After you set up Web Application Firewall (WAF) for a website, you can enable the tamper-proofing feature to protect the website from website defacement. Tamper-proofing helps you lock specific web pages, such as those that contain sensitive information. When a locked web page is requested, the page cached in WAF is returned. This prevents web pages from being maliciously modified. You can customize tamper-proofing rules as needed.

Notice This topic uses the new version of the WAF console released in January 2020. If your WAF instance was created before January 2020, see Website tamper-proofing.


  • A Web Application Firewall instance is available. For more information, see Activate a WAF instance.
  • The website is associated with the Web Application Firewall instance. For more information, see Add domain names.


  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure the whitelist.Switch Domain Name
  5. Click the Web Security tab and find Website Tamper-proofing in the Data Security section. Turn on the Status switch and click Settings.Website tamper-proofing
    Note You must enable tamper-proofing before you can create protection rules.
  6. Create a tamper-proofing rule.
    1. On the Website Tamper-proofing page, click Add Rule.
    2. In the Add Rule dialog box that appears, specify the Service Name and URL of the web page that you need to protect.
      • Service Name: Specify the name of the service that the web page provides.
      • URL: Enter the exact path. Wildcard characters such as /*, or parameters such as /abc? xxx= are not supported. Text data, HTML pages, and images under the specified path are protected.
      Create a rule
    3. Click Confirm.
    After a tamper-proofing rule is created, it is disabled by default. You can find the newly created rule in the rule list, and the Protection Status of the rule is disabled.Protection status-disabled
  7. Enable the rule. Find the target rule in the rule list, and turn on the Protection Status switch.Protection status-enabled
    After a rule is enabled, if the specified web page is requested, the page cached in WAF is returned.
  8. Optional:Update cached data. Find the target rule enabled in the rule list, and click Refresh Cache in the Protection Status column.
    Notice If the protected web page is updated, you must click Refresh Cache to update the data cached in WAF. If you do not update the cached data after a page is updated, WAF returns the most recent page stored in the cache.