Web Application Firewall (WAF) filters malicious HTTP and HTTPS traffic before it reaches your origin servers, then forwards clean traffic through. This protects your web applications from common attacks without changes to your application code or infrastructure.
How it works
Traffic destined for your website is routed through WAF. WAF inspects each request, applies your configured protection rules, and either forwards clean requests to your origin server or blocks malicious ones. Your origin server's IP address stays hidden from attackers throughout.
Protected resource types
WAF protects websites and web applications running on:
Alibaba Cloud ECS instances — using either CNAME record mode or transparent proxy mode
Backend servers of Internet-facing Server Load Balancer (SLB) instances — using either CNAME record mode or transparent proxy mode
On-premises or other cloud servers — using CNAME record mode
Note: WAF protects resources by domain name. Add domain names to WAF — IP addresses cannot be added directly.
Features
Web application protection
WAF defends against common OWASP attack types:
SQL injection
Cross-site scripting (XSS)
Webshell uploads and backdoor attacks
Command injection
Cross-site request forgery (CSRF)
Path traversals
Unauthorized access to core files
Illegal HTTP requests and common web server vulnerabilities
Website scanning
WAF also deploys protection rules for newly disclosed zero-day vulnerabilities at the earliest opportunity, so your applications stay protected even before official vendor patches are available.
Monitoring mode: Enable monitoring mode to observe traffic on new services without blocking. WAF sends alerts when suspicious traffic matches a protection rule, but does not block it — useful when tuning rules to reduce false positives.
Precise protection
WAF's detection engine parses and decodes request data before inspecting it:
Format parsing: HTTP headers, form data, multipart, JSON, and XML
Decoding: URL encoding, JavaScript Unicode, HEX, HTML entity, Java serialization, PHP serialization, Base64, UTF-7, UTF-8, and nested encoding
Preprocessing: Space compression, comment pruning, and special character normalization
Adaptive decoding prevents attackers from bypassing WAF by encoding payloads in unusual formats.
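As an added illustration, not Alibaba Cloud's engine code, the following Python normalizer applies a subset of the decoders listed above repeatedly until the value stops changing, then prunes comments and compresses whitespace before matching a deliberately narrow, constructed signature; the signature, decoder subset and sample inputs are assumptions for demonstration only.

```python
import base64
import html
import re
from urllib.parse import unquote

# Constructed, deliberately narrow signature used only to show why decoding
# must happen before matching; real WAF rule sets are far broader than this.
SIGNATURE = re.compile(r"\bunion\b\s+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+",
                       re.IGNORECASE)

def decode_once(value: str) -> str:
    """One round of decoders from the list above: URL, HTML entity,
    JavaScript \\uXXXX, hex \\xXX and Base64 (assumed subset)."""
    out = unquote(value)                          # %27 -> '
    out = html.unescape(out)                      # &#39; -> '
    out = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), out)
    out = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), out)
    # Base64 is only applied to a whole token that decodes to printable text;
    # decoding more aggressively is where normalizers produce false positives.
    if re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", out):
        try:
            cand = base64.b64decode(out, validate=True).decode("ascii")
            if cand.isprintable():
                out = cand
        except (ValueError, UnicodeDecodeError):
            pass
    return out

def normalize(value: str, max_rounds: int = 5) -> str:
    """Adaptive decoding: repeat until the value stops changing (nested
    encodings) or the round budget runs out, then prune SQL comments and
    compress whitespace as the preprocessing step describes."""
    current = value
    for _ in range(max_rounds):
        nxt = decode_once(current)
        if nxt == current:
            break
        current = nxt
    current = re.sub(r"/\*.*?\*/", " ", current, flags=re.DOTALL)  # comment pruning
    return re.sub(r"\s+", " ", current).strip()                    # space compression

def is_malicious(raw: str, decode: bool = True) -> bool:
    """Match the signature against the raw or the normalized parameter value."""
    value = normalize(raw) if decode else raw
    return SIGNATURE.search(value) is not None
```

Running the same double-URL-encoded or Base64-wrapped value through `is_malicious` with `decode=False` shows the miss that adaptive decoding exists to prevent.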
HTTP flood protection
WAF limits request rates from specific IP addresses using CAPTCHA verification and redirect-based authentication. For slow HTTP attacks, WAF analyzes statistical signals — status code distribution, requested URL patterns, anomalous HTTP Referer headers, and User-Agent characteristics — to distinguish legitimate traffic from attacks.
Alibaba Cloud's big data security platform feeds threat intelligence and trusted-access models into WAF, enabling it to identify malicious requests across hundreds of millions of daily attacks.
Fine-grained access control
Build protection rules based on combinations of HTTP fields: IP address, URL, HTTP Referer, and User-Agent. Use these rules for scenarios such as hotlink protection and website backend access control.
Fine-grained access control works alongside the web application protection and HTTP flood protection modules, forming a multi-layer architecture that separates trusted traffic from malicious traffic with high precision.
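An added example of the field-combination rules this section describes, written for this page in Python rather than in Alibaba Cloud's own rule syntax: one constructed rule implements hotlink protection from URL and Referer, the other restricts a backend path using IP, URL and User-Agent together; the site hostnames, trusted network and sample requests are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlparse

@dataclass
class Request:
    ip: str                 # the four HTTP fields the rules may combine
    url: str
    referer: str = ""
    user_agent: str = ""

@dataclass
class Rule:
    name: str
    action: str             # "block" or "allow"
    condition: Callable[[Request], bool]

# Assumed values: the protected site's hostnames and its admin network.
SITE_HOSTS = {"www.example.com", "example.com"}
ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def hotlinked_image(req: Request) -> bool:
    """Hotlink protection (URL + Referer): an image fetched with a Referer
    from another site; requests that carry no Referer are left alone."""
    if not urlparse(req.url).path.startswith("/images/"):
        return False
    if not req.referer:
        return False
    return urlparse(req.referer).hostname not in SITE_HOSTS

def backend_from_untrusted_ip(req: Request) -> bool:
    """Backend access control (URL + IP + User-Agent): the admin path is
    reachable only from the trusted network and never with an empty UA."""
    if not urlparse(req.url).path.startswith("/admin/"):
        return False
    trusted = any(ipaddress.ip_address(req.ip) in n for n in ADMIN_NETWORKS)
    return not trusted or req.user_agent == ""

RULES = [
    Rule("hotlink-protection", "block", hotlinked_image),
    Rule("backend-access-control", "block", backend_from_untrusted_ip),
]

def evaluate(req: Request, rules=RULES) -> tuple:
    """First matching rule decides; the default is to forward the request."""
    for rule in rules:
        if rule.condition(req):
            return rule.action, rule.name
    return "allow", None
```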
Virtual patching
Adjust WAF protection rules immediately when a new vulnerability is disclosed — before the affected software is patched. This closes the window between disclosure and patch deployment without requiring application changes.
Attack event management
Review attack events, attack traffic volumes, and attack scales through the WAF console. Use this data to tune protection rules and understand your threat landscape.
Reliability and scalability
WAF runs in cluster mode with built-in load balancing and multiple scheduling algorithms. Scale capacity by adding or removing nodes without service interruption. If a WAF node fails or undergoes maintenance, the cluster continues to handle traffic — no single point of failure (SPOF).
Benefits
10+ years of security expertise: WAF is built on more than 10 years of web security experience within the Alibaba Group, providing the same protection used by Tmall, Taobao, Alipay, and other high-traffic applications.
Proven at scale: WAF defends against hundreds of millions of attacks every day, backed by a continuously updated IP address library and big data security analytics.
Fast setup: Activate and configure WAF within 5 minutes. No software or hardware installation required — no routing configuration changes needed.
High availability: Protection clusters eliminate single points of failure and provide redundancy.
Use cases
WAF is suitable for any user — inside or outside Alibaba Cloud — running web applications that need protection. Common industries include finance, e-commerce, online-to-offline (O2O), Internet Plus, gaming, public services, and insurance.
Set up WAF
After purchasing a WAF instance, add your website's domain name using one of two modes:
CNAME record mode
Works for origin servers on Alibaba Cloud or on-premises. Change your domain's DNS record to point to WAF's CNAME address — WAF then intercepts and inspects all incoming traffic. For setup steps, see Add a domain name to WAF.
Transparent proxy mode
Available for ECS instances and backend servers of Internet-facing SLB instances. Based on cloud-native technologies, transparent proxy mode requires no DNS changes — traffic is automatically routed through WAF. For setup steps, see Transparent proxy mode.
Compliance certifications
WAF has passed the following certifications: ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 29151, BS 10012, Cloud Security Alliance (CSA) STAR certification, Cybersecurity in China Multi-level Protection Scheme (MLPS 2.0) Level III, Service Organization Control (SOC) 1, SOC 2, SOC 3, Cloud Computing Compliance Controls Catalog (C5), Green Finance Certification Scheme developed by Hong Kong Quality Assurance Agency (HKQAA), Outsourced Service Provider's Audit Report (OSPAR), and Payment Card Industry Data Security Standard (PCI DSS).