After you add a website to WAF, its website protection policies filter all access requests by default. The website whitelist allows access requests that match specified conditions. These requests are forwarded directly to the origin site without being filtered by the WAF website protection policies.

Notice: This topic uses the new version of the WAF console released in January 2020. If the WAF instance was created before this date, you cannot use the website whitelist.


  • A Web Application Firewall instance is available. For more information, see Activate a WAF instance.
  • The website is associated with the Web Application Firewall instance. For more information, see Add domain names.

Background information

The WAF website protection policies include modules such as web intrusion prevention, access control and throttling, data security, advanced protection, and bot management. Access requests that match specified conditions in the whitelist skip all detection modules. The website whitelist is used to allow trusted access requests, such as access requests from trusted vulnerability scan tools and trusted authenticated third-party system endpoints.

You can also create a whitelist for each specified detection module. Access requests that match specified conditions only skip the corresponding detection module. For more information, see:
Note: We recommend that you create a whitelist for a specified detection module as needed. A whitelist with more precise rules provides better security protection. A detection module whitelist provides better security protection than the website whitelist.


  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure the whitelist.
  5. Click Website Whitelisting in the upper-right corner.
  6. Create a website whitelist.
    1. On the Website Whitelisting page, click Create Rule.
    2. In the Add Rule dialog box that appears, set the following parameters.
      Parameter | Description
      Rule name | Specify a name for the rule.
      Matching Condition | Specify the match conditions of the whitelist rule. Click Add rule to add more conditions. You can specify a maximum of five conditions. If you specify multiple conditions, the rule matches only when all of them are met.

      For more information about match conditions, see Fields of match conditions.

    3. Click Save.
    After you create rules for the website whitelist, they are automatically enabled. You can view newly created rules in the rule list and disable, edit, or delete rules as needed.
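
The matching behaviour described in step 6 (at most five conditions, all of which must be met, and a match skips every detection module), as an added example that is not part of the original documentation or of the WAF product: it replays a draft rule against sample requests to list which ones would skip inspection before the rule is saved. The field names, operators, rule layout and sample requests are assumptions constructed for illustration; the real fields are listed in Fields of match conditions.

```python
import ipaddress

MAX_CONDITIONS = 5  # limit stated on this page

def condition_met(cond, request):
    """Evaluate one condition. Field and operator names are hypothetical."""
    value = request.get(cond["field"], "")
    op, expected = cond["op"], cond["value"]
    if op == "in_cidr":
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(expected)
        except ValueError:  # missing or malformed address never matches
            return False
    if op == "contains":
        return expected in value
    if op == "prefix":
        return value.startswith(expected)
    raise ValueError(f"unknown operator: {op}")

def rule_matches(rule, request):
    """A rule matches only when every one of its conditions is met."""
    conds = rule["conditions"]
    if not 1 <= len(conds) <= MAX_CONDITIONS:
        raise ValueError("a rule takes between 1 and 5 conditions")
    return all(condition_met(c, request) for c in conds)

def skipped_requests(rule, requests):
    """IDs of requests that would skip every detection module under this rule."""
    return [r["id"] for r in requests if rule_matches(rule, r)]

# Constructed sample traffic (documentation address ranges, made-up scanner name).
SAMPLE_REQUESTS = [
    {"id": "r1", "ip": "203.0.113.10", "url": "/api/health", "user_agent": "ExampleScanner/2.1"},
    {"id": "r2", "ip": "198.51.100.7", "url": "/admin/login", "user_agent": "ExampleScanner/2.1"},
    {"id": "r3", "ip": "198.51.100.8", "url": "/index.html", "user_agent": "Mozilla/5.0"},
]

BROAD_RULE = {"name": "scanner-by-ua", "conditions": [
    {"field": "user_agent", "op": "contains", "value": "ExampleScanner"},
]}
PRECISE_RULE = {"name": "scanner-by-ip-ua-path", "conditions": [
    {"field": "ip", "op": "in_cidr", "value": "203.0.113.10/32"},
    {"field": "user_agent", "op": "contains", "value": "ExampleScanner"},
    {"field": "url", "op": "prefix", "value": "/api/"},
]}

if __name__ == "__main__":
    for rule in (BROAD_RULE, PRECISE_RULE):
        print(rule["name"], "->", skipped_requests(rule, SAMPLE_REQUESTS))
```

The single-condition rule exempts two of the three sample requests from inspection, while the three-condition rule exempts only the request from the known scanner address, which is the effect of the "more precise rules" recommendation above.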