You can use the API request security function to upload a custom API rule file to ensure only requests that comply with the rules are executed. This protects your website assets from threats such as tampering and replay attacks.


WAF Business Edition and higher support API security. Ensure that WAF Business, Enterprise, or Exclusive Edition is activated.

Background information

After you upload the API rule file, the API security function automatically parses the content of the file, and verifies access requests based on the rules. WAF either blocks API requests that do not comply with the rules or generates alerts for the requests.

Typically, API access requests that have inconsistent request paths or contain parameter values out of the valid range are identified as invalid.

Note The API security function is now under public preview and is provided free of charge.


  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Lab > API Request Security.
  4. On the API Request Security page, click Import.
  5. In the dialog box that appears, select the API rule file to be uploaded and click Open.
    After the API rule file is imported, the file content is automatically parsed and displayed in the rule list on the API Request Security page.API security rules
    Note The file has the following restrictions:
    • The file size does not exceed 128 KB.
    • The file must be in the Swagger 2.0-compliant XML or JSON format.
    On the API Request Security page, you can:
    • View the status of API security rules.
      After the file is imported, the status of the API rule is Enabled and the protection status is Warn by default. In this case, WAF generates an alert if an invalid request is detected. You can view the alert information on the API Request Security tab on the Security report page.Security reports-API security
    • Modify the status.

      In the rule list, you can turn on or off the switch in the Status column to enable or disable the API rule. If you disable the API rule (Disabled), WAF no longer detects requests of this API or generates alerts.

    • Modify the protection status.

      In the Protection Status column, you can click either Warn or Block. If you click Block, WAF blocks all invalid access requests to this API.

    • View API information.

      In the Operation column, click Details to view WAF API information, including URL, request method, parameters, parameter values, description, and whether the parameters are required.