You can use the API request security function to upload a custom API rule file to ensure only requests that comply with the rules are executed. This protects your website assets from threats such as tampering and replay attacks.
Typically, API access requests that have inconsistent request paths or contain parameter values out of the valid range are identified as invalid.
- Log on to the Web Application Firewall console.
- In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
- In the left-side navigation pane, choose .
- On the API Request Security page, click Import.
- In the dialog box that appears, select the API rule file to be uploaded and click
After the API rule file is imported, the file content is automatically parsed and displayed in the rule list on the API Request Security page.
Note: The file has the following restrictions:
- The file size does not exceed 128 KB.
- The file must be in the Swagger 2.0-compliant XML or JSON format.
- View the status of API security rules.
After the file is imported, the status of the API rule is Enabled and the protection status is Warn by default. In this case, WAF generates an alert if an invalid request is detected. You can view the alert information on the API Request Security tab on the Security report page.
- Modify the status.
In the rule list, you can turn the switch in the Status column on or off to enable or disable the API rule. If you disable the API rule (Disabled), WAF no longer detects requests to this API or generates alerts.
- Modify the protection status.
In the Protection Status column, you can click either Warn or Block. If you click Block, WAF blocks all invalid access requests to this API.
- View API information.
In the Operation column, click Details to view WAF API information, including URL, request method, parameters, parameter values, description, and whether the parameters are required.
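The following added example (not Alibaba Cloud code and not part of the original page) checks a rule file against the two import restrictions listed above before upload, and models the two kinds of invalid request described at the top of the page: a path that is not in the rule file and a parameter value outside the valid range. It assumes a JSON rule file, exact (non-templated) paths and query parameters only; the `/orders` API, its parameters and the function names are constructed for illustration.

```python
import json

MAX_BYTES = 128 * 1024  # size limit stated on this page
LOW, HIGH = float("-inf"), float("inf")  # defaults when no range is declared

# Constructed sample rule file (Swagger 2.0 JSON); all names are illustrative.
SAMPLE = json.dumps({
    "swagger": "2.0", "info": {"title": "orders", "version": "1.0"},
    "paths": {"/orders": {"get": {
        "parameters": [
            {"name": "page", "in": "query", "type": "integer",
             "required": True, "minimum": 1, "maximum": 500},
            {"name": "sort", "in": "query", "type": "string", "enum": ["asc", "desc"]},
        ],
        "responses": {"200": {"description": "ok"}}}}},
}).encode()

def preflight(raw):
    """Return problems that would make the file unsuitable for import."""
    problems = ["file exceeds 128 KB"] if len(raw) > MAX_BYTES else []
    try:
        spec = json.loads(raw)
    except ValueError:
        return problems + ["not valid JSON"]
    if not isinstance(spec, dict) or spec.get("swagger") != "2.0":
        problems.append("not a Swagger 2.0 document")
    return problems

def violations(spec, method, path, query):
    """Simplified model of the checks described above; not the WAF engine."""
    op = spec.get("paths", {}).get(path, {}).get(method.lower())
    if op is None:
        return ["path/method not defined in the rule file"]
    found = []
    for p in op.get("parameters", []):
        name, value = p["name"], query.get(p["name"])
        if value is None:
            if p.get("required"):
                found.append(f"{name}: required parameter missing")
        elif p.get("type") == "integer":
            try:
                ok = p.get("minimum", LOW) <= int(value) <= p.get("maximum", HIGH)
            except ValueError:
                ok = False
            if not ok:
                found.append(f"{name}: not an integer in the valid range")
        elif "enum" in p and value not in p["enum"]:
            found.append(f"{name}: not an allowed value")
    return found
```

A parameter declared without `minimum`, `maximum` or `enum` passes any value in this model, so a rule file that omits them gives no range check for that parameter.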