Web Application Firewall

A cloud firewall service utilizing big data capabilities to protect against web-based attacks

Buy Now Contact Sales

Web Application Firewall

WAF is a cloud firewall service that protects core website data and safeguards the security and availability of your site.

Based on powerful Big Data cloud capabilities and underlying security, WAF provides protection against web-based attacks, including SQL injections, XSS, Malicious BOT, command execution vulnerabilities, and other common web attacks.

Download Product Data Sheet

Customer Testimonials

"Web Application Firewall protects our websites from thousands of web application attacks each day, protecting our core online assets."


Stability and Speed

  • Easy Deployment: No need to install additional software or to deploy extra hardware. You can access the product and secure your website within minutes

  • Shorter Response Time: Extremely short response time (milliseconds) for user requests

  • Improved Monitoring and Service Systems: Offers 24/7 network-wide smart monitoring and scheduling based on service quality

Defense Capabilities

  • Centrally Defined Protection Rules: Nearly 1,000 protection rules, updated each day across all web applications by a dedicated defense team in order to protect from false positive rates

  • Patch Synchronization: Offers 0-day web vulnerability patches synchronized globally within 24 hours

  • Superior Defense: Comprehensive website security protection through precise access controls to provide powerful defense against web/flood attacks

Big Data Security Analysis

  • Security Protection: Protects thousands of data sensitive websites against millions of web attacks

  • Global Synchronization: Collaborative defense captures new threats and globally synchronizes protection rules

  • Big Data Learning Models: WAF utilizes a big data learning model to reduce the rate of false positives


  • Real-time Metrics of Web Requests: Monitors requests that match your filter criteria and provides real-time metrics for improved visibility of your web traffic, which you can create using new rules and alerts


  • Monthly Package: Offers monthly subscription with different package versions and feature specifications that you can select depending on your requirements

Product Details

Alibaba Cloud Web Application Firewall (WAF) is a SaaS-based web application security service which detects illegal web requests through its built-in security strategy. As a cloud firewall service WAF modifies your website’s DNS records, so that all requests through WAF are detected in order to direct safe traffic to the site server and prohibit attacks from reaching the server.

WAF also filters out large numbers of malicious access attempts and alleviates the performance impact of HTTP/HTTPS flood attacks on servers.


Immunity Against Common Web Attacks

Protection Rule Policies: Provides high, medium and low-protection rules/policies against common web attacks listed in OWASP.

Meets the needs of different website services regarding common GET and POST HTTP requests.

Defends against SQL injection, XSS, Webshell uploads, command injection, illegal HTTP protocol requests, attacks on common web server vulnerabilities, unauthorized access to core files, and path traversal.

Provides backdoor isolation protection, defense scans, and other security protection.

Website Stealth: Safeguards website address from being exposed to attackers, so that attacks cannot bypass the WAF and attack your website directly.

Regular 0-day Patch Updates: Synchronizes protection rules with Taobao (online shopping platform) and quickly provides patches latest vulnerabilities. These patches are immediately synchronized globally to defend all protected websites.

HTTP / HTTPS Flood / DDoS Attack Mitigation

Multi-layer Protection: Integrated security modules protect from common web/CC attacks. WAF creates a comprehensive, multi-layer protection mechanism to accurately distinguish between trusted and malicious traffic based on actual needs.

WAF Modes

Friendly Observation Mode: Option to enable observation mode for new website services. In this mode, WAF issues warnings for possible attacks that match the protection rules, but does not block them. This lets you collect statistics on the false positive rate of your service.

Prevention Mode: Actively blocks intrusions and attacks detected by its set rules. Attackers' requests are denied and their connection is terminated. This mode continues to log such attacks in the WAF logs file.

Big Data Security

Fully utilizes Alibaba Cloud's advantages in big data security, threat intelligence library, and trusted access analysis models to identify malicious traffic.


Alibaba Cloud WAF is based on a monthly subscription that offers customers different packages with different feature specifications. Pricing depends on the type of package selected by the customer.

The following prices are for reference only and the final price will depend on the selected package.

Choose your plan


Price Calculation Method: Cost of Package Version + Domain Extension Fee + Bandwidth Extension Fee

Subscription Package:


A) Different prices for different versions apply

B) If domain or bandwidth specification required by the customer exceeds the specification of the package version, an additional extension fee is applied


1. Data Leakage Prevention

A technology company providing search engine and related services including a social media website platform, wishes to protect against data breaches over the network. Additionally, users want to secure its user account information from unauthorized users.

