Alibaba Cloud WAF protects your web resources against common web application attacks, such as SQL injection and cross-site scripting (XSS). You can select an inspection intensity (loose, normal, or strict) that suits your needs.

Background information

Once you have added your domain to the WAF protection list, you can enable Web application protection for it, and select a suitable protection policy at any time based on your actual needs. If you don't want to use the Web application protection function, you can disable it.

Make sure that you have added your domain to the WAF protection list before proceeding with the following operations. For more information, see WAF deployment guide.


  1. Log on to the Alibaba Cloud WAF console.
  2. Go to the Management > Website Configuration page, and select the region of your WAF instance (Mainland China or International).
  3. Select the domain to be configured, and click Policies.
  4. Enable Web Application Protection, and select the Mode.
    Note: If you don't want to use this function, you can disable it on this page.

    • Protection: Blocks the request when an attack is detected.
    • Warning: Alerts you when an attack is detected. You determine whether to block the request or not.
  5. In the Mode of protection policy drop-down list, select a protection policy:
    • By default, the Normal mode is selected.
    • Enable the Loose mode when the Normal mode produces many false positives, or when the site accepts user input that you cannot constrain (for example, a rich text editor or a technology forum).
    • Enable the Strict mode when you require stricter protection against path traversal, SQL injection, and command execution attacks.