All Products
Document Center

Web Application Firewall:Configure the website tamper-proofing feature

Last Updated:Sep 15, 2023

After you add a website to Web Application Firewall (WAF), you can enable the website tamper-proofing feature for the website. The website tamper-proofing feature helps you lock web pages that require protection, such as web pages that contain sensitive information. When a locked web page is requested, a cached version of the page in WAF is returned. This prevents malicious modification of web pages.


  • A WAF instance is purchased. The edition of the WAF instance must be Business, Enterprise, or Exclusive.

  • Your website is added to WAF. For more information, see Tutorial.


  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the upper part of the Website Protection page, select the domain name for which you want to configure a website protection whitelist from the Switch Domain Name drop-down list.切换域名

  3. Click the Web Security tab and find the Website Tamper-proofing section. Then, turn on Status and click Settings.


    After you enable the website tamper-proofing feature and create a rule for the feature, all requests that are destined for your website are checked by the rule by default. If you want specific requests to bypass the check of the website tamper-proofing feature, you can create a data security whitelist rule. For more information, see Configure a whitelist for Data Security.

  4. Create a website tamper-proofing rule.

    1. On the Website Tamper-proofing page, click Add Rule.

    2. In the Create Rule dialog box, configure the Service Name and URL parameters for the web page that you want to protect. Then, click Confirm.

      • Service Name: Specify the name of the service that is displayed on the web page.

      • URL: Specify the exact path of the web page. The path must start with http:// or https://. Wildcard characters or parameters are not supported. For example, you cannot specify /*, /abc? xxx=yyy or xxx=yyy. The website tamper-proofing feature protects text data, HTML pages, and images in the specified path. The size of a single protected file cannot exceed 1 MB.


        Requests whose URLs include parameters cannot be matched by website tamper-proofing rules and are forwarded to the origin server by WAF. For example, the path of a URL is set to /abc in a website tamper-proofing rule and a request URL is /abc?xxx=yyy. In this case, the request is not matched by the website tamper-proofing rule.

    Website tamper-proofing rules are disabled by default after being created. You can view the website tamper-proofing rule that you created in the rule list. The Protection Status switch of the rule is turned off.

  5. Enable the rule. Find the rule that you want to enable in the rule list and turn on Protection Status.

    If you request a protected web page after you enable the rule, the page that is cached in WAF is returned.

  6. Optional: Update cached data. Find the rule that is enabled in the rule list and click Refresh Cache in the Protection Status column.


    If a protected web page is updated, click Refresh Cache to update the version cached in WAF. If you do not update the cached data when the protected page is updated, WAF will instead return the most recent cached version of the page. In this case, WAF fails to protect the page.