Call the CreateDefenseRule API to create protection rules - Web Application Firewall

Creates a web core protection rule.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-waf:CreateDefenseRule

create

*All Resource

*

acs:ResourceGroupId

None

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The ID of the WAF instance. Note Call DescribeInstance to obtain the instance ID.	waf_v2_public_cn-****
TemplateId	integer	No	The ID of the protection rule template. Note This parameter is required only when you set DefenseType to template.	1122
DefenseScene	string	Yes	The protection rule scenario. If you set DefenseType to template, valid values are: waf_group: basic protection. waf_base: web core protection. antiscan: scanning protection. ip_blacklist: IP address blacklist. custom_acl: custom rule. whitelist: whitelist. region_block: geo-blocking. custom_response: custom response. cc: HTTP flood protection. tamperproof: webpage tamper protection. dlp: data leakage prevention. spike_throttle: aggregate rate limiting. If you set DefenseType to resource, valid values are: account_identifier: account extraction. custom_response: custom response. waf_codec: decoding. If you set DefenseType to global, valid values are: regular_custom: custom regular expression. address_book: address book. custom_response: custom response. Note You can reference a globally configured custom response from a protected object or a rule. If you configure custom response rules at different levels, the rule at the finest granularity takes effect. The priority is: rule level > protected object level > default page.	waf_group
Rules	string	Yes	The protection rule configuration in JSON array format. Note The parameters in the array vary based on the value of DefenseScene. For more information, see Protection rule parameters.	waf_group
ResourceManagerResourceGroupId	string	No	The ID of the Alibaba Cloud resource group.	rg-acfm***q
DefenseType	string	No	The type of the protection rule. Valid values: template (default): a template-based protection rule. resource: a protection rule for a specific protected object. global: a global protection rule.	template
RegionId	string	No	The region of the WAF instance. Valid values: cn-hangzhou: the Chinese mainland. ap-southeast-1: outside the Chinese mainland.	cn-hangzhou
Resource	string	No	The protected object to apply the protection rule to. Note This parameter is required only when you set DefenseType to resource.	sec****-waf

Protection rule parameters

Template-based protection rules (template)

If you set DefenseType to template, the following rule configurations are available.

Basic protection rules (waf_group)

Parameters

Name	Type	Required	Example	Description
status	Integer	Yes	1	The status of the protection rule. This parameter is available only when you create a protection rule. To modify the status of a protection rule, call the ModifyDefenseRuleStatus operation and configure the RuleStatus parameter. Valid values: - 0: disabled. - 1 (default): enabled.
action	String	Yes	block	The action of the protection rule. Valid values: - block: Block. - monitor: Log.
policyId	Long	No	1012	The ID of the protection rule group. The default value is 1012, which indicates the medium-level rule group.
protectionType	String	No	sema	The type of the protection rule. Valid values: - regular (default): regular expression-based protection. - sema: semantic analysis protection.
config	String	No	{"nonInjectionSql":1}	The custom configuration. This is a JSON string. For more information, see config parameters.

config parameters

If you set protectionType to sema (semantic analysis protection for basic protection rules)

Name	Type	Required	Example	Description
nonInjectionSql	Integer	Yes	1	The status of non-injection attack detection. Valid values: - 0: disabled. - 1 (default): enabled.

Example

{
    "DefenseScene": "waf_group",
    "TemplateId": 322,
    "InstanceId": "waf_cn****",
    "Rules": "[{\"status\":1,\"policyId\":1012,\"action\":\"block\"},{\"status\":1,\"action\":\"block\",\"protectionType\":\"sema\",\"config\":\"{\\\"nonInjectionSql\\\":1}\"}]"
}

Web core protection rules (waf_base)

Parameters

Name	Type	Required	Example	Description
autoUpdate	Boolean	Yes	true	Specifies whether to automatically update the rule. Valid values: - true: enables automatic update. - false: disables automatic update.
config	Array	Yes	[{"ruleType":"system","ruleDetail":[{"ruleId":13000412,"ruleStatus":1,"ruleAction":"block"}]}]	The rule configuration to be modified. For more information, see config parameters. Important Call `DescribeBaseSystemRules` to query system protection rules, and `DescribeDefenseRules` to query custom regular expression rules for the template.

