Web application protection provides different levels of protection policies, including
loose, normal, and strict, to prevent common Web application attacks such as SQL injection
and XSS attacks.
Background information
After you add your domain to the WAF protection list, you can enable Web application
protection for this domain, and select a protection policy. This feature takes effect
immediately after you enable it. You can disable it at any time.
Before you perform the following operations, make sure that you have added the domain
to WAF for protection. For more information, see Use WAF CNAME to add domains for protection.
Procedure
- Log on to the WAF console.
- In the left-side navigation pane, choose . On the Website Configuration page, select the region of your WAF instance. The options
include Mainland China and International.
- In the domain list, find the domain to be configured, and click Policies in the Operation column.
- Enable Web Application Protection, and select a mode.
Note You can disable this feature on this page.
- Prevention mode: detects and blocks attacks.
- Detection mode: detects attacks and generates alerts.
- In the Policy drop-down list, select a protection policy.
- By default, the Normal policy is selected.
- If the Normal policy blocks many legitimate requests, or the website accepts a large
amount of uncontrollable user input (for example, rich text editors or technical forums),
we recommend that you use the Loose policy.
- If you require stricter protection against path traversal, SQL injections, and command
execution attacks, we recommend that you use the Strict policy.
- Click Settings on the right of Decoding Settings. In the Decoding Settings dialog box, select the data formats that the Web application
protection feature decodes and analyzes before it matches protection rules. If the feature
often blocks legitimate requests that carry data in a specific format, open the Decoding
Settings dialog box, clear the check box of that format, and click OK.
Note To ensure high performance, the feature decodes and analyzes the request data of all
formats by default. You cannot clear URL decoding, JavaScript Unicode decoding, hex
decoding, comment processing, or space compression.
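To make the decoding step concrete, the following is an added Python model (not Alibaba Cloud WAF code) of a decoding stage that applies the non-clearable decoders before signature matching, and refuses to clear any of them; the decoder names and order, the two signatures, and the sample parameter values are assumptions made for illustration. The normalized value is what the protection rules see, which is why an enabled format costs decoding work but keeps an encoded form from slipping past a rule.

```python
import base64
import re
from urllib.parse import unquote

# Decoders the page says cannot be cleared (names are ours, not the product's).
MANDATORY = ("url", "js_unicode", "hex", "comment", "space")
# Order in which the stage applies enabled decoders; "base64" is a hypothetical
# optional decoder that a tenant is allowed to clear.
ORDER = ("url", "base64", "js_unicode", "hex", "comment", "space")

def _js_unicode(s):
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
def _hex(s):
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
def _comment(s):
    # Replace a /* */ comment with one space so it cannot glue two tokens together.
    return re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
def _space(s):
    return re.sub(r"\s+", " ", s).strip()
def _base64(s):
    # Only decode when the whole value is valid base64 that yields UTF-8 text.
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return s

DECODERS = {"url": unquote, "js_unicode": _js_unicode, "hex": _hex,
            "comment": _comment, "space": _space, "base64": _base64}
# Deliberately tiny signature set; a real engine has far more rules.
SIGNATURES = {"xss_tag": re.compile(r"<script", re.I),
              "sqli_union": re.compile(r"\bunion\s+select\b", re.I)}

def normalize(raw, cleared=frozenset()):
    """Apply every decoder that is not cleared; mandatory ones cannot be cleared."""
    illegal = set(cleared) & set(MANDATORY)
    if illegal:
        raise ValueError(f"cannot clear mandatory decoder(s): {sorted(illegal)}")
    value = raw
    for name in ORDER:
        if name not in cleared:
            value = DECODERS[name](value)
    return value

def inspect(raw, cleared=frozenset()):
    """Return (matched signature name or None, normalized value) for one parameter."""
    value = normalize(raw, cleared)
    hit = next((n for n, p in SIGNATURES.items() if p.search(value)), None)
    return hit, value

if __name__ == "__main__":
    # Constructed sample parameter values, not captured traffic.
    for s in ("John%20Smith", "%5Cu003cscript%5Cu003e", "1%20UNION/**/SELECT%20x"):
        print(s, "->", inspect(s))
```

Running the script shows that the first value passes clean, the second only matches after URL decoding followed by JavaScript Unicode decoding, and the third only matches after comment processing and space compression have run.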
