All Products
Document Center

Web Application Firewall:Configure a website whitelist

Last Updated:Sep 15, 2023

After you add a website to Web Application Firewall (WAF), you can configure a website whitelist to allow trusted access requests of the website to be directly routed to the origin server. Trusted access requests include requests from trusted vulnerability scan tools and trusted authenticated third-party system endpoints.


  • A WAF instance is purchased.

  • Your website is added to WAF. For more information, see Tutorial.

Background information

WAF provides multiple detection modules. If a website is added to WAF, all requests to this website are automatically detected by the modules that are enabled. To directly route trustworthy requests to your origin server, you can configure a website whitelist that allows the requests to bypass all detection modules of WAF.

You can also configure a whitelist for a specific detection module. This allows trusted access requests to bypass the detection of the specific detection module. You can configure the following types of whitelists:


We recommend that you create a whitelist for a specific detection module as required. A whitelist with more precise rules improves website security. A whitelist for a detection module provides better security protection than a website whitelist.


  1. Log on to the WAF console.

  2. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Protection Settings > Website Protection.

  4. In the upper part of the Website Protection page, select the domain name for which you want to configure a website protection whitelist from the Switch Domain Name drop-down list.切换域名

  5. In the upper-right corner, click Website Whitelist.

  6. Create a website whitelist.

    1. On the Website Whitelist page, click Create Rule.

    2. In the Create Rule dialog box, configure the following parameters.



      Rule name

      Specify a name for the rule.

      Matching Condition

      Specify match conditions for the rule. Click Add rule to add more match conditions. A maximum of five match conditions are allowed. If you specify multiple match conditions, the rule is triggered only after all the match conditions are met.

      For more information about match conditions, see Fields in match conditions.

    3. Click Save.

    After you create rules for the whitelist, the rules are automatically enabled. You can view created rules in the rule list. You can also disable, edit, or delete rules as required.


Fields in match conditions