After a website is deployed with Alibaba Cloud WAF, WAF helps inspect the web traffic and block common web attacks (such as SQL injection and XSS) and HTTP flood attacks, based on the default protection settings. You can enable more protection functions and configure their policies according to your actual business situation.


  1. Log on to the Alibaba Cloud WAF console.
  2. At the top of the page, select the region: Mainland China or International.
  3. On the Management > Website Configuration page, select the domain name to be configured and click Policies.
  4. Enable or disable the WAF protection functions and manage their protection rules.
    Note: Different subscription plans offer different functions. Not all of the following functions are included in your subscription. For more information, see WAF subscription plans.
    • HTTP ACL Policy: When enabled, it lets you create web access control rules to filter web requests based on conditions such as the IP addresses that requests originate from, the requested URL, and other common HTTP request header fields. For more information, see HTTP ACL Policy.
    • Web Application Protection: Enabled by default. It protects your website against common web attacks such as SQL injections and allows you to configure the strictness of the inspection and determine whether to block malicious requests. For more information, see Web application protection.
    • HTTP Flood Protection: Enabled by default. It protects your website against HTTP flood attacks and allows you to configure the strictness of the inspection. With the Business or Enterprise subscription, you can also create rate-based rules to limit the number of requests per specified time interval. The rate-based rule can count the requests received from a specific IP address per specified time interval. If the number of requests exceeds the limit, the rule triggers the specified action. For more information, see HTTP flood protection and Custom HTTP flood protection rules.
    • New Intelligent Protection Engine: When enabled, it automatically performs semantic analysis on web requests to discover malicious attacks that use obfuscation or variations to disguise or hide themselves. For more information, see New intelligent protection engine.
    • Malicious IP Penalty: When enabled, it automatically blocks requests originating from IP addresses that start multiple attacks in a short time. For more information, see Malicious IP penalty.
    • Blocked Region: When enabled, it lets you block requests originating from a specified geolocation, which currently can be a Chinese province or a non-China region. For more information, see Blocked region.
    • Data Risk Control: When enabled, it redirects suspicious users to an additional security verification page for your key business interfaces such as registration, login, activities, and forums, to prevent machine fraud. It helps you protect against zombie accounts, hacked accounts, vote cheating, and spam messages. For more information, see Data risk control.
    • Website Tamper-proofing: When enabled, it lets you lock the specified web pages to prevent the original content from being tampered with. When a locked web page is requested, the server returns the cached page you specify. For more information, see Website tamper-proofing.
    • Data Leakage Prevention: When enabled, it lets you create sensitive data filtering rules to mask ID card numbers, credit card numbers, telephone numbers, and default sensitive words in your returned web content, and to block web pages with the specified request code. For more information, see Data leakage prevention.
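The rate-based rule described under HTTP Flood Protection can be tuned offline before it is enabled by replaying an access log against candidate limits. The following is an added example, not Alibaba Cloud code: the log format, the function and parameter names, the URL-prefix scoping, and the sliding-window counting are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, one request per line: "<ISO timestamp> <client IP> <method> <path>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 POST /login
2024-01-01T10:00:01 203.0.113.7 POST /login
2024-01-01T10:00:01 198.51.100.4 GET /index.html
2024-01-01T10:00:02 203.0.113.7 POST /login
2024-01-01T10:00:03 203.0.113.7 POST /login
2024-01-01T10:00:20 198.51.100.4 GET /login
2024-01-01T10:00:40 198.51.100.4 POST /login
2024-01-01T10:01:30 203.0.113.7 POST /login
"""

def parse(log_text):
    """Yield (timestamp, ip, path) per request, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[3]
        except ValueError:
            continue

def simulate_rate_rule(log_text, url_prefix, interval_s, limit, action="block"):
    """Replay a time-ordered log against one hypothetical rate-based rule.

    Returns (timestamp, ip, action) for every request that takes an IP past
    `limit` requests to `url_prefix` within `interval_s` seconds.
    Sliding-window counting is an assumption; the WAF may count differently.
    """
    if interval_s <= 0 or limit < 0:
        raise ValueError("interval_s must be > 0 and limit >= 0")
    windows = defaultdict(deque)  # ip -> request timestamps still inside the window
    triggered = []
    for ts, ip, path in parse(log_text):
        if not path.startswith(url_prefix):
            continue
        win = windows[ip]
        win.append(ts)
        # Drop requests that have aged out of the counting interval.
        while (ts - win[0]).total_seconds() >= interval_s:
            win.popleft()
        if len(win) > limit:
            triggered.append((ts.isoformat(), ip, action))
    return triggered
```

Running several candidate limits over a day of normal traffic shows which legitimate clients (for example, users behind a shared NAT address) would trip the rule before it is enforced.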