config parameters

Name	Type	Required	Example	Description
ruleType	String	Yes	system	The type of the rule. Valid values: - system: a system rule in basic protection. - custom: a custom regular expression rule in basic protection.
ruleBatchOperationConfig	String	No	default	The batch operation on rules. If you specify this parameter, the RuleDetail parameter must be empty. Valid values: - default: restores the default settings. - all_on: enables all rules. - all_off: disables all rules. - all_block: sets the action of all rules to Block. - all_monitor: sets the action of all rules to Log.
ruleDetail	Array	No	[{"ruleId":13000412,"ruleStatus":1,"ruleAction":"block"}]]	The rule configuration to be modified. The value contains the following parameters: - ruleId: the rule ID. - ruleStatus: the rule status. - ruleAction: the rule action.

Example

{
    "DefenseScene": "waf_base",
    "TemplateId": 322,
    "InstanceId": "waf_cn****",
    "Rules": "[{\"autoUpdate\":true,\"config\":[{\"ruleType\":\"system\",\"ruleDetail\":[{\"ruleId\":13000412,\"ruleStatus\":1,\"ruleAction\":\"block\"}]}]}]"
}

Scanning protection rules (antiscan)

Parameters

Name	Type	Required	Example	Description
protectionType	String	Yes	highfreq	The subtype of the scanning protection rule. Valid values: - highfreq: high-frequency scanning protection. - dirscan: directory traversal blocking. - scantools: scanner blocking.
status	Integer	Yes	1	The status of the protection rule. This parameter is available only when you create a protection rule. To modify the status of a protection rule, call the ModifyDefenseRuleStatus operation and configure the RuleStatus parameter. Valid values: - 0: disabled. - 1 (default): enabled.
action	String	Yes	block	The action of the protection rule. Valid values: - block: Block. - monitor: Log.
actionExternal	JSON	No	{"responseRuleId":123444}	The extended configuration of the protection rule action. This parameter is available only for custom responses. If you set action to block, you can specify a custom block page.
config	String	No	{"target":"remote_addr","interval":60,"ttl":180,"count":20}	The custom configuration. This is a JSON string. For more information, see config parameters.

config parameters

If you set protectionType to highfreq (high-frequency scanning protection)

Name	Type	Required	Example	Description
target	String	Yes	remote_addr	The type of the statistical object. Valid values: - remote_addr (default): IP address. - cookie.acw_tc: session. - header: custom header. If you select this value, you must specify the header to be counted in the subkey parameter. - queryarg: custom parameter. If you select this value, you must specify the custom parameter to be counted in the subkey parameter. - cookie: custom cookie. If you select this value, you must specify the cookie to be counted in the subkey parameter.
subKey	String	No	abc	The sub-feature of the statistical object. This parameter is required if you set the target parameter to cookie, header, or queryarg.
interval	Integer	No	60	The detection period in seconds. The default value is 60. Valid values: 5 to 1800.
ttl	Integer	No	1800	The block duration in seconds. The default value is 1800. Valid values: 60 to 86400.
count	Integer	No	20	The maximum number of times that a basic protection rule can be triggered. The default value is 20. Valid values: 3 to 50000.
ruleIdCount	Integer	No	2	The maximum number of triggered rules. The default value is 2. Valid values: 1 to 50.

If you set protectionType to dirscan (directory traversal blocking)

Name	Type	Required	Example	Description
target	String	Yes	remote_addr	The statistical and blocking object. Valid values: - remote_addr (default): IP address. - cookie.acw_tc: session. - header: custom header. - queryarg: custom parameter. - cookie: custom cookie.
subKey	String	No	1	The sub-feature of the statistical and blocking object. This parameter is required only if you set target to header, queryarg, or cookie.
interval	Integer	No	60	The detection period in seconds. The default value is 60. Valid values: 5 to 1800.
ttl	Integer	No	1800	The block duration in seconds. The default value is 1800. Valid values: 60 to 86400.
count	Integer	No	20	The maximum number of times that a basic protection rule can be triggered. The default value is 20. Valid values: 3 to 50000.
weight	Float	No	2	The percentage of 404 response codes. The default value is 0.7. Valid values: 0.01 to 1.0. The value can be accurate to two decimal places.
uriNum	Integer	No	2	The maximum number of non-existent directories. The default value is 50. Valid values: 2 to 50000.

