After you add a website to Web Application Firewall (WAF), you can enable data leakage prevention for the website. Data leakage prevention filters content such as abnormal pages and keywords returned from servers, and masks sensitive information such as ID card numbers, phone numbers, bank card numbers, and sensitive words. WAF then returns the masked information or default response pages to visitors.

Notice Data leakage prevention can process only data that is in the formats specific to China. The data includes ID card numbers, phone numbers, and bank card numbers.

Prerequisites

  • A WAF instance is purchased. The instance must meet the following requirements:
    • The instance is billed on a subscription basis.
      • If the instance is deployed in mainland China, the instance must be of the Pro edition or higher.
      • If the instance is deployed outside mainland China, the instance must be of the Business edition or higher.

      For more information, see Editions and features.

    For more information, see Purchase a WAF instance.

  • Your website is added to WAF. For more information, see Add websites.

Background information

WAF supports data leakage prevention to help you meet the following requirement of the Cybersecurity Law of the People's Republic of China: Network operators shall adopt technological and other necessary measures to ensure the security of the personal information they collect, and prevent information leaks, damage or loss. If a situation of information leak, damage, or loss occurs or might occur, the network operators shall promptly take remedial measures, timely notify users, and report the matter to the authority in accordance with the regulations. Data leakage prevention masks sensitive information such as phone numbers, ID card numbers, and bank card numbers in website content and triggers alerts upon the detection of sensitive information. You can also use data leakage prevention to block responses that contain a specific HTTP status code.

Features

Information maintained by a website may be leaked in the following scenarios: unauthorized access to a URL (such as unauthorized access to the backend management system), horizontal and vertical privilege escalation, and malicious crawlers retrieving sensitive information from web pages. To prevent common sensitive information leaks, data leakage prevention provides the following capabilities:
  • Detects and identifies personal information on web pages, masks the information, and triggers alerts to protect website data. Personal information includes but is not limited to ID card numbers, phone numbers, and bank card numbers.
    Notice Data leakage prevention can process only data that is in the formats specific to China. The data includes ID card numbers, phone numbers, and bank card numbers.
  • Masks sensitive server information, including web applications used by the website, the operating system, and the version of the server.
  • Maintains a library that contains banned and sensitive keywords to detect and mask banned or sensitive website content, and trigger alerts.
How data leakage prevention works

Data leakage prevention detects whether a web page contains sensitive information, such as ID card numbers, phone numbers, or bank card numbers, based on the specified protection rules. If a rule is matched, WAF triggers alerts or masks the information based on the action specified in the rule. Data leakage prevention masks sensitive information with asterisks (*).

Data leakage prevention allows you to set Content-Type to text/*, image/*, or application/* to protect web applications, native applications, and APIs.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure data leakage prevention.
  5. Click the Web Security tab and find the Anti Sensitive Information Leakage section. Then, turn on Status and click Settings.
    Note
    • You must enable data leakage prevention before you can configure protection rules.
    • After data leakage prevention is enabled, it checks all requests destined for your website. You can configure a whitelist rule for Data Security to allow requests that match the whitelist rule to bypass the check. For more information, see Configure a whitelist for Data Security.
  6. Create a data leakage prevention rule.
    1. On the Anti Sensitive Information Leakage page, click Add Rule.
    2. In the Create Rule dialog box, configure the following parameters.
      • Rule name: The name of the rule that you want to create.
      • Matching conditions: The types of information that you want to detect. Valid values:
        • Status Code: You can select 400, 401, 402, 403, 404, 500, 501, 502, 503, 504, 405-499, and 505-599 from the drop-down list.
        • Sensitive Info: You can select ID Card, Credit Card, Telephone No., and Default Sensitive Word from the drop-down list.
        Notice Data leakage prevention can process only data that is in the formats specific to China. The data includes ID card numbers, phone numbers, and bank card numbers.

        You can select multiple values for both Status Code and Sensitive Info.

        If you select and, you can specify the URL that you want to check. In this case, WAF scans for sensitive information only on the specified page.
      • Matching Action: The action to be performed on detected sensitive information.
        • If you set the match condition to Status Code, the following actions are available:
          • Warn: triggers alerts upon the detection of sensitive information.
          • Block: blocks requests and returns the default page indicating that the requested website is blocked.
        • If you set the match condition to Sensitive Info, the following actions are available:
          • Warn: triggers alerts upon the detection of sensitive information.
          • Sensitive information filtering: masks sensitive information in responses.
      Sample configurations
      • Mask sensitive information: Web pages may contain sensitive information, such as phone numbers and ID card numbers. You can create rules to mask sensitive information or trigger alerts upon the detection of sensitive information. The following example shows how to create a rule that masks phone numbers and ID card numbers.
        • Matching conditions: ID Card and Telephone No.
        • Matching Action: Sensitive information filtering
        After this rule is applied, all phone numbers and ID card numbers on the website are masked, as shown in the following figure.
        Notice Phone numbers that must be provided to the public for business affairs, such as customer service and product hotlines, may also be masked by data leakage prevention rules.
      • Block responses that contain specific HTTP status codes: You can create a rule to block or generate alerts upon the detection of specific HTTP status codes to prevent leaks of sensitive server information. The following example shows how to create a rule that blocks responses containing the 404 HTTP status code.
        • Matching conditions: 404
        • Matching Action: Block

        After this rule is applied, if the requested page does not exist, the specified page indicating that the requested website is blocked is returned, as shown in the following figure.

      • Mask specific sensitive information on specific pages: You can create rules to mask sensitive information or generate alerts upon the detection of specific sensitive information, such as phone numbers or ID card numbers, on specific pages. The following example shows how to create a rule that masks ID card numbers on pages whose URLs contain admin.php.
        • Matching conditions: ID card numbers on pages whose URLs contain admin.php
        • Matching Action: Sensitive information filtering

        After this rule is applied, the ID card numbers on pages whose URLs contain admin.php are masked.

    3. Click Confirm.
      After a data leakage prevention rule is created, it takes effect automatically. You can view newly created rules, and modify or delete rules in the rule list based on your business requirements.

What to do next

After you enable data leakage prevention, you can view the log data of the filtered or blocked requests that triggered data leakage prevention rules. To view the log data, navigate to the Security report page and choose Web Security > Data Leakage Prevention. For more information, see View security reports.