# How It Works The basics of the security validation is that you define a set of rules, much like how you define a firewall. Each rule is composed of several elements: **securelist**, **whitelist**, **roles**, **permissions**, **match**, and **redirect**. However, each rule can be expanded by the developer as needed with custom elements, etc. Each rule will be evaluated in the order that it is declared and the follow validation via our flow diagram below. 1. An incoming request or internal event reaches the first rule and the type of matching is determined: event or URI matching 2. The incoming event or URI is matched against the *whitelist* element 1. If matched, then the event is whitelisted so it continues to the next rule 2. Else, continue 3. The incoming event or URI is matched against the *securelist* element 1. If not matched, then continue to next rule 2. Else, continue validation 4. Do we have a custom validator or not? 1. Yes, validate against the custom validator 2. No, validate against ColdFusion's logged in user roles or logged in credentials 5. If validation fails, redirect the user via the *redirect* element --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://coldbox-security.ortusbooks.com/master-4/home.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.