A website whitelist in Web Application Firewall (WAF) exempts trusted requests from all protection modules. Whitelisted requests bypass every enabled module and reach the origin server directly. Common use cases include internal vulnerability scanner scans and authenticated third-party API calls.
Prerequisites
Before you begin, ensure that you have:
A purchased WAF instance
A website added to WAF. For more information, see Quick start.
Website whitelist vs. module-specific whitelists
By default, all enabled protection modules inspect every access request to a protected website. A website whitelist bypasses all protection modules at once. For finer control, use a module-specific whitelist to bypass only the relevant modules:
Web intrusion prevention whitelist: Bypasses the Protection Rule Engine.
Data security whitelist: Bypasses the Data Leakage Prevention, Webpage Tamper Protection, and Account Security modules.
Bot management whitelist: Bypasses the Bot Threat Intelligence, Data Risk Control, Identification of Typical Bot Behavior, and App Protection modules.
Access control/throttling whitelist: Bypasses the HTTP Flood Protection, IP Blacklist, Scan Protection, and Custom Protection Policy modules.
Module-specific whitelists follow the principle of least privilege and offer higher security than broad website-wide whitelists. Configure granular rules whenever possible.
Create a website whitelist rule
Log on to the WAF console.
In the top navigation bar, select the resource group and the region (Chinese Mainland or Outside Chinese Mainland) of the WAF instance.
In the left navigation pane, choose Protection Configurations > Website Protection.
In the upper part of the Website Protection page, select your target domain name from the Switch Domain Name drop-down list.

In the upper-right corner of the page, click Website Whitelist.
On the Website Whitelist page, click Create.
In the Create Rule dialog box, configure the following parameters.
Rule Name: Enter a name for the rule.
Match Condition: Define the conditions that trigger the whitelist. Click Add Condition to add up to five conditions. If you specify multiple conditions, a request matches the rule only when all conditions are met (AND logic). For more information, see Fields in match conditions.
Click Save.
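The following local model is an added example, not WAF's own code or API. It shows how AND-matched conditions and the whitelist scope together decide which protection modules still inspect a request, so a planned rule can be reviewed for least privilege before it is saved. The field names (ip, uri), the operators, the scope keys and the sample addresses are assumptions made for illustration; the module names and the five-condition limit come from this page.

```python
from ipaddress import ip_address, ip_network

# Module groups as listed on this page, keyed by the whitelist that bypasses them.
SCOPES = {
    "web_intrusion": {"Protection Rule Engine"},
    "data_security": {"Data Leakage Prevention", "Webpage Tamper Protection",
                      "Account Security"},
    "bot_management": {"Bot Threat Intelligence", "Data Risk Control",
                       "Identification of Typical Bot Behavior", "App Protection"},
    "access_control": {"HTTP Flood Protection", "IP Blacklist", "Scan Protection",
                       "Custom Protection Policy"},
}
ALL_MODULES = set().union(*SCOPES.values())
SCOPES["website"] = set(ALL_MODULES)  # a website whitelist bypasses every module

MAX_CONDITIONS = 5  # limit stated on this page

# Hypothetical operators; the real list is in "Fields in match conditions".
OPS = {
    "in_cidr": lambda value, arg: ip_address(value) in ip_network(arg),
    "prefix": lambda value, arg: value.startswith(arg),
    "equals": lambda value, arg: value == arg,
}

def matches(rule, request):
    """AND logic: every condition must hold; a missing field never matches."""
    conds = rule["conditions"]
    # Rejecting an empty rule is this model's assumption; it would match everything.
    if not conds or len(conds) > MAX_CONDITIONS:
        raise ValueError("a rule needs between one and five conditions")
    return all(field in request and OPS[op](request[field], arg)
               for field, op, arg in conds)

def inspecting_modules(rules, request):
    """Return the modules that still inspect the request after whitelisting."""
    bypassed = set()
    for rule in rules:
        if matches(rule, request):
            bypassed |= SCOPES[rule["scope"]]
    return ALL_MODULES - bypassed

# Constructed sample: the same internal scanner exempted two different ways.
SCANNER = [("ip", "in_cidr", "10.20.0.0/28"), ("uri", "prefix", "/app/")]
BROAD = [{"scope": "website", "conditions": SCANNER}]
NARROW = [{"scope": "access_control", "conditions": SCANNER}]
scan = {"ip": "10.20.0.5", "uri": "/app/login"}
other = {"ip": "10.20.0.5", "uri": "/admin/"}  # fails the uri condition

if __name__ == "__main__":
    print(sorted(inspecting_modules(BROAD, scan)))   # nothing left inspecting
    print(sorted(inspecting_modules(NARROW, scan)))  # eight modules still active
```

With the website-wide rule, the scanner's traffic reaches the origin uninspected; with the access control/throttling rule, the Protection Rule Engine and the data security and bot management modules still inspect it.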
Manage whitelist rules
After a rule is created, it takes effect automatically and appears in the rule list. You can disable, edit, or delete the rule as needed.