Example

{
    "InstanceId": "waf_v2_public_****",
    "TemplateId": 2222,
    "DefenseScene": "antiscan",
    "Rules": "[{\"protectionType\":\"scantools\",\"action\":\"block\",\"status\":1},{\"protectionType\":\"dirscan\",\"status\":1,\"action\":\"block\",\"config\":\"{\\\"target\\\":\\\"remote_addr\\\",\\\"interval\\\":10,\\\"ttl\\\":1800,\\\"weight\\\":0.7,\\\"uriNum\\\":50,\\\"count\\\":50}\"},{\"protectionType\":\"highfreq\",\"status\":1,\"action\":\"block\",\"config\":\"{\\\"target\\\":\\\"remote_addr\\\",\\\"interval\\\":60,\\\"ttl\\\":1800,\\\"count\\\":20,\\\"ruleIdCount\\\":2}\"}]"
}

IP address blacklist rules (ip_blacklist)

Parameters

Name	Type	Required	Example	Description
name	String	Yes	iptest	The name of the IP address blacklist rule. The name can be up to 255 characters in length and can contain letters, digits, underscores (_), periods (.), and hyphens (-).
status	Integer	Yes	1	The status of the protection rule. This parameter is available only when you create a protection rule. To modify the status of a protection rule, call the ModifyDefenseRuleStatus operation and configure the RuleStatus parameter. Valid values: - 0: disabled. - 1 (default): enabled.
action	String	Yes	block	The action of the protection rule. Valid values: - block: Block. - monitor: Log.
actionExternal	JSON	No	{"responseRuleId":123444}	The extended configuration of the protection rule action. This parameter is available only for custom responses. If you set action to block, you can specify a custom block page.
remoteAddr	Array	Yes	["1.1.XX.XX", "3.1.XX.XX/24"]	The IP addresses to be added to the blacklist. Use the ["ip1","ip2",...] format.

Example

{
    "InstanceId": "waf_v2_public_****",
    "TemplateId": 2222,
    "DefenseScene": "ip_blacklist",
    "Rules": "[{\"name\":\"iptest1\",\"remoteAddr\":[\"1.1.1.2\",\"3.3.3.3/24\"],\"action\":\"monitor\",\"status\":1},{\"name\":\"iptest2\",\"remoteAddr\":[\"4.4.4.4\",\"5.5.5.5/32\"],\"action\":\"block\",\"status\":1}]"
}

Custom rules (custom_acl)

