This topic describes the best practices for Web application protection based on WAF. The following aspects are covered: scenarios, protection policies, protection effects, and rule updates.
By default, Web Application Protection is enabled and the Normal protection policy is applied. The parameters are as follows:
- Enabled indicates that Web Application Protection is enabled.
- Disabled indicates that Web Application Protection is disabled.
- Mode: Two modes are provided: Protection and Warning.
  - Protection: WAF automatically blocks malicious requests and logs attacks when the application is under attack.
  - Warning: WAF does not block malicious requests but logs attacks when the application is under attack.
- Protection Policy: Three protection policies are available when the Protection mode is selected: Loose, Normal, and Strict.
  - Loose: This policy only blocks requests that display typical attack patterns.
  - Normal: This policy blocks requests that display common attack patterns.
  - Strict: This policy blocks crafted requests that display specific types of attack patterns.
- If you are not clear about your website's traffic patterns, we recommend that you use the Warning mode first. You can observe the traffic flow for one or two weeks and then analyze the attack log.
- If you do not find any record indicating that normal requests are blocked, you can switch to the Protection mode to enable further protection.
- If normal requests are found in the attack log, contact customer service to resolve the issue.
- If you add the domains of phpMyAdmin or technical forums to WAF, normal requests may be mistakenly blocked. We recommend that you contact customer service to resolve the issue.
- Note the following points when operating your website:
  - Do not use special keywords, such as UPDATE and SET, to define the path in URLs, such as
  - If file uploads are required, restrict the maximum file size to 50 MB. We recommend that you use OSS or other methods to upload files exceeding the size limit.
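The review of the Warning-mode attack log described above can be partly automated. The following is an added example, not code from the WAF product or its documentation: it summarises constructed JSON-lines log records by rule and target, and flags hits that are more likely caused by URL design (SQL keywords such as `set` or `update` used as path segments, or phpMyAdmin paths) than by a real attack, so they can be reviewed before switching to the Protection mode. The field names `host`, `url`, `action` and `rule` are assumptions for this example, not the WAF's actual log schema.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of Warning-mode attack-log records (JSON lines).
# The field names (host, url, action, rule) are assumptions for this example,
# not the WAF's documented log schema.
SAMPLE_LOG = """\
{"host":"shop.example.com","url":"/api/order?id=1%20OR%201=1","action":"warn","rule":"sqli"}
{"host":"shop.example.com","url":"/admin/set/update-profile","action":"warn","rule":"sqli"}
{"host":"forum.example.com","url":"/post?body=%3Cscript%3E","action":"warn","rule":"xss"}
{"host":"shop.example.com","url":"/admin/set/update-profile","action":"warn","rule":"sqli"}
{"host":"pma.example.com","url":"/phpmyadmin/sql.php","action":"warn","rule":"sqli"}
"""

# Path segments named after SQL keywords tend to trigger the SQL-injection rule
# even when the request is legitimate (see the operational notes above).
SQL_KEYWORD_SEGMENTS = {"update", "set", "select", "insert", "delete"}


def looks_like_false_positive(host: str, path: str) -> bool:
    """Heuristic: flag hits whose URL design, not their payload, explains the match."""
    segments = {s.lower() for s in path.split("/") if s}
    if segments & SQL_KEYWORD_SEGMENTS:
        return True
    return "phpmyadmin" in path.lower()


def analyze_warning_log(log_text: str) -> dict:
    """Summarise Warning-mode hits and list the ones to review before enabling Protection mode."""
    by_rule = Counter()
    by_target = Counter()
    suspected = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        path = urlsplit(rec["url"]).path  # drop the query string; group by host + path
        target = (rec["host"], path)
        by_rule[rec["rule"]] += 1
        by_target[target] += 1
        if looks_like_false_positive(rec["host"], path):
            suspected[target] += 1
    return {
        "hits_by_rule": dict(by_rule),
        "hits_by_target": dict(by_target),
        "review_before_protection_mode": sorted(suspected.items()),
    }


print(analyze_warning_log(SAMPLE_LOG))
```

Targets listed under `review_before_protection_mode` are the ones to check against normal traffic (and, where confirmed, to raise with customer service) before enabling the Protection mode; targets that appear only under `hits_by_target` are ordinary attack hits.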
After Web Application Protection is enabled, do not disable the All Requests option in the default rule of HTTP ACL Policy, as shown in the following figure:
When new vulnerabilities are discovered, WAF updates protection rules and releases security bulletins in a timely manner.