Alibaba Cloud WAF offers robust protection against web attacks with a complete set of signatures for web vulnerabilities. It can detect unauthorized file uploads and enforce access control policies to prevent attackers from accessing data without proper authorization.

WAF protects websites against malicious attacks to prevent core data leakage. In addition, the product supports HTTPS encryption for online businesses in various industries including finance, health care and e-commerce.

Protection Scene

  • WAF intercepts SQL injection, XSS, and other high-risk web attacks.

  • You can open the malicious IP penalty mode, prohibiting IPs of unauthorized users that frequently attack your website.

  • You can select the strict mode in order to increase the defense strength.

2. HTTP Flood Attack Mitigation

A financial institution needs to defend against large-scale volumetric DDoS and data breach attacks to maintain 100 percent availability of its web properties, including new account sales, transactions, customer service portals, mobile sites, and product and service information. Additionally, users want to protect personal and corporate information while seeing an improvement to the page load performance and responsive performance.

WAF mitigates common HTTP flood attacks and losses for businesses like online electronic business, financial, Internet services, etc.

Protection Scene

  • Effectively mitigates all common HTTP flood and malicious attacks.

  • For HTTP Flood protection, in addition to the normal protection mode, when your website is under attack, WAF allows you to switch to emergency mode in order to decrease server performance pressure.

  • Custom rule protection with precision access control for variant attacks with distinct characteristics.

3. Custom security protection for web-based applications

A social media company requiring an enterprise-level custom security policy to protect against big data hacking, user-identity theft, and user-agent protection. Alibaba Cloud WAF offers user-agent rule configuration and protects against DDoS, brute-force attacks and personal information hacks. WAF combines different security solutions through access control customization rules. It configures corresponding security policies by analyzing abnormal content, such as user-agents, URLs, and referrers. It also provides protection against WordPress pingback attacks and offers website management background logon and chain protection.

General Architecture Diagram from all the above scenarios:

Getting Started

Access Alibaba Cloud WAF with the Management Console

Use Alibaba Cloud WAF through the Management Console

The Alibaba Cloud Management Console provides a simple web-based user interface that allows you to access and configure web application firewalls. From the console, you can configure the domain name, port, certificate, private key, view security reports and attack details, and the security status of the current website.

Refer to the Web Application Firewall Quick Start Guide for step-by-step instructions on how to configure WAF through the management console.

To understand how Alibaba Cloud WAF operates, refer to the WAF User Guide


1. What is WAF?

Alibaba Cloud Web Application Firewall (WAF) is a web application security service that protects web applications from attacks by configuring rules that allow, block, or monitor (count) requests based on defined conditions. These conditions include IP addresses, HTTP headers, HTTP bodies, URI strings, SQL injections, and XSS.

2. Can I use WAF to protect websites not hosted on Alibaba Cloud?

Yes, WAF can be integrated with a CDN, which can support customers not hosted on Alibaba Cloud.

3. What kind of businesses can WAF serve?

The product can serve E-Commerce, O2O, financial services, online education, medical, government, and other business websites for normalized security protection.

4. How can I obtain the real source IP using WAF?

The web application firewall places the real client IP behind the X-Forwarded-For field in the HTTP header. The IP behind the XFF field configured on the source server is the client's real IP.

5. Can WAF be used in combination with CDN or Anti-DDoS?

Yes, the best deployment architecture is: CDN or Anti-DDoS -> Web Application Firewall (intermediate, application layer protection) -> Web server.

6. How does WAF protect my website or application?

WAF is tightly integrated with Alibaba Cloud CDN, which is commonly used to deliver content for websites and applications. As CDN receives requests for your website/s, it forwards them to WAF for inspection against the rules defined. Once a request meets a condition as per the defined rules, WAF instructs the CDN to either block or allow the request based on the action you define. WAF stops blocked requests before they reach your web servers.

7. What types of attacks can Alibaba Cloud WAF prevent?

WAF helps protect your website from common attack techniques such as SQL injections, HTTP FLOOD attacks, and Cross-Site Scripting (XSS). You can also create rules that block attacks from specific user-agents, bad bots, or content scrapers.