Parameters

Name	Type	Required	Example	Description
name	String	Yes	iptest	The name of the custom ACL rule. The name can be up to 255 characters in length and can contain letters, digits, underscores (_), periods (.), and hyphens (-).
status	Integer	Yes	1	The status of the protection rule. This parameter is available only when you create a protection rule. To modify the status of a protection rule, call the ModifyDefenseRuleStatus operation and configure the RuleStatus parameter. Valid values: - 0: disabled. - 1 (default): enabled.
action	String	Yes	block	The action of the protection rule. Valid values: - block: Block. - monitor: Log. - js: JavaScript challenge. - captcha: slider CAPTCHA. - captcha_strict: strict CAPTCHA. Important For the protection rule actions supported by custom ACL, see the custom rule actions displayed in the WAF console.
actionExternal	JSON	No	{"responseRuleId":123444}	The extended configuration of the protection rule action. This parameter is available only for custom responses. If you set action to block, you can specify a custom block page. If you set action to captcha or captcha_strict, you can specify a custom slider CAPTCHA page.
conditions	Array	Yes	[{"key":"IP","opValue":"eq","values":"11.XX.XX.1"},{"key":"Header","subKey":"abc","opValue":"contains","values":"test"}]	The traffic characteristics for the ACL. This is a JSON string that supports up to five match conditions. For more information, see conditions parameters.
ccStatus	Integer	Yes	1	Specifies whether to enable rate limiting. Valid values: - 0: disables rate limiting. - 1: enables rate limiting.
ratelimit	JSON	No	{"target":"remote_addr","interval":5,"threshold":2,"ttl":1800,"status":{"code":404,"count":2}}	The detailed rate limiting configuration. This is a JSON string. This parameter is required only if you set ccStatus to 1. For more information, see ratelimit parameters.
effect	String	No	rule	The scope of rate limiting. This parameter is required only if you set ccStatus to 1. Valid values: - service: The rate limiting is applied to the protected object. - rule: The rate limiting is applied to a single rule.
grayStatus	Integer	No	1	Specifies whether to enable canary release for the rule. Valid values: - 0 (default): disables canary release. - 1: enables canary release.
grayConfig	JSON	No	{"grayTarget":"header","grayRate":80,"graySubKey":"test"}	The canary release configuration for the rule. This is a JSON string. This parameter is required only if you set grayStatus to 1. For more information, see grayConfig parameters.
timeConfig	JSON	No	{"timeScope":"period","timeZone":8,"timePeriods":[{"start":1758771729787,"end":1758816000000}]}	The scheduled rule configuration. This is a JSON string. For more information, see timeConfig parameters.

conditions parameters

Name	Type	Required	Example	Description
key	String	Yes	IP	The match field. Valid values: URL, URLPath, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, Header, Extension, Filename, Server-Port, Host, Cookie-Exact, Query-Arg, and Post-Arg. Important The supported match fields vary based on the WAF edition. For more information, see the match fields for custom rules in the WAF console.
subKey	String	No	abc	The custom sub-match field. Important Not all match fields (key) for custom rules have custom sub-match fields (subKey). For more information about whether a match field supports a custom sub-match field, see the relationship between match fields and custom match fields for custom rules in the WAF console.
opValue	String	Yes	contain	The logical operator. Valid values: - not-contain: Does not contain. For the IP field, this means the IP address is not in the specified range. - contain: Contains. For the IP field, this means the IP address is in the specified range. - none: Does not exist. - ne: Is not equal to. - eq: Is equal to. - lt: Is less than. - gt: Is greater than. - len-lt: Has a length less than. - len-eq: Has a length equal to. - len-gt: Has a length greater than. - not-match: Does not match. - match-one: Is equal to one of multiple values. - all-not-match: Is not equal to any of the values. - all-not-contain: Does not contain any of the values. - contain-one: Contains one of multiple values. - not-regex: Does not match the regular expression. - regex: Matches the regular expression. - all-not-regex: Does not match any of the regular expressions. - regex-one: Matches one of the regular expressions. - prefix-match: Matches the prefix. - suffix-match: Matches the suffix. - empty: Is empty. - exists: Exists. - inl: Is in a list. - in-list: Is in an address book. - not-in-list: Is not in an address book. Important Not all logical operators (opValue) can be configured for every match field (key) of a custom rule. For more information about the logical operators supported by a match field, see the relationship between match fields and logical operators for custom rules in the WAF console.
values	String	Yes	abc	The match content. Specify the content as needed. Separate multiple values with commas (,). Important The valid values of the logical operator (opValue) and match content (values) parameters are related to the specified match field (key).

