All Products
Search
Document Center

Web Application Firewall:Account security best practices

Last Updated:Apr 23, 2026

WAF's account security feature helps you identify risks to user accounts. This topic provides recommendations to protect your account-related interfaces against different types of attacks and in various business scenarios.

Background

WAF supports account security detection. In addition to web attack protection, this feature identifies account security risks on business interfaces, such as registration and logon interfaces. These risks include credential stuffing, brute-force attack, spam registration, weak password sniffing, and SMS interface abuse. After configuring account security detection in WAF, you can view the detection results in security reports. For more information, see Configure account security.

CAPTCHA for web and H5

Enabling CAPTCHA for PC and H5 web pages is a simple and effective way to protect critical interfaces. Integrating a CAPTCHA service typically requires minor changes to your business code and takes one to two business days.

Basic CAPTCHA can effectively block direct API calls from simple scripts. However, as attackers evolve their methods and tools, standard CAPTCHAs are becoming easier to bypass. For stronger protection, we recommend using a professional CAPTCHA service.

SDK signature for native apps

For native apps where a CAPTCHA is unsuitable, Alibaba Cloud provides an SDK-based solution. The solution collects hardware and environment information from the mobile device and then signs and verifies requests. This process ensures that only requests from your official app are forwarded to the origin server, blocking requests from scripts, automated programs, emulators, or other unauthorized sources.

Note

You must enable the App Protection module in WAF to use the SDK solution. For more information, see App protection overview.

Multi-dimensional rate limiting

For attacks involving a high-frequency field in requests, such as an IP address, session, cookie, parameter, or header, you can use multi-dimensional rate limiting to block the attack source. For example, if an attack uses multiple proxy IPs but reuses the same logon cookie (such as a UID), you can set a rate limit based on the cookie. This shifts the protection from the IP address to the account level, which is more relevant to your business logic.

We recommend using the Rate Limiting feature in a Custom Protection Policy in WAF. The following figure shows a sample configuration. For more information, see Configure a custom protection policy.

Note

Only WAF Rate Limiting instances support using custom statistical objects for Rate Limiting, such as custom cookies, headers, and parameters, in addition to IP addresses and sessions.

cookie统计

Analyze abnormal request characteristics

You can identify most attacks by observing and analyzing the differences between malicious and legitimate requests.

  • Incomplete HTTP headers. For example, missing fields such as referer, cookie, or content-type.

  • Abnormal User-Agent values. For example, a high volume of requests to a standard website might use Java or Python User-Agent (UA) values, or requests to a WeChat Mini Program might use UAs from a desktop browser.

  • Incomplete cookies. A typical application uses multiple cookies with business-specific meanings, such as SessionID, userid, deviceid, and lastvisit. A bot may submit only the one or two cookies required to retrieve results, omitting others.

  • Abnormal parameter content. Similar to incomplete cookies, some parameters may not be necessary for a bot to retrieve results. Missing or duplicate parameters are also considered anomalies.

  • Abnormal business fields. For example, email addresses, phone numbers, or account information containing unusual or illogical keywords.

We recommend that you use the WAF Log Service to query logs. This allows you to quickly analyze request characteristics, such as top IP rankings and the proportion of a specific characteristic in the overall traffic.

Note

You must enable the Log Service module in WAF to use the log service. For more information, see Quick start for WAF log service.

Bot threat intelligence

The Bot Management module in WAF uses algorithms to maintain a dynamic threat intelligence database of malicious IP addresses involved in credential stuffing attacks across the Alibaba Cloud network. The Bot Threat Intelligence feature lets you detect these IP addresses in monitor mode or to apply actions such as blocking or slider verification. For more information, see Configure bot threat intelligence rules.

Note

You must enable the Bot Management module in WAF to use the Bot Threat Intelligence feature.

威胁情报