL) that the extension auto-rotates. They are stored server-side only as a one-way keyed digest, never as reusable plaintext, and are separate from your account password.
- Keyed digest
- A server-side one-way HMAC-style value used to validate the random proxy session secrets. It is not a human-password hash.
- TTL
- Time-to-live: how long a credential or session stays valid before it must be reissued (proxy credential about 2 minutes; private-app session default 60 minutes, max 480).
- Device key
- A per-device ECDSA P-256 key the extension uses to sign proxy-session requests.
- Heartbeat
- A periodic liveness signal from the extension or connector; it drives session renewal and connector readiness.
- Category list
- The versioned local category feed used for domain and category decisions. It ships as a local baseline today; an external threat-intelligence feed is planned, not enabled.
- Quota
- Per-plan traffic and usage limits enforced on sessions.
- SASE
- Secure Access Service Edge — large cloud platforms that combine networking and security. BusinessProxy is intentionally lighter and scoped to the browser, not a SASE replacement.
- Unmanaged-device boundary
- On unmanaged devices BusinessProxy governs only the browser profile and path where the extension is installed and enabled; enforced control requires Chrome Enterprise or MDM. It is not tamper-proof endpoint control.