ratelimit parameters

Name	Type	Required	Example	Description
target	String	Yes	remote_addr	The type of the statistical object. Valid values: - remote_addr (default): IP address. - cookie.acw_tc: session. - header: custom header. If you select this value, you must specify the header to be counted in the subkey parameter. - queryarg: custom parameter. If you select this value, you must specify the custom parameter to be counted in the subkey parameter. - cookie: custom cookie. If you select this value, you must specify the cookie to be counted in the subkey parameter.
subKey	String	No	abc	The sub-feature of the statistical object. This parameter is required if you set the target parameter to cookie, header, or queryarg.
interval	Integer	Yes	60	The statistical period in seconds. This parameter is used with the threshold parameter to count the number of requests. Valid values: 1 to 1800.
threshold	Integer	Yes	200	The threshold of the number of times that a single statistical object can access the protected address within the detection period.
ttl	Integer	Yes	1800	The effective period of the action in seconds. Valid values: 60 to 86400.
status	JSON	No	{"code":404,"count":200}	The settings for response code frequency. This is a JSON string that contains the following parameters: code: Integer. Required. The response code. count: Integer. Optional. The trigger threshold for the number of times the specified response code appears. The rule is triggered if the number of times the response code appears exceeds this threshold. Valid values: 2 to 50000. The count and ratio parameters are mutually exclusive. ratio: Integer. Optional. The trigger threshold for the percentage of times the specified response code appears. The rule is triggered if the percentage of times the response code appears exceeds this threshold. Valid values: 1 to 100. The count and ratio parameters are mutually exclusive.

grayConfig parameters

Name	Type	Required	Example	Description
grayTarget	String	Yes	80	The type of the canary release object. Valid values: - remote_addr (default): IP address. - cookie.acw_tc: session. - header: custom header. If you select this value, you must specify the header to be counted in the graySubKey parameter. - queryarg: custom parameter. If you select this value, you must specify the custom parameter to be counted in the graySubKey parameter. - cookie: custom cookie. If you select this value, you must specify the cookie to be counted in the graySubKey parameter.
graySubKey	String	No	abc	The sub-feature of the statistical object. This parameter is required if you set the grayTarget parameter to cookie, header, or queryarg.
grayRate	Integer	Yes	20	The percentage of traffic for which the rule takes effect. Valid values: 1 to 100.

timeConfig parameters

Name	Type	Required	Example	Description
timeScope	String	Yes	period	The effective period of the rule. Valid values: - permanent (default): The rule is permanently effective. - period: The rule is effective within a time period. - cycle: The rule is periodically effective.
timeZone	Integer	Yes	8	The time zone in which the rule is effective. The default value is 8. Valid values: -12 to 12. 0 indicates UTC, 8 indicates UTC+8, and -8 indicates UTC-8.
timePeriods	Array	No	[{"start":1758771729787,"end":1758816000000}]	The time period during which the rule is effective. This parameter is required if you set the timeScope parameter to period. You can specify multiple time periods. - start: Long. Required. The start time of the rule. This is a UNIX timestamp in milliseconds. - end: Long. Required. The end time of the rule. This is a UNIX timestamp in milliseconds.
weekTimePeriods	Array	No	[{"day":"1","dayPeriods":[{"start":0,"end":51644084}]},{"day":"1,2,5","dayPeriods":[{"start":0,"end":42928908}]}]	The time period during which the rule is periodically effective. This parameter is required if you set the timeScope parameter to cycle. You can specify multiple time periods. - day: String. Required. The cycle in which the rule is effective. Valid values: 1 to 7. Separate multiple days with commas (,). For example, if you set this parameter to 1, the rule is effective every Monday. - dayPeriods: Array. Required. The time period during which the rule is effective every day. The value includes the start time start and end time end. You can specify multiple time periods. • start: Long. Required. The start time of the rule every day. This is a timestamp in milliseconds relative to 00:00 of the day. Valid values: [0-86400000). • end: Long. Required. The end time of the rule every day. This is a timestamp in milliseconds relative to 00:00 of the day. Valid values: [0-86400000).

Example

{
    "InstanceId": "waf_v2_public_****",
    "TemplateId": 6242,
    "DefenseScene": "custom_acl",
    "Rules":"[{\"name\":\"acl_test\",\"action\":\"block\",\"conditions\":[{\"key\":\"URL\",\"opValue\":\"contain\",\"values\":\"abc\"}],\"ratelimit\":{\"target\":\"remote_addr\",\"interval\":5,\"threshold\":2,\"ttl\":1800,\"status\":{\"code\":404,\"count\":2}},\"ccStatus\":1,\"effect\":\"rule\",\"status\":1,\"origin\":\"custom\",\"timeConfig\":{\"timeScope\":\"cