All Products
Search
Document Center

Elastic Compute Service:Protect web applications with WAF and RASP

Last Updated:May 28, 2026

Deploy WAF at the network perimeter and RASP inside the application runtime for layered defense against web attacks.

Alibaba Cloud provides two layers of defense:

  • Web Application Firewall (WAF) — filters malicious traffic at the network perimeter.

  • Runtime Application Self-Protection (RASP) — detects attacks from inside the application runtime.

Deploy both together for defense in depth.

Common web application threats

Web applications that accept user input are potential targets. Attackers exploit weaknesses such as improper parameter validation and dynamic code execution.

Threat

Description

SQL injection

Malicious SQL code in input fields executes unauthorized database operations to steal, modify, or delete data.

Cross-site scripting (XSS)

Malicious scripts injected into webpages run in other users' browsers, causing session hijacking and data leaks.

Webshell uploads

Attackers exploit file upload vulnerabilities to place a webshell on the server, gaining remote control.

Command injection

OS commands injected through application inputs execute arbitrary commands on the server.

Path traversal

Manipulated file path references access files and directories outside the intended scope.

File inclusion

Local or remote file inclusion forces the application to load and execute unintended files.

Cross-site request forgery (CSRF)

Tricks authenticated users into submitting unintended requests that perform actions without their knowledge.

Defense architecture: WAF + RASP

WAF and RASP protect at different layers. Together, they cover threats that neither handles alone.

Layer

Technology

How it works

Protects against

Network perimeter (first line of defense)

WAF

Inspects HTTP/HTTPS requests and responses before they reach the application. Uses updated rules and AI-powered analysis to block known attack patterns.

SQL injection, XSS, known exploit signatures, malicious request patterns

Application runtime (second line of defense)

RASP

Embeds inside the application runtime (such as a JVM). Hooks key functions to monitor actual application behavior.

Zero-day vulnerabilities, encrypted traffic attacks, in-memory webshells, attacks that bypass network-level detection

First line of defense: WAF

WAF inspects all incoming HTTP/HTTPS traffic. Its continuously updated rules and AI-powered analysis block known attack patterns before requests reach backend servers.

Purchase a WAF edition

Select a WAF edition based on your website scale and traffic volume.

Edition

Use case

Pro

Small to medium websites with no special security requirements

Business

Internet-facing enterprise websites with high security requirements

Enterprise

Large enterprise websites with high traffic or custom security requirements

See WAF plans and editions for a detailed comparison.

Connect the website to WAF

WAF 3.0 supports three connection types.

Connection type

How it works

Best for

Setup guide

CNAME record mode

Point the domain DNS record to the WAF CNAME address. All public traffic routes through WAF before reaching the server.

Any origin server reachable over the Internet, on Alibaba Cloud, other clouds, or on-premises.

Add a website using a CNAME record

Cloud native mode

Integrates Alibaba Cloud services directly with WAF. No DNS changes required.

Alibaba Cloud services: ECS, ALB, CLB, NLB, API Gateway (APIG), Microservices Engine (MSE), Function Compute (FC), and Serverless App Engine (SAE).

Add an ECS instance

Hybrid cloud

Deploy the WAF SDK plugin on a self-built gateway such as Nginx or APISIX. Traffic is copied to a WAF cluster in bypass mode for detection without forwarding.

Hybrid cloud deployments with on-premises web servers.

--

Note: CNAME record mode works for any origin server regardless of hosting location. Cloud native mode provides the simplest setup for Alibaba Cloud services. Use hybrid cloud mode when traffic cannot be rerouted through an external WAF cluster.

Second line of defense: RASP

WAF filters traffic at the network perimeter, but some attacks evade network-level detection. Encrypted traffic, zero-day exploits, and payloads designed to bypass signature-based rules can pass through undetected.

RASP embeds directly into the application runtime -- for example, as a JVM probe -- and hooks key functions to monitor execution behavior. When a request triggers a database query, RASP analyzes the actual SQL statement, not just the network request. This runtime context makes RASP effective against threats that WAF cannot catch alone.

What RASP catches that WAF may miss

Threat

Why WAF may miss it

How RASP detects it

Zero-day vulnerabilities

No matching signature in the rule library.

Monitors runtime behavior for anomalous function calls regardless of the exploit used.

Encrypted traffic attacks

Cannot inspect end-to-end encrypted payloads.

Operates after decryption, seeing the actual data processed.

In-memory webshells

No file written to disk, so file-based detection fails.

Hooks memory operations and function calls to detect malicious code in memory.

Deserialization attacks

Malicious payloads in serialized objects may not match WAF signatures.

Monitors deserialization functions and blocks execution of unexpected code.

Deploy RASP

Enable RASP through Security Center application protection. RASP deploys as a probe or module in the application runtime. See Connect to application protection.

WAF and RASP comparison

WAF

RASP

Protection layer

Network perimeter

Application runtime

Detection method

Rule-based and AI-powered inspection of HTTP/HTTPS traffic

Runtime behavior monitoring via function hooking

Deployment

External to the application (DNS change, cloud native integration, or SDK plugin)

Embedded in the application runtime (JVM probe)

Strength

Blocks known attack patterns before they reach the application

Catches zero-day exploits, encrypted traffic attacks, and in-memory threats

Limitation

Cannot detect attacks that bypass signature matching or hide in encrypted traffic

Only protects the application it is embedded in

Setup

WAF plans and editions

Connect to application protection

Deploy WAF to filter known attacks at the network perimeter, and add RASP to catch threats that evade network-level detection. Together, they provide layered protection from the network edge to the application runtime.