If this is your first time to add a domain name to Web Application Firewall (WAF), we recommend that you familiarize yourself with website protection. This topic describes how to select protection modules of WAF and configure protection policies for the modules, from the perspective of different roles, to meet business requirements in different scenarios. You can understand the protection logic of WAF.
Prerequisites
A website is added to WAF. For more information, see Add a domain name.
Before you begin
All the descriptions in this topic are based on the fact that you have enabled the recommended website protection features. If you have not enabled the features, enable and configure them based on the feature descriptions.
Unless otherwise specified, you can configure the recommended website protection features on the Website Protection page. To go to the Website Protection page, perform the following steps:
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the upper part of the Website Protection page, select the domain name for which you want to configure protection from the Switch Domain Name drop-down list.
Overview
This topic provides the recommended website protection features based on roles and business requirements. You can decide which features to enable based on your business requirements.
I am new to WAF. I am unsure of my security needs
You may have purchased a WAF instance based on a need for classified protection or the intention to improve the security level of your enterprise. In either case, you can add your website to WAF and then use the default protection configurations of WAF. The default protection configurations are sufficient to protect your website from most basic web threats.
We recommend that you go to the Overview and Security Report pages in the WAF console to understand the security situations of your business and the attacks it may face. For more information, see the following topics:
I am an O&M engineer. I need reliable services and convenient troubleshooting
We recommend that you enable the following website protection features after you add your website to WAF:
Website Whitelist: You can configure a whitelist to allow requests that meet the specified conditions without the need to perform a check.
Procedure: On the Website Protection page, click Website Whitelist in the upper-right corner. On the Website Whitelist page, create a whitelist. For more information, see Configure a website whitelist.
To implement more precise protection, you can also configure a whitelist for a specific protection module. For more information, see the following topics:
Whitelist for Web Intrusion Prevention: Trusted access requests are not detected by RegEx Protection Engine.
Whitelist for Data Security: Trusted access requests are not detected by Data Leakage Prevention, Website Tamper-proofing, or Account Security.
Whitelist for Bot Management: Trusted access requests are not detected by Bot Threat Intelligence, Data Risk Control, Intelligent Algorithm, or App Protection.
Whitelist for Access Control/Throttling: Trusted access requests are not detected by HTTP Flood Protection, IP Blacklist, Scan Protection, or Custom Protection Policy.
Blacklists: You can configure an IP address blacklist to block requests from IP addresses and CIDR blocks that are irrelevant to your business. You can also configure a region blacklist to block requests from IP addresses in specific regions. For example, if a local government forum allows access only from local IP addresses, you can add other regions to a region blacklist. If your website does not have users outside the Chinese mainland, you can add all regions outside the Chinese mainland to a region blacklist.
Procedure: On the Website Protection page, click the Access Control/Throttling tab. In the Blacklists card, configure the required parameters. For more information, see Configure a blacklist.
Custom Protection Policy: You can configure custom access control lists (ACLs) or throttling policies. For example, you can use this feature to allow access to an API operation only from specific IP addresses or user agents and configure an upper limit for specific types of requests. You can also use this feature to defend against HTTP flood attacks, crawler attacks, and some special web attacks.
Procedure: On the Website Protection page, click the Access Control/Throttling tab. In the Custom Protection Policy card, configure the required parameters. For more information, see Configure a custom protection policy.
Account Security: You can use this feature to monitor user authentication-related API operations, such as the operations used for registration and logon, to detect events that may pose threats to user credentials. The threats include dictionary attacks, brute-force attacks, spam user registration, weak password sniffing, and Short Message Service (SMS) flood attacks.
Procedure: On the Website Protection page, click the Web Security tab. Then, find the card and click Configure Now. For more information, see Configure account security.
I am a security engineer. I need to comprehensively prevent web intrusion
We recommend that you enable the following website protection features after you add your website to WAF:
Decoding Settings: You can specify supported decoding methods for the WAF engine based on your business coding scheme to maximize protection for your website. WAF identifies traffic based on the supported decoding methods. By default, WAF supports 13 decoding methods. You can deselect decoding methods to avoid unnecessary parsing and false blocking.
Procedure: On the Website Protection page, click the Web Security tab. Then, find the card and configure Decoding Settings. For more information, see Configure the protection rules engine feature.
Protection Rule Group: You can select protection rules from a built-in protection rule set based on the form, framework, and middleware of your business system. You can use the rules to customize a rule group to prevent web attacks and apply the rule group to your website. We recommend that you use this feature to configure policies to prevent web intrusion into your website. If you want to configure prevention policies for a single URL, we recommend that you use the Custom Protection Policy feature.
Procedure: Log on to the WAF console and choose in the left-side navigation pane. On the page that appears, configure a custom rule group for web attack prevention and apply the rule group to your website. For more information, see Customize protection rule groups.
Custom Protection Policy: You can configure custom access control lists (ACLs) or throttling policies. For example, you can use this feature to allow access to an API operation only from specific IP addresses or user agents and configure an upper limit for specific types of requests. You can also use this feature to defend against HTTP flood attacks, crawler attacks, and some special web attacks.
Procedure: On the Website Protection page, click the Access Control/Throttling tab. In the Custom Protection Policy card, configure the required parameters. For more information, see Configure a custom protection policy.
