Web Application Firewall (WAF) inspects incoming HTTP and HTTPS traffic and applies protection rules to block malicious requests before they reach your origin servers. This page lists all available protection features, their default state, and links to configuration guides.
Protection features
Features marked On by default are active as soon as you add a domain name. All others must be enabled manually.
Web security
| Feature | What it does | Default state |
|---|---|---|
| Protection rules engine | Blocks common web attacks based on built-in rules, including SQL injection, cross-site scripting (XSS), webshells, command injection, backdoor isolation, invalid file requests, path traversal, and exploitation of common vulnerabilities. | On by default |
| Protection rule group | Lets you combine protection rules into a custom rule group and apply it to specific websites. Custom rule groups are available for the protection rules engine only. | Must be enabled |
| Website tamper-proofing | Locks specific web pages so that WAF serves a cached copy when those pages are requested, preventing unauthorized modifications. | Must be enabled |
| Data leakage prevention | Scans server responses and masks sensitive data—such as ID card numbers, bank card numbers, phone numbers, and sensitive words—before returning masked information or default error pages to visitors. | Must be enabled |
| Positive security model | Uses machine learning to analyze normal traffic patterns for your website and automatically generates tailored security policies based on that baseline. | Must be enabled |
Bot management
| Feature | What it does | Default state |
|---|---|---|
| Allowed crawlers | Maintains a whitelist of trusted search engine crawlers—Google, Bing, Baidu, Sogou, and Yandex—and allows them to access specified domain names. | Must be enabled |
| Bot threat intelligence | Identifies suspicious IP addresses associated with dialers, on-premises data centers, and malicious scanners. Maintains a dynamic library of known malicious crawler IPs to block access to your websites or specific directories. | Must be enabled |
| Data risk control | Protects business-critical endpoints—such as registration, login, campaign, and forum pages—against fraud and abuse. | Must be enabled |
| Application protection | Provides secure connections and anti-bot protection for native applications. Detects and blocks proxies, emulators, and requests with invalid signatures. | Must be enabled |
Access control and throttling
| Feature | What it does | Default state |
|---|---|---|
| HTTP flood protection | Defends against HTTP flood attacks using configurable protection modes. | On by default |
| IP address blacklist | Blocks requests from specified IP addresses, CIDR blocks, or geographic regions. | Must be enabled |
| Scan protection | Automatically blocks source IPs that trigger multiple web attacks or targeted directory traversal attempts within a short window. Also blocks IPs from common scan tools and the Alibaba Cloud malicious IP library. | Must be enabled |
| Custom protection policies | Lets you define access control rules and rate limiting based on precise match conditions. | Must be enabled |
Protection Lab
| Feature | What it does | Default state |
|---|---|---|
| Account security | Monitors authentication endpoints—such as registration and login pages—for threats including credential stuffing, brute-force attacks, spam registration, weak password sniffing, and SMS flood attacks. | Must be enabled |
Whitelists
Configure whitelists to exclude specific requests from one or more protection features.
| Feature | Scope | Default state |
|---|---|---|
| Website whitelist | Matching requests bypass all protection features and go directly to origin servers. | Must be enabled |
| Web intrusion prevention whitelist | Matching requests bypass specified web security features, such as the protection rules engine. | Must be enabled |
| Data security whitelist | Matching requests bypass website tamper-proofing, data leakage prevention, and account security. | Must be enabled |
| Bot management whitelist | Matching requests bypass bot threat intelligence, data risk control, intelligent algorithm, and application protection. | Must be enabled |
| Access control and throttling whitelist | Matching requests bypass HTTP flood protection, IP address blacklist, scan protection, and custom protection policies. | Must be enabled |
Disable WAF protection
To disable WAF protection, go to Asset Center > Website Access in the WAF 2.0 console and turn off WAF Protection.