Data risk control protects high-value website endpoints—registrations, logons, campaigns, and forums—against bot-driven fraud that bypasses rate-based detection. Built on Alibaba Cloud big data technologies, it uses risk decision engines and CAPTCHA verification to distinguish human users from automated scripts, with no server or client configuration required beyond adding your website to Web Application Firewall (WAF).
WAF's scenario-specific configuration feature now covers anti-crawler protection with more granular control. After you configure anti-crawler rules, data risk control is no longer needed for crawler protection. Alibaba Cloud no longer provides updates or maintenance for data risk control. For new deployments targeting crawler threats, use scenario-specific configuration instead.
Use cases
Data risk control is suited for bot-driven attacks where request rates appear normal and HTTP flood protection cannot differentiate malicious from legitimate traffic:
Spam user registration
SMS flood attacks
Credential stuffing attacks
Brute-force attacks
Auto-purchase bots
Promotion abuse
Snatcher bots
Vote manipulation
Spam
How it works
WAF injects a JavaScript plug-in into your web pages to collect behavioral and environmental signals from the moment a user lands on the site until they submit a request. When a request reaches a protected URL:
If the behavioral signals indicate a normal user, the request passes without interruption.
If the signals are suspicious or the source IP has a history of malicious activity, slider CAPTCHA verification is triggered.
If scripts simulate slider interaction, additional verification methods are applied until the user passes or the request is blocked.
Prerequisites
Before you begin, ensure that you have:
A WAF instance deployed in the WAF consoleChinese mainland with the bot management module enabled
You have activated a Web Application Firewall instance that meets the following requirements:
The instance is in the Chinese Mainland region.
The Bot Management module is enabled.
Your website added to WAF (see Quick start: Add your first website)
Limitations
Data risk control works only in web page and HTML5 environments. The JavaScript plug-in may be incompatible with the following page types, causing slider CAPTCHA errors:
| Page type | Examples | Workaround |
|---|---|---|
Static pages loaded via URL navigation, location.href redirect, window.open, or anchor tag <a> | HTML detail pages, shared pages, homepages, documents | Restrict JavaScript plug-in insertion to compatible pages only (see Specify pages for JavaScript plug-in insertion) |
| Pages that rewrite or intercept requests | Custom form submissions, XMLHttpRequest (XHR) rewrites, custom Ajax requests | Same as above |
| Pages that use webhooks | Any page where webhook code runs | Same as above |
Restricting plug-in insertion to specific pages reduces behavioral data coverage and may lower detection effectiveness.
For native app protection, use the Anti-Bot SDK instead. See Configure application protection.
Enable data risk control
Log on to the WAF console. In the top navigation bar, select the resource group and the region where your WAF instance is deployed (Chinese Mainland or Outside Chinese Mainland).
In the left-side navigation pane, choose Protection Configurations > Website Protection.
At the top of the Website Protection page, select your domain name from the Switch Domain Name drop-down list.
On the Bot Management tab, find the Data Risk Control section and click Configure Now.
Enable the Status toggle.
After data risk control is enabled, WAF inserts a JavaScript plug-in into specific or all web pages. Data on the web pages is returned to users as compressed files that are not in the GZIP format. No further configurations are required regardless of whether your website uses non-standard ports.
Set the Mode. Start with Warn to observe traffic without blocking, then switch to a stricter mode after reviewing logs.
The Status toggle must be enabled before you can configure the Mode or protection rules.
Mode Behavior Warn (default) Forwards all requests. Logs suspicious activity for review in risk reports. The JavaScript plug-in is still inserted into static pages to collect behavioral data. Block Requires multi-factor authentication when an attack is detected. Strict Interception Requires strict multi-factor authentication when an attack is detected.
Add a protected URL
A protected URL is the endpoint where service operations are submitted—not the page URL that users see in their browser.
Example: A registration page at www.aliyundoc.com/new_user may call two backend endpoints: www.aliyundoc.com/getsmscode (to request a verification code) and www.aliyundoc.com/register.do (to submit the registration). Add these two endpoints as protected URLs. If you add the page URL www.aliyundoc.com/new_user instead, every user who visits the registration page must pass slider CAPTCHA verification before filling out the form—disrupting the normal user experience.
URL matching rules:
| Rule | Behavior |
|---|---|
| Exact match | www.aliyundoc.com/test protects only that path, not its subdirectories. |
| Directory wildcard | www.aliyundoc.com/book/* protects all paths under /book. |
Avoid www.aliyundoc.com/* | This forces every visitor to pass CAPTCHA before reaching the homepage. |
| API-only endpoints | Data risk control does not apply to pure API endpoints called by machine processes. If a user clicks a button that triggers an API call, verification works as expected. |
To add a protected URL:
On the Data Risk Control page, click the Protected URL tab and then click Add Protected URL.
In the Add Protected URL dialog box, enter the endpoint URL in the Protection Request URL field.
Click OK.
The new URL takes effect within approximately 10 minutes. After it appears in the URL list, you can modify or delete it as needed.
Specify pages for JavaScript plug-in insertion
By default, WAF inserts the JavaScript plug-in into all pages of your website. If certain pages are incompatible with the plug-in, restrict insertion to compatible pages only.
On the Data Risk Control page, click the Pages to Which JavaScript Plug-in are Inserted tab.
Select Insert JavaScript Plug-in into Specific Pages and click Add Webpage.
In the Add URL dialog box, enter the URL paths (each must start with
/) and click OK. You can add up to 20 URL paths.
After you add the paths, the JavaScript plug-in is inserted into all pages under those paths.
Limiting plug-in insertion to specific pages means data risk control cannot observe the full user journey, which may reduce detection accuracy.
Configure a whitelist
To exempt specific requests from data risk control checks, configure a whitelist for the bot management module. See Configure a whitelist for Bot Management.
View protection results
After enabling log collection for your domain, go to the Log Query tab and select Anti-Fraud in the Advanced Search section to view data risk control results. See Query and analyze logs.
Example: protect a registration endpoint
A website at www.aliyundoc.com allows users to register at www.aliyundoc.com/register.html. Attackers use scripts to submit registration requests at a normal rate, creating accounts to participate in prize draws. Because the request rate looks normal, HTTP flood protection does not flag these requests.
Configuration: Add www.aliyundoc.com/register.html as a protected URL.
How protection works after configuration:
The JavaScript plug-in is inserted into all pages of
www.aliyundoc.com, collecting behavioral signals from the moment any user arrives at the site.When a user submits a registration request to
/register.html, WAF evaluates the behavioral and environmental data collected throughout the entire session.A user who navigated normally through the site and filled out the form passes without interruption.
A script that jumps directly to
/register.htmland submits a request is flagged as suspicious and presented with slider CAPTCHA verification.If the script simulates slider interaction, additional verification is applied. If it fails, the request is blocked.
What's next
Before switching to Block or Strict Interception mode, enable Warn mode and review logs using Simple Log Service for WAF to run a compatibility test.
To protect native apps, configure the Anti-Bot SDK. See Configure application protection.
To replace data risk control for crawler protection, set up scenario-specific configuration. See Overview of scenario-specific configuration.