Positive Security Model (Warn mode): The positive security model is built based on the learning of traffic in the current domain name. The model specifies the types and lengths of request parameters and whether the parameters are required. If a request does not match the characteristics described in the model after the model is built, an alert is generated. In Warn mode, the positive security model allows you to effectively detect anomalies and threats to your business. If the detected requests are useless to your business, you can enable the Block mode.
Procedure: On the Website Protection page, click the Web Security tab. Then, find the card, turn on Status, and set Mode to Warn. For more information, see Configure the positive security model.
Scan Protection (High-frequency Web Attack Blocking, Directory Traversal Prevention, Scanner Blocking, and Collaborative Protection): You can use this feature to mitigate threats posed by scanners from multiple dimensions, such as intelligence, scanner characteristics, and scan behavior.
Procedure: On the Website Protection page, click the Access Control/Throttling tab. In the Scan Protection card, turn on all switches and specify appropriate thresholds. For more information, see Configure scan protection.
I want to achieve the strongest protection and radically block attacks
We recommend that you enable the following website protection features after you add your website to WAF:
Protection Rules Engine (Strict rule group)
Procedure: On the Website Protection page, click the Web Security tab. Then, find the card and set Protection Rule Group to Strict rule group. For more information, see Configure a custom protection policy.
Positive Security Model (Block mode): The positive security model is built based on the learning of traffic in the current domain name. The model specifies the types and lengths of request parameters and whether the parameters are required. If a request does not match the characteristics described in the model after the model is built, an alert is generated. To achieve the strongest protection, we recommend that you enable the Block mode.
Procedure: On the Website Protection page, click the Web Security tab. Then, find the card, turn on Status, and set Mode to Block. For more information, see Configure the positive security model.
Scan Protection (High-frequency Web Attack Blocking, Directory Traversal Prevention, Scanner Blocking, and Collaborative Protection): You can use this feature to mitigate threats posed by scanners from multiple dimensions, such as intelligence, scanner characteristics, and scan behavior.
Procedure: On the Website Protection page, click the Access Control/Throttling tab. In the Scan Protection card, turn on all switches and specify appropriate thresholds. For more information, see Configure scan protection.
Blacklists: You can configure an IP address blacklist to block requests from IP addresses and CIDR blocks that are irrelevant to your business. You can also configure a region blacklist to block requests from IP addresses in specific regions. For example, if a local government forum allows access only from local IP addresses, you can add other regions to a region blacklist. If your website does not have users outside the Chinese mainland, you can add all regions outside the Chinese mainland to a region blacklist.
Procedure: On the Website Protection page, click the Access Control/Throttling tab. In the Blacklists card, configure the required parameters. For more information, see Configure a blacklist.
My website is often crawled and is at risk of data breach and tampering
We recommend that you enable the following website protection features after you add your website to WAF:
Data Risk Control: This feature is best suited for defending against bot traffic that is generated by scripts or automated tools and destined for specific API operations for logon, registration, and order placing.
NoteData risk control depends on JavaScript plug-ins and is applicable only to web pages. Do not use this feature in applications.
Procedure: On the Website Protection page, click the Bot Management tab. In the Data Risk Control card, configure the required parameters. For more information, see Configure data risk control.
Data Leakage Prevention: You can use this feature to filter sensitive information in server-returned content, such as abnormal pages and keywords. The sensitive information includes ID numbers, bank card numbers, phone numbers, and sensitive words, and is displayed after masking.
Procedure: On the Website Protection page, click the Web Security tab. Then, find the card and configure the required parameters. For more information, see Configure data leakage prevention.
Website Tamper-proofing: You can use this feature to lock specific web pages to avoid content tampering. When a locked web page receives a request, a cached page that is preconfigured is returned.
Procedure: On the Website Protection page, click the Web Security tab. Then, find the card and configure the required parameters. For more information, see Configure the website tamper-proofing feature.
Custom Protection Policy: You can enable JavaScript verification for frequently-crawled static web pages to block most malicious scripts and automated programs. You can also enable slider verification for sessions in which access requests are initiated at an abnormally high frequency to implement fine-grained access control.
Procedure: On the Website Protection page, click the Access Control/Throttling tab. In the Custom Protection Policy card, configure the required parameters. For more information, see Configure a custom protection policy.
Account Security: You can use this feature to monitor user authentication-related API operations, such as the operations used for registration and logon, to detect events that may pose threats to user credentials. The threats include dictionary attacks, brute-force attacks, spam user registration, weak password sniffing, and Short Message Service (SMS) flood attacks.
Procedure: On the Website Protection page, click the Web Security tab. Then, find the card and click Configure Now. For more information, see Configure account security.
Authorized Crawler: You can use this feature to maintain a whitelist of authorized search engines, such as Google, Bing, Baidu, Sogou, and Yandex. The crawlers of these search engines are allowed to access your domain name.
Procedure: On the Website Protection page, click the Bot Management tab. In the Authorized Crawler card, configure the required parameters. For more information, see Configure the authorized crawler feature.
Bot Threat Intelligence: This feature provides information about suspicious IP addresses used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers. You can use this feature to prevent crawlers from accessing your website or specific directories.
Procedure: On the Website Protection page, click the Bot Management tab. In the Bot Threat Intelligence card, configure the required parameters. For more information, see Configure bot threat intelligence rules.
App Protection: This feature provides trusted communication and anti-bot protection for native apps, and can identify proxies, emulators, and requests with invalid signatures.
Procedure: On the Website Protection page, click the Bot Management tab. In the App Protection card, configure the required parameters. For more information, see Configure application protection.