You can use the API security function to upload a custom API rule file to ensure that only requests that comply with the rules are executed. This protects your website assets from threats such as tampering and replay attacks.
- A WAF instance is purchased. The instance must meet the following requirements:
  - The instance is billed on a subscription basis.
  - If the instance is deployed in mainland China, the instance must be of the Business or higher edition.
  - If the instance is deployed outside mainland China, the instance must be of the Enterprise or higher edition.
  For more information, see Purchase a WAF instance.
- Your website is added to the WAF console. For more information, see Add domain names.
Typically, API access requests whose request paths do not match a defined API, or that contain parameter values outside the valid range, are identified as invalid.
- Log on to the Web Application Firewall console.
- In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
- In the left-side navigation pane, choose .
- On the API Request Security page, click Switch Domain Name and switch to the domain name that you want to protect.
- Click Import.
- In the dialog box that appears, select the API rule file to be uploaded and click Open.
Note: The file has the following restrictions:
- The file size does not exceed 128 KB.
- The file must be in the Swagger 2.0-compliant XML or JSON format.
Swagger is a specification used to describe API definitions. It is widely used to define and describe APIs for backend services. For more information about Swagger extensions, see Import Swagger files to create APIs.
After the API rule file is imported, the file content is automatically parsed and displayed in the rule list on the API Request Security page. On the API Request Security page, you can:
- View the status of API security rules.
After the file is imported, the status of the API security rule is Enabled and the protection status is Warn. In this case, WAF generates an alert if an invalid request is detected. You can view the alert information on the API Request Security tab on the Security report page.
- Modify the status.
In the rule list, you can turn on or off the switch in the Status column to enable or disable the API rule. If you disable the API security rule (Disabled), WAF no longer detects requests of this API or generates alerts.
- Modify the protection status.
In the Protection Status column, you can click either Warn or Block. If you click Block, WAF blocks all invalid access requests to this API.
- View API information.
In the Operation column, click Details to view the API information. The information includes the URL, request method, parameters, parameter values, description, and whether the parameters are required.
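To make concrete what a Swagger 2.0 rule file contains and what "inconsistent request path" or "parameter value out of the valid range" means when WAF evaluates a request against it, the following is an added, self-contained Python example. It is not Alibaba Cloud's or WAF's own code: the two APIs in the embedded Swagger document are constructed, and the checker is a simplified model of the classification the page describes (unknown path or method, missing required parameter, or value outside the declared type, range or enum means invalid). The 128 KB limit it enforces is the one stated above; the JSON field names are those of the Swagger 2.0 specification.

```python
"""Constructed example: a minimal Swagger 2.0 rule file and a checker that
classifies requests as valid or invalid in the way the page describes.
Illustrative only; not the WAF implementation."""
import json
import re

MAX_RULE_FILE_BYTES = 128 * 1024  # size limit stated on the page

# Constructed Swagger 2.0 document describing two APIs (sample data, not real).
SWAGGER_JSON = json.dumps({
    "swagger": "2.0",
    "info": {"title": "orders", "version": "1.0"},
    "basePath": "/api",
    "paths": {
        "/orders/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True, "type": "integer"},
                    {"name": "verbose", "in": "query", "required": False, "type": "boolean"},
                ]
            }
        },
        "/orders": {
            "post": {
                "parameters": [
                    {"name": "qty", "in": "query", "required": True,
                     "type": "integer", "minimum": 1, "maximum": 100},
                    {"name": "currency", "in": "query", "required": True,
                     "type": "string", "enum": ["CNY", "USD"]},
                ]
            }
        },
    },
})


def load_rules(text):
    """Parse a JSON rule file, enforcing the 128 KB limit and the Swagger 2.0 version.
    Returns a list of (METHOD, compiled path regex, parameter specs).
    Path-level 'parameters' entries are ignored in this simplified model."""
    if len(text.encode("utf-8")) > MAX_RULE_FILE_BYTES:
        raise ValueError("rule file exceeds 128 KB")
    doc = json.loads(text)
    if doc.get("swagger") != "2.0":
        raise ValueError("not a Swagger 2.0 document")
    base = doc.get("basePath", "").rstrip("/")
    rules = []
    for tmpl, ops in doc["paths"].items():
        # Turn "/orders/{id}" into a regex with one named group per path parameter.
        pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", base + tmpl)
        for method, op in ops.items():
            if method.lower() in ("get", "post", "put", "delete", "patch", "head", "options"):
                rules.append((method.upper(), re.compile("^" + pattern + "$"),
                              op.get("parameters", [])))
    return rules


def _value_ok(spec, raw):
    """Check one raw string value against its Swagger type, range and enum."""
    t = spec.get("type")
    if t == "integer":
        try:
            v = int(raw)
        except ValueError:
            return False
        if "minimum" in spec and v < spec["minimum"]:
            return False
        if "maximum" in spec and v > spec["maximum"]:
            return False
    elif t == "boolean" and raw not in ("true", "false"):
        return False
    if "enum" in spec and raw not in spec["enum"]:
        return False
    return True


def check_request(rules, method, path, query):
    """Return (verdict, reason). 'valid' means the request matches a defined API
    and every parameter passes; 'invalid' is what WAF would warn on or block."""
    for m, rx, params in rules:
        match = rx.match(path)
        if m != method or not match:
            continue
        values = dict(match.groupdict())  # path parameters
        values.update(query)              # query parameters
        for spec in params:
            name = spec["name"]
            if name not in values:
                if spec.get("required"):
                    return "invalid", f"missing required parameter {name}"
                continue
            if not _value_ok(spec, values[name]):
                return "invalid", f"parameter {name} out of valid range"
        return "valid", "matches " + rx.pattern
    return "invalid", "no API rule matches this path and method"


if __name__ == "__main__":
    rules = load_rules(SWAGGER_JSON)
    for req in [("GET", "/api/orders/42", {}),
                ("POST", "/api/orders", {"qty": "500", "currency": "CNY"}),
                ("GET", "/api/admin", {})]:
        print(req[0], req[1], req[2], "->", check_request(rules, *req))
```

In the Warn protection status, each "invalid" verdict here corresponds to an alert on the API Request Security tab of the Security report page; in the Block status it corresponds to a blocked request. A useful check before enabling Block is to run real traffic samples through the rule file in Warn mode first and confirm that legitimate requests (such as optional parameters the backend accepts but the rule file omits) are not being classified as invalid.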