After you add a website to Web Application Firewall (WAF), HTTP flood protection targeting web pages is enabled by default. HTTP flood protection terminates connections to block HTTP flood attacks. You can adjust the protection policies of HTTP flood protection as needed.

Notice This topic uses the new version of the WAF console released in January 2020. If the WAF instance was created before January 2020, see HTTP flood protection.


  • A Web Application Firewall instance is available. For more information, see Activate a WAF instance.
  • The website is associated with the Web Application Firewall instance. For more information, see Add domain names.


  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure the whitelist.Switch Domain Name
  5. Click the Access Control/Throttling tab, and find HTTP Flood Protection in the Access Control/Throttling module to set the following parameters.HTTP flood protection
    Parameter Description
    Status Enable or disable HTTP flood protection.
    Mode Specify the protection mode. Supported modes:
    • Prevention: This mode only blocks suspicious requests and maintains a low false positive rate. We recommend that you apply this mode when no abnormal traffic is detected on the website to avoid false positives.
    • Protection-emergency: This mode blocks a large number of requests and maintains a high false positive rate. You can apply this mode if the Protection mode fails to block HTTP flood attacks or if the website responds slowly and indicators such as traffic, CPU, and memory are abnormal.
      Note You can only use the Protection-emergency mode to protect web pages and HTML5 pages. This mode is not suitable for APIs or native applications because a large number of false positives may occur. We recommend that you create custom protection policies for API or Native App scenarios. For more information, see Create a custom protection policy.

Related operations

  • If the Protection-emergency mode causes a high false negative rate, we recommend that you check whether the attacks come from WAF back-to-origin IP addresses. If attacks are directly launched on the origin server, you can change the settings to only allow requests from WAF back-to-origin IP addresses. For more information, see Configure protection for your origin server.
  • If you need to reinforce protection and maintain a low false positive rate, you can create multiple custom protection policies. For more information, see Create a custom protection policy.