The data leakage prevention function allows Web Application Firewall (WAF) to comply with China’s Cyber Security Law that stipulates that “network operators should take technical measures and other necessary measures to guarantee the security of personal information they collect and prevent information leaks, damages, and loss. In the event of, or possible occurrence of, any personal information leaks, damages, or loss, the network operators involved shall immediately take remedial measures, notify users in a timely manner, and report the case to competent authorities in accordance with the provisions.”

Function description

The data leakage prevention function provides desensitization and warning measures for sensitive information leaks on websites (especially mobile phone numbers, ID card numbers, and credit card information) and the leakage of sensitive keywords. It also allows you to block specified HTTP status codes.

You must upgrade WAF to the Business or Enterprise edition to use this function. For more information, see Renewal and upgrade.

Common information leak situations faced by websites include:
  • Unauthorized access to a URL, such as unauthorized access to the website's administration back end.
  • Broken access control vulnerabilities, such as horizontal privilege escalation (accessing another user's data at the same permission level) and vertical privilege escalation (accessing functions reserved for higher permission levels).
  • Sensitive information crawled by malicious crawlers on webpages.
The data leakage prevention function can do the following tasks for you:
  • Detects and identifies private and sensitive data generated on the webpage and offers protection measures, such as early warnings and the shielding of sensitive information, to avoid website operation data leaks. This sensitive and private data includes, but is not limited to, ID card numbers, mobile phone numbers, and bank card numbers.
  • Supports one-click blocking of sensitive server information that may expose the web application software, operating systems, and versions used by the website to avoid leaks of sensitive server information.
  • Using a built-in illegal and sensitive keyword library, the function provides warnings, illegal keyword shielding, and other protective measures to deal with illegal and sensitive keywords that appear on webpages.

How it works

The data leakage prevention function detects if response pages have ID card numbers, mobile phone numbers, bank card numbers, and other types of sensitive information. If it discovers a sensitive information match, it sends a warning or filters the sensitive information based on the action configured for the matching rule. When sensitive information is filtered, the sensitive portion of the information is replaced by asterisks (*) to protect it.

The data leakage prevention function inspects responses whose Content-Type is text/*, image/*, or application/*, and covers web clients, mobile app clients, and API endpoints.
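The detection and masking behaviour described above, as an added example that is not Alibaba Cloud WAF's own code: a response filter that recognises PRC ID card numbers (validated by their ISO 7064 MOD 11-2 check character), bank card numbers (validated with the Luhn check) and mobile phone numbers, masks the middle of each match with asterisks, and skips Content-Types the function does not inspect. The patterns, the number of digits kept at each end, and the sample values are assumptions.

```python
import re

# Added example, not Alibaba Cloud WAF's own code: a response filter that mirrors
# the behaviour described above. Patterns and masking widths are assumptions.
ID_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
ID_CHECK = "10X98765432"  # ISO 7064 MOD 11-2 check characters for remainders 0..10

def valid_id_card(s: str) -> bool:
    """Validate an 18-character PRC ID number by its check character."""
    if not re.fullmatch(r"\d{17}[0-9X]", s):
        return False
    total = sum(int(c) * w for c, w in zip(s[:17], ID_WEIGHTS))
    return ID_CHECK[total % 11] == s[17]

def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# (name, pattern, validator, digits kept at head, digits kept at tail).
# Order matters: an 18-digit ID is checked before the 16-19 digit card pattern.
DETECTORS = [
    ("id_card", r"\d{17}[0-9Xx]", lambda s: valid_id_card(s.upper()), 6, 4),
    ("bank_card", r"\d{16,19}", luhn_ok, 6, 4),
    ("mobile", r"1[3-9]\d{9}", lambda s: True, 3, 4),
]

def mask(value: str, head: int, tail: int) -> str:
    return value[:head] + "*" * (len(value) - head - tail) + value[-tail:]

def filter_response(content_type: str, body: str, fields) -> tuple[str, dict[str, int]]:
    """Mask configured field types in a response body; return new body and hit counts."""
    hits: dict[str, int] = {}
    # Only the Content-Types the function inspects are touched.
    if not re.match(r"(text|image|application)/", content_type):
        return body, hits
    for name, pat, check, head, tail in DETECTORS:
        if name not in fields:
            continue
        def repl(m, check=check, head=head, tail=tail, name=name):
            v = m.group(0)
            if not check(v):          # e.g. bad checksum: leave untouched
                return v
            hits[name] = hits.get(name, 0) + 1
            return mask(v, head, tail)
        # Digit lookarounds stop a longer number (an order ID) from matching in part.
        body = re.sub(r"(?<!\d)" + pat + r"(?!\d)", repl, body)
    return body, hits
```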

Procedure

Follow these steps to enable and configure Data Leakage Prevention:
Note Make sure that you have added your domain to the WAF protection list before proceeding with the following operations. For more information, see CNAME access guide.
  1. Log on to the Web Application Firewall console.
  2. Go to the Management > Website Configuration page, and select the region of your WAF instance (Mainland China or International).
  3. Select the domain to be configured, and click Policies.
  4. Enable the Data Leak Prevention function and click Settings.

  5. Click Add Rule to add a sensitive information protection rule.
    Note In the Add Rule dialog box, you can click and to add more URL matching conditions.
    • Sensitive information masking: For webpages that may display mobile phone numbers, ID card numbers, and other sensitive information, configure the relevant rules to mask this information or provide warnings. For example, you can set the following protection rule to protect mobile phone numbers and ID card numbers by data masking.

      After setting this protection rule, mobile phone and ID card numbers displayed on all webpages in this website are automatically desensitized.

      Note When a webpage has business contact phone numbers, support hotline numbers, and other mobile phone numbers that are to be provided to the public, these may also be filtered out by the configured mobile phone number sensitive information filtering rule.
    • Status code blocking: You can set rules to block or warn of specific HTTP response status codes to avoid leaking sensitive server information. For example, you can set the following protection rule to block HTTP 404 status codes.

      After setting this protection rule, when users request a page that does not exist under this website, the specified page is returned.

    • Filter sensitive information of specified URLs: For specified webpage URLs that may display mobile phone numbers, ID card numbers, and other sensitive information, configure the relevant rules to filter this information or provide warnings. For example, you can set the following protection rule to filter ID card numbers on the webpage admin.php.

      After setting this protection rule, ID card numbers are desensitized on the admin.php webpage.

  6. For an added rule, you can also Edit or Delete it.
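The three rule kinds configured in steps 5 and 6, as an added example that is not Alibaba Cloud WAF's code: a small rule engine that applies masking rules to every page or only to a specified URL such as admin.php, returns a substitute page for a blocked status code such as 404, and records a warning instead of filtering when a rule's action is warn. The rule fields, the substitute page text and the simplified patterns are assumptions.

```python
import re
from dataclasses import dataclass
# Added example, not Alibaba Cloud WAF's code: a small rule engine modelled on the
# three rule kinds above. Rule fields, the substitute page and patterns are assumptions.
@dataclass
class Rule:
    kind: str                 # "mask" (sensitive information) or "status" (status code)
    action: str = "filter"    # "filter" masks or blocks; "warn" only records a warning
    url: str = "*"            # "*" applies to every page, otherwise an exact path
    fields: tuple = ()        # data types for "mask" rules, e.g. ("mobile", "id_card")
    codes: tuple = ()         # HTTP response status codes for "status" rules

@dataclass
class Response:
    url: str
    status: int
    body: str

# Constructed patterns: groups 1 and 3 are kept, group 2 is replaced by asterisks.
PATTERNS = {
    "mobile": re.compile(r"(?<!\d)(1[3-9]\d)(\d{4})(\d{4})(?!\d)"),
    "id_card": re.compile(r"(?<!\d)(\d{6})(\d{8})(\d{3}[0-9Xx])(?!\d)"),
}
BLOCK_PAGE = "<html><body>The requested page is unavailable.</body></html>"  # constructed
def applies(rule: Rule, url: str) -> bool:
    return rule.url == "*" or rule.url == url
def apply_rules(rules: list, resp: Response) -> tuple:
    """Return (response to send, list of warnings) for one upstream response."""
    warnings = []
    # Status-code rules are evaluated first: a blocked status never reaches the client.
    for r in rules:
        if r.kind == "status" and applies(r, resp.url) and resp.status in r.codes:
            if r.action == "warn":
                warnings.append(f"status {resp.status} returned for {resp.url}")
            else:
                return Response(resp.url, resp.status, BLOCK_PAGE), warnings
    body = resp.body
    for r in rules:
        if r.kind != "mask" or not applies(r, resp.url):
            continue
        for f in r.fields:
            pat = PATTERNS[f]
            n = len(pat.findall(body))
            if n and r.action == "warn":
                warnings.append(f"{n} {f} value(s) found on {resp.url}")
            elif n:
                body = pat.sub(lambda m: m.group(1) + "*" * len(m.group(2)) + m.group(3), body)
    return Response(resp.url, resp.status, body), warnings
```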

After enabling the Data Leak Prevention function, you can log on to the Web Application Firewall console, and go to the Reports > Attack Protection page to view protection reports. This report allows you to query logs of access requests filtered out or blocked by data leakage prevention rules.