If this is the first time you add a domain name to Web Application Firewall (WAF), we recommend that you learn more about website protection. This topic describes how to select protection modules and configure protection policies of WAF from the perspective of different roles to meet business requirements in different scenarios. By reading this topic, you can understand the protection logic of WAF.

Prerequisites

Your website configurations are added to WAF. For more information, see Add a domain name.

Usage notes

All descriptions in this topic assume that you have enabled the recommended website protection features. If you have not enabled these features, enable and configure them based on the feature descriptions.

Unless otherwise specified, the recommended website protection features are configured on the Website Protection page. Perform the following operations to go to the Website Protection page:

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
  2. In the left-side navigation pane, choose Protection Settings > Website Protection.
  3. In the upper part of the Website Protection page, select the domain name for which you want to configure protection.

Overview

This topic provides the recommended website protection features based on roles and business requirements. You can decide which features to enable based on your business requirements.

I am new to WAF. I am unsure of my security needs

You may have purchased a WAF instance based on a need for classified protection or the intention to improve the security level of your enterprise. In either case, you can add your website configurations to WAF and then use the default protection settings of WAF. The default protection settings are sufficient to protect your website from the majority of basic web threats.

We recommend that you browse the Overview and Security report pages in the Web Application Firewall console to understand the security posture of your business and the attacks it faces before you change the default settings.

I am an O&M engineer. I require reliable services and convenient troubleshooting

We recommend that you enable the following website protection features after you add your website configurations to WAF:

  • Website Whitelisting: You can configure a whitelist so that requests that meet specific conditions are allowed without being checked by any protection module. Because a whitelisted request bypasses every check, keep the match conditions as narrow as possible, for example a specific path combined with a specific source IP address.
    Operations: On the Website Protection page, click Website Whitelisting in the upper-right corner. On the Website Whitelisting page, create a whitelist. For more information, see Configure a website whitelist.
    To implement more precise protection, you can also configure a whitelist for a single protection module instead of for the whole website, so that matching requests are exempted only from that module.
  • IP Blacklist: This feature allows you to configure an IP address blacklist to block requests from IP addresses and CIDR blocks that are irrelevant to your business and from IP addresses in specific regions. For example, if a local government forum is accessed only by local IP addresses, you can add IP addresses from other regions to a regional blacklist. If your website does not have users outside China, you can add all the regions outside China to a regional blacklist.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. Find the IP Blacklist card and configure the required parameters. For more information, see Configure a blacklist.

  • Custom Protection Policy: This feature allows you to customize access control lists (ACLs) or throttling policies. For example, you can allow access to an API only from specific IP addresses or user agents and configure an upper limit for specific types of requests. You can also use this feature to defend against HTTP flood attacks, crawler attacks, and some special web attacks.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. Find the Custom Protection Policy card and configure the required parameters. For more information, see Create a custom protection policy.

  • Account Security: This feature allows you to monitor user authentication-related interfaces, such as the interfaces used for registration and logon, to detect events that may pose a threat to user credentials. These threats include credential stuffing, brute-force attacks, account registrations launched by bots, weak password sniffing, and SMS interface abuse.

    Operations: On the Website Protection page, click the Web Security tab. In the Data Security section, find Account Security. In the Account Security card, click Settings and configure the required parameters. For more information, see Configure account security.

I am a security engineer. I need to comprehensively prevent web intrusion

We recommend that you enable the following website protection features after you add your website configurations to WAF:

  • Decoding Settings: This feature allows you to specify the decoding methods that the WAF engine applies to requests based on the encoding schemes that your business uses. A proper set of decoding methods allows the engine to identify attack payloads inside encoded parameters and to prevent attacks precisely. WAF uses all 13 decoding methods by default. You can disable methods that your business does not use to avoid unnecessary parsing and false positives. Do not disable a method that your backend can still decode: a payload encoded in that format would then be inspected only in its encoded form and could bypass the rules.

    Operations: On the Website Protection page, click the Web Security tab. In the Web Intrusion Prevention section, find RegEx Protection Engine. In the RegEx Protection Engine card, specify Decoding Settings. For more information, see Configure the protection rules engine feature.

  • Protection Rule Group: This feature allows you to select protection rules from a built-in protection rule set based on the form, framework, and middleware of your business system. You can use these rules to customize a rule group to prevent web attacks and apply the rule group to your website. We recommend that you use this feature to configure web intrusion prevention policies for your website. If you want to configure prevention policies for a single URL, we recommend that you use the Custom Protection Policy feature.
    Operations: Log on to the Web Application Firewall console and choose System Management > Protection Rule Group. On the Protection Rule Group page, customize the rule group for web attack prevention and apply the rule group to your website. For more information, see Customize protection rule groups.
  • Custom Protection Policy: This feature allows you to customize access control lists (ACLs) or throttling policies. For example, you can allow access to an API only from specific IP addresses or user agents and configure an upper limit for specific types of requests. You can also use this feature to defend against HTTP flood attacks, crawler attacks, and some special web attacks.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. Find the Custom Protection Policy card and configure the required parameters. For more information, see Create a custom protection policy.

  • Positive Security Model (Warn mode): The positive security model is built by learning the traffic of the current domain name. The model records the parameters of each request, their types and lengths, and whether each parameter is required. After the model is built, a request that does not match the model generates an alert. Warn mode lets you detect anomalies and threats to your business without affecting legitimate requests. Review the alerts first; if the flagged requests are not legitimate business traffic, switch to Block mode. Make sure that the learning period covers representative traffic, otherwise rare but legitimate requests are flagged.

    Operations: On the Website Protection page, click the Web Security tab. In the Advanced protection section, find Positive Security Model. In the Positive Security Model card, turn on Status and set Mode to Warn. For more information, see Configure the positive security model.

  • Scan Protection (Blocking IPs Initiating High-frequency Web Attacks, Directory Traversal Prevention, Scanning Tool Blocking, and Collaborative Defense): This feature reduces the threats posed by scanners from multiple dimensions, such as threat intelligence, scanner fingerprints, and scan behavior.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. In the Scan Protection card, enable all functions and specify appropriate thresholds. For more information, see Configure scan protection.
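
The Custom Protection Policy item above (recommended for both the O&M and the security engineer scenarios) describes ACL and throttling rules in words. The following Python script is an added example written for this page, not WAF code or its API: it evaluates a small rule set (allow an API only from a partner CIDR block and user agent, block everything else aimed at that API, throttle a search endpoint per client IP) against constructed sample traffic. The rule fields, class names and sample requests are assumptions; a regional blacklist is not modeled because it needs a geolocation database.

```python
"""Illustrative evaluator for custom protection policies (ACL + throttling).

Added example for this page. Rule fields, class names and the sample traffic
are assumptions, not the WAF console's rule schema or its API.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Optional, Tuple

# Rules are evaluated top to bottom; the first rule that matches decides.
# A rule with "rate_limit" only decides once the limit is exceeded.
RULES = [
    {   # Only the partner's CIDR block with the partner's user agent may call the order API.
        "name": "orders-api-allow", "path_prefix": "/api/v1/orders", "methods": ["POST"],
        "client_ips": ["10.20.0.0/16"], "ua_prefix": "partner-sync/", "action": "allow",
    },
    {   # Any other request to the order API is blocked.
        "name": "orders-api-deny", "path_prefix": "/api/v1/orders", "action": "block",
    },
    {   # Throttling: more than 5 /search requests from one IP within 10 s are blocked.
        "name": "search-throttle", "path_prefix": "/search",
        "rate_limit": {"window_seconds": 10, "max_requests": 5}, "action": "block",
    },
]

# Constructed sample traffic: (seconds, client IP, method, path, user agent).
SAMPLE_REQUESTS = [
    (0.0, "10.20.0.5", "POST", "/api/v1/orders", "partner-sync/2.1"),    # allowed by ACL
    (0.5, "203.0.113.7", "POST", "/api/v1/orders", "partner-sync/2.1"),  # wrong source IP
    (1.0, "10.20.0.5", "POST", "/api/v1/orders", "Mozilla/5.0"),         # wrong user agent
    (2.0, "198.51.100.9", "GET", "/search?q=a", "Mozilla/5.0"),
    (2.1, "198.51.100.9", "GET", "/search?q=b", "Mozilla/5.0"),
    (2.2, "198.51.100.9", "GET", "/search?q=c", "Mozilla/5.0"),
    (2.3, "198.51.100.9", "GET", "/search?q=d", "Mozilla/5.0"),
    (2.4, "198.51.100.9", "GET", "/search?q=e", "Mozilla/5.0"),
    (2.5, "198.51.100.9", "GET", "/search?q=f", "Mozilla/5.0"),          # 6th within 10 s
    (20.0, "198.51.100.9", "GET", "/search?q=g", "Mozilla/5.0"),         # window expired
    (21.0, "198.51.100.9", "GET", "/about", "Mozilla/5.0"),              # no rule matches
]

Request = Tuple[float, str, str, str, str]


class PolicyEngine:
    def __init__(self, rules: List[dict]) -> None:
        self.rules = rules
        # Sliding-window timestamps keyed by (rule name, client IP).
        self._windows: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    @staticmethod
    def _conditions_match(rule: dict, req: Request) -> bool:
        _, ip, method, path, ua = req
        if not path.startswith(rule.get("path_prefix", "")):
            return False
        if "methods" in rule and method not in rule["methods"]:
            return False
        cidrs = rule.get("client_ips")
        if cidrs and not any(ip_address(ip) in ip_network(c) for c in cidrs):
            return False
        ua_prefix = rule.get("ua_prefix")
        if ua_prefix and not ua.startswith(ua_prefix):
            return False
        return True

    def _over_limit(self, rule: dict, req: Request) -> bool:
        limit = rule["rate_limit"]
        ts, ip = req[0], req[1]
        window = self._windows[(rule["name"], ip)]
        window.append(ts)
        # Drop timestamps that fell out of the window before counting.
        while window and ts - window[0] > limit["window_seconds"]:
            window.popleft()
        return len(window) > limit["max_requests"]

    def evaluate(self, req: Request) -> Tuple[str, Optional[str]]:
        for rule in self.rules:
            if not self._conditions_match(rule, req):
                continue
            if "rate_limit" in rule:
                if self._over_limit(rule, req):
                    return rule["action"], rule["name"]
                continue  # under the limit: later rules may still decide
            return rule["action"], rule["name"]
        return "pass", None  # no ACL decision; other protection modules still inspect it


def run_sample() -> List[str]:
    """Evaluate the constructed traffic in order and return one verdict per request."""
    engine = PolicyEngine(RULES)
    return [engine.evaluate(req)[0] for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    engine = PolicyEngine(RULES)
    for req in SAMPLE_REQUESTS:
        action, rule = engine.evaluate(req)
        print(f"{req[0]:5.1f}s {req[1]:>14} {req[2]:4} {req[3]:<20} -> {action:5} ({rule})")
```

Two details matter when you build real policies this way: an allow rule must sit above the deny rule that covers the same path, because the first match wins, and a throttling rule that is not exceeded must not short-circuit evaluation, otherwise it would silently allow requests that a later rule should block.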

I want to achieve the strongest protection and radically block attacks

We recommend that you enable the following website protection features after you add your website configurations to WAF:

  • RegEx Protection Engine (Strict rule group): The strict rule group applies the most aggressive set of built-in rules and therefore produces more false positives than the default rule group. Verify it against real business traffic before you rely on it in production.

    Operations: On the Website Protection page, click the Web Security tab. In the Web Intrusion Prevention section, find RegEx Protection Engine. In the RegEx Protection Engine card, set Protection Rule Group to Strict rule group. For more information, see Configure the protection rules engine feature.

  • Positive Security Model (Block mode): The positive security model is built by learning the traffic of the current domain name. The model records the parameters of each request, their types and lengths, and whether each parameter is required. In Block mode, a request that does not match the model is blocked instead of only generating an alert. To achieve the strongest protection, enable Block mode, but only after the model has run in Warn mode long enough for you to confirm that the alerts do not hit legitimate traffic.

    Operations: On the Website Protection page, click the Web Security tab. In the Advanced Protection section, find Positive Security Model. In the Positive Security Model card, turn on Status and set Mode to Block. For more information, see Configure the positive security model.

  • Scan Protection (Blocking IPs Initiating High-frequency Web Attacks, Directory Traversal Prevention, Scanning Tool Blocking, and Collaborative Defense): This feature reduces the threats posed by scanners from multiple dimensions, such as threat intelligence, scanner fingerprints, and scan behavior.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. In the Scan Protection card, enable all functions and specify appropriate thresholds. For more information, see Configure scan protection.

  • IP Blacklist: This feature allows you to configure an IP address blacklist to block requests from IP addresses and CIDR blocks that are irrelevant to your business and from IP addresses in specific regions. For example, if a local government forum is accessed only by local IP addresses, you can add IP addresses from other regions to a regional blacklist. If your website does not have users outside China, you can add all the regions outside China to a regional blacklist.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. Find the IP Blacklist card and configure the required parameters. For more information, see Configure a blacklist.
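
The Positive Security Model item appears in Warn mode in the security engineer scenario and in Block mode here. The following Python script is an added example written for this page, not WAF's learning algorithm: it learns parameter names, whether each is required, the narrowest type that fits every observed value and the longest observed value for an endpoint from constructed sample traffic, then evaluates new requests in warn mode (alert) and block mode (block). The type lattice, the length slack and the sample traffic are assumptions.

```python
"""Illustrative positive security model: learn per-endpoint parameter shapes,
then flag requests that deviate. Added example for this page; the type lattice,
length slack and sample traffic are assumptions, not WAF's actual model.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Types from narrowest to widest; a profile widens when a sample needs a wider type.
TYPE_ORDER = {"int": 0, "alnum": 1, "text": 2}
LENGTH_SLACK = 2  # tolerate values up to twice the longest learned length
_INT_RE = re.compile(r"^-?\d+$")


def infer_type(value: str) -> str:
    if _INT_RE.match(value):
        return "int"
    if value.isalnum():
        return "alnum"
    return "text"


@dataclass
class ParamProfile:
    type_: str
    max_len: int
    seen: int  # number of learning samples in which the parameter appeared


@dataclass
class EndpointModel:
    samples: int = 0
    params: Dict[str, ParamProfile] = field(default_factory=dict)


class PositiveSecurityModel:
    def __init__(self) -> None:
        self.endpoints: Dict[Tuple[str, str], EndpointModel] = {}

    def learn(self, method: str, path: str, params: Dict[str, str]) -> None:
        """Fold one observed request into the model for (method, path)."""
        model = self.endpoints.setdefault((method, path), EndpointModel())
        model.samples += 1
        for name, value in params.items():
            t = infer_type(value)
            p = model.params.get(name)
            if p is None:
                model.params[name] = ParamProfile(t, len(value), 1)
                continue
            if TYPE_ORDER[t] > TYPE_ORDER[p.type_]:
                p.type_ = t
            p.max_len = max(p.max_len, len(value))
            p.seen += 1

    def check(self, method: str, path: str, params: Dict[str, str],
              mode: str = "warn") -> Tuple[str, List[str]]:
        """Return ("allow", []) or ("alert" / "block", anomalies) depending on mode."""
        model = self.endpoints.get((method, path))
        anomalies: List[str] = []
        if model is None:
            anomalies.append("endpoint not in model")
        else:
            for name, p in model.params.items():
                # A parameter present in every learning sample is treated as required.
                if p.seen == model.samples and name not in params:
                    anomalies.append(f"missing required parameter {name}")
            for name, value in params.items():
                p = model.params.get(name)
                if p is None:
                    anomalies.append(f"unexpected parameter {name}")
                    continue
                if len(value) > p.max_len * LENGTH_SLACK:
                    anomalies.append(f"{name} length {len(value)} exceeds learned {p.max_len}")
                if TYPE_ORDER[infer_type(value)] > TYPE_ORDER[p.type_]:
                    anomalies.append(f"{name} type {infer_type(value)} wider than learned {p.type_}")
        if not anomalies:
            return "allow", anomalies
        return ("block" if mode == "block" else "alert"), anomalies


# Constructed learning traffic for GET /item: id is always an integer, lang is
# always a short alphanumeric code, ref is optional free text.
LEARNING_TRAFFIC = [
    {"id": "1001", "lang": "en"},
    {"id": "57", "lang": "zh", "ref": "newsletter-2024"},
    {"id": "99231", "lang": "en"},
    {"id": "8", "lang": "de", "ref": "partner site"},
]


def build_model() -> PositiveSecurityModel:
    model = PositiveSecurityModel()
    for params in LEARNING_TRAFFIC:
        model.learn("GET", "/item", params)
    return model


if __name__ == "__main__":
    m = build_model()
    for params in ({"id": "42", "lang": "en"},
                   {"id": "42 OR 1=1", "lang": "en"},
                   {"id": "7", "lang": "en", "debug": "1"},
                   {"lang": "en"},
                   {"id": "1" * 200, "lang": "en"}):
        for mode in ("warn", "block"):
            print(mode, m.check("GET", "/item", params, mode))
```

The injection-looking `id` is caught by the type check (text is wider than the learned int), not by any attack signature, which is the point of a positive model. The flip side is visible in the sample too: the optional `ref` parameter was seen in only two of four samples, so with a shorter learning period it could have been missed entirely and later flagged as unexpected, which is why the learning period needs to cover representative traffic before Block mode is enabled.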

My website is often crawled and is at risk of data breach or tampering

We recommend that you enable the following website protection features after you add your website configurations to WAF:

  • Data Risk Control: This feature is best suited for defending against bot traffic that is generated by scripts or automated tools and destined for specific APIs for logon, registration, and order placing.
    Note Data risk control depends on JavaScript plug-ins and is applicable only to web pages. Do not use this feature for APIs that are called by native apps; use App Protection for those. If you are not sure whether this feature is suitable for your API, submit a ticket or contact technical support by using DingTalk.

    Operations: On the Website Protection page, click the Bot Management tab. In the Data Risk Control card, configure the required parameters. For more information, see Configure data risk control.

  • Data Leakage Prevention: This feature allows you to inspect the content that the server returns, block abnormal pages and responses that contain specified keywords, and filter (mask) sensitive information such as ID numbers, bank card numbers, and telephone numbers before the response reaches the client.

    Operations: On the Website Protection page, click the Web Security tab. In the Data Security section, find Data Leakage Prevention. In the Data Leakage Prevention card, configure the required parameters. For more information, see Configure data leakage prevention.

  • Website Tamper-proofing: This feature allows you to lock specified web pages to prevent content tampering. When a locked web page is requested, WAF returns the cached copy that you preconfigured instead of the page served by the origin server. After you legitimately update a locked page, refresh its cached copy; otherwise the outdated copy continues to be served.

    Operations: On the Website Protection page, click the Web Security tab. In the Data Security section, find Website Tamper-proofing. In the Website Tamper-proofing card, configure the required parameters. For more information, see Configure the website tamper-proofing feature.

  • Custom Protection Policy: You can enable JavaScript verification for frequently crawled static web pages at one click to block most scripts and automated programs. You can also use fine-grained frequency control to enable slider verification for sessions from which access requests are initiated at an abnormally high frequency.

    Operations: On the Website Protection page, click the Access Control/Throttling tab. Find the Custom Protection Policy card and configure the required parameters. For more information, see Create a custom protection policy.

  • Account Security: This feature allows you to monitor user authentication-related interfaces, such as the interfaces used for registration and logon, to detect events that may pose a threat to user credentials. These threats include credential stuffing, brute-force attacks, account registrations launched by bots, weak password sniffing, and SMS interface abuse.

    Operations: On the Website Protection page, click the Web Security tab. In the Data Security section, find Account Security. In the Account Security card, click Settings and configure the required parameters. For more information, see Configure account security.

  • Allowed Crawlers: This feature maintains a whitelist of authorized search engines, such as Google, Bing, Baidu, Sogou and Yandex. The crawlers of these search engines are allowed to access the specified domain names.

    Operations: On the Website Protection page, click the Bot Management tab. In the Allowed Crawlers card, configure the required parameters. For more information, see Configure the allowed crawlers function.

  • Bot Threat Intelligence: This feature provides information about suspicious IP addresses used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents crawlers from accessing your website or specific directories.

    Operations: On the Website Protection page, click the Bot Management tab. In the Bot Threat Intelligence card, configure the required parameters. For more information, see Configure bot threat intelligence rules.

  • App Protection: This feature provides secure connections and anti-bot protection for native apps and can identify proxies, emulators, and requests with invalid signatures.

    Operations: On the Website Protection page, click the Bot Management tab. In the App Protection card, configure the required parameters. For more information, see Configure application protection.
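
The Data Leakage Prevention item above lists what gets filtered from server responses. As an added example written for this page (not WAF's implementation or rule format), the following Python script inspects a constructed origin response: it blocks abnormal pages (server errors and stack traces) and masks PRC resident ID numbers, bank card numbers, mainland China mobile numbers and configured sensitive words. Checksum validation (the ID check character and the Luhn algorithm) keeps order numbers and other long digit strings from being masked as false positives. All sample data is constructed; the card number is the well-known 4111... test number.

```python
"""Illustrative response filter: block abnormal pages, mask sensitive data.

Added example for this page. Patterns, checksum filters, the masking style and
the sample bodies are assumptions, not WAF's rule set or output format.
"""
import re
from typing import Callable, List, Optional, Tuple

# PRC resident ID: 17 digits plus an ISO 7064 MOD 11-2 check character.
_ID_RE = re.compile(r"(?<![\dXx])\d{17}[\dXx](?![\dXx])")
_ID_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
_ID_CHECK = "10X98765432"
# Bank cards are 13 to 19 digits; the Luhn check weeds out order numbers and the like.
_CARD_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Mainland China mobile numbers: 11 digits starting with 13 to 19.
_MOBILE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")
_STACK_TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)|\bat [\w.$]+\([\w.]+:\d+\)|Exception in thread"
)


def valid_prc_id(s: str) -> bool:
    total = sum(int(c) * w for c, w in zip(s[:17], _ID_WEIGHTS))
    return s[17].upper() == _ID_CHECK[total % 11]


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep_tail: int = 4) -> str:
    return "*" * (len(value) - keep_tail) + value[-keep_tail:]


def is_abnormal_page(status: int, body: str) -> bool:
    return status >= 500 or _STACK_TRACE_RE.search(body) is not None


def filter_response(status: int, body: str,
                    sensitive_words: List[str]) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Return (action, body_to_send, findings); action is block, filter or pass."""
    if is_abnormal_page(status, body):
        # Never leak error pages or stack traces to the client.
        return "block", "Service temporarily unavailable.", [("abnormal_page", str(status))]

    findings: List[Tuple[str, str]] = []

    def _sub(pattern: "re.Pattern[str]", kind: str,
             validator: Optional[Callable[[str], bool]] = None) -> None:
        nonlocal body

        def repl(m: "re.Match[str]") -> str:
            v = m.group(0)
            if validator is not None and not validator(v):
                return v  # looks like the pattern but fails its checksum: leave it
            findings.append((kind, v))
            return mask(v)

        body = pattern.sub(repl, body)

    # Order matters: the digits of an ID number also match the card pattern, so mask IDs first.
    _sub(_ID_RE, "id_number", valid_prc_id)
    _sub(_CARD_RE, "bank_card", luhn_ok)
    _sub(_MOBILE_RE, "mobile_number")
    for word in sensitive_words:
        if word in body:
            findings.append(("sensitive_word", word))
            body = body.replace(word, "***")
    return ("filter" if findings else "pass"), body, findings


# Constructed origin responses for the demonstration.
SAMPLE_BODY = (
    "<p>Customer: Zhang San</p>\n"
    "<p>ID number: 11010519491231002X</p>\n"
    "<p>Card: 4111111111111111</p>\n"
    "<p>Order: 1234567890123456</p>\n"
    "<p>Mobile: 13812345678</p>\n"
    "<p>Internal note: salary data attached</p>\n"
)
SAMPLE_ERROR_BODY = "java.lang.NullPointerException\n\tat com.example.Shop.checkout(Shop.java:42)\n"

if __name__ == "__main__":
    for status, body in ((200, SAMPLE_BODY), (200, SAMPLE_ERROR_BODY), (503, "<p>oops</p>")):
        action, out, found = filter_response(status, body, ["salary data"])
        print(action, found)
        print(out)
```

The order number in the sample survives untouched because it fails the Luhn check, while the card number is masked; without the checksum step every 16-digit order or tracking number on the page would be masked too, which is the usual source of complaints when a leakage-prevention rule is turned on with bare regexes.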
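
The Account Security item (recommended in both the O&M scenario and this one) lists the credential threats that WAF monitors for. As an added example written for this page, not WAF's detection logic or log schema, the following Python script runs simple detections for brute force, credential stuffing and SMS interface abuse over constructed access-log lines. The log format, endpoint paths, time window and thresholds are assumptions.

```python
"""Illustrative account-security detections over access-log lines.

Added example for this page. The log format, endpoint paths, window and
thresholds are assumptions, not WAF's detection rules or log schema.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed log lines: time, client IP, method, path, HTTP status, optional username.
LOG_LINES = [
    # Normal user: one typo, then success.
    "2024-05-01T10:00:01Z 192.0.2.8 POST /login 401 user=li.wei",
    "2024-05-01T10:00:09Z 192.0.2.8 POST /login 200 user=li.wei",
    # Brute force: six failures against the admin account from one IP.
    *[f"2024-05-01T10:00:{10 + i:02d}Z 198.51.100.20 POST /login 401 user=admin" for i in range(6)],
    # Credential stuffing: ten different accounts from one IP, nine fail, one succeeds.
    *[f"2024-05-01T10:00:{20 + i:02d}Z 203.0.113.44 POST /login 401 user=user{i:02d}" for i in range(9)],
    "2024-05-01T10:00:29Z 203.0.113.44 POST /login 200 user=user09",
    # SMS interface abuse: six verification-code requests from one IP.
    *[f"2024-05-01T10:00:{30 + i:02d}Z 203.0.113.99 POST /api/sms/send 200" for i in range(6)],
    # A page view that the detector ignores.
    "2024-05-01T10:00:40Z 192.0.2.8 GET /account 200 user=li.wei",
]

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})(?: user=(?P<user>\S+))?$"
)

LOGIN_PATH = "/login"
SMS_PATH = "/api/sms/send"
WINDOW_SECONDS = 60
BRUTE_FORCE_FAILURES = 5         # failed logins against one account from one IP
STUFFING_MIN_ACCOUNTS = 8        # distinct accounts tried from one IP ...
STUFFING_MIN_FAILURE_RATE = 0.8  # ... with at least this share of failures
SMS_MAX_REQUESTS = 5             # SMS sends from one IP within the window

Event = Tuple[float, str, str, str, int, Optional[str]]


def parse(lines: List[str]) -> List[Event]:
    events: List[Event] = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline should count these
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
        events.append((ts, m["ip"], m["method"], m["path"], int(m["status"]), m["user"]))
    return events


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return alerts as (kind, client IP, detail), at most one per IP and kind."""
    events = parse(lines)
    # Fixed windows keyed by (IP, window index); simpler to show than a sliding window.
    Key = Tuple[str, int]
    login_outcomes: Dict[Key, List[bool]] = defaultdict(list)          # True = failed
    login_users: Dict[Key, Set[str]] = defaultdict(set)
    login_fail_by_user: Dict[Key, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    sms_count: Dict[Key, int] = defaultdict(int)

    for ts, ip, method, path, status, user in events:
        key = (ip, int(ts // WINDOW_SECONDS))
        if method == "POST" and path == LOGIN_PATH and user:
            failed = status in (401, 403)
            login_outcomes[key].append(failed)
            login_users[key].add(user)
            if failed:
                login_fail_by_user[key][user] += 1
        elif method == "POST" and path == SMS_PATH:
            sms_count[key] += 1

    alerts: List[Tuple[str, str, str]] = []
    for key, outcomes in login_outcomes.items():
        ip = key[0]
        failures = sum(outcomes)
        worst_user, worst = max(login_fail_by_user[key].items(), key=lambda kv: kv[1],
                                default=(None, 0))
        # Many failures against one account: password guessing.
        if worst >= BRUTE_FORCE_FAILURES:
            alerts.append(("brute_force", ip, f"{worst} failed logins for {worst_user}"))
        # Many different accounts, nearly all failing: leaked credential lists being replayed.
        if (len(login_users[key]) >= STUFFING_MIN_ACCOUNTS
                and failures / len(outcomes) >= STUFFING_MIN_FAILURE_RATE):
            alerts.append(("credential_stuffing", ip,
                           f"{len(login_users[key])} accounts, {failures}/{len(outcomes)} failed"))
    for key, count in sms_count.items():
        if count > SMS_MAX_REQUESTS:
            alerts.append(("sms_abuse", key[0], f"{count} SMS requests"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(LOG_LINES):
        print(f"{kind:20} {ip:>14}  {detail}")
```

The two login detections deliberately use different signals: brute force is many failures against one account, credential stuffing is many accounts with a high failure rate, and the stuffing IP in the sample does not trip the brute-force rule because each account is tried only once. Note that the one successful login in the stuffing burst is exactly the event worth following up, since it indicates a valid reused credential.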