If malicious actors compromise your origin server and alter page content, users may receive harmful or misleading information. Website tamper-proofing prevents this by serving cached copies of your protected pages instead of live origin content. When WAF receives a request for a protected URL, it returns the cached version — blocking any injected content from reaching users.
How it works
After you create a tamper-proofing rule for a URL, WAF immediately fetches and caches all resources at that path (HTML, TXT, and image files). Subsequent requests for that URL are served from the cache.
Requests that include URL parameters are not matched by tamper-proofing rules. For example, if the rule covers /abc, a request to /abc?xxx=yyy bypasses the rule and goes directly to the origin server.
If your origin server uses an allowlist for access control, add the following WAF IP addresses so WAF can pull and refresh cached content:
| Region | IP addresses |
|---|---|
| Chinese Mainland | 121.196.106.101, 121.196.100.214, 121.196.110.192, 121.196.107.0 |
| Outside Chinese Mainland | 8.219.104.2, 8.219.41.212 |
Prerequisites
Before you begin, ensure that you have:
A WAF instance with the Enterprise, Ultimate, or Exclusive edition
Your website added to WAF. For more information, see Quick start: Add your first website.
Enable website tamper-proofing
Log on to the WAF console. In the top navigation bar, select the resource group and the region where your WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
On the Website Protection page, select your domain name from the Switch Domain Name drop-down list.
Click the Web Security tab, find the Website Tamper-proofing section, turn on the Status switch, and then click Configure Now.
ImportantAfter you enable website tamper-proofing, WAF checks all requests against tamper-proofing rules by default. To allow certain requests to bypass this check, configure a data security whitelist. For more information, see Configure a data security whitelist.
On the Website Tamper-proofing page, click Create Rule.
In the Create Rule dialog box, fill in the following fields and click OK. After the rule is created, it is disabled by default. The rule appears in the list with its Protection Status switch turned off.
Field Description Name A name for the service that corresponds to the web page. URL The exact path to protect. The path must start with http://orhttps://. Wildcards (such as/*) and URL parameters (such as/abc?xxx=yyy) are not supported. WAF protects TXT, HTML, and image files at this path. The maximum size per protected file is 1 MB.In the rule list, find the new rule and turn on its Protection Status switch. WAF immediately starts serving the cached page for all requests to the protected URL.
(Optional) If you update the content of a protected page, click Update Cache in the Protection Status column to refresh the cached copy. If you skip this step after an update, WAF continues to serve the old cached version, which renders tamper-proofing ineffective.
Re-enabling the module switch or the rule's Protection Status switch has the same effect as clicking Update Cache — WAF re-fetches and refreshes the cached resources.
What's next
To allow specific requests to bypass tamper-proofing detection, see Configure a data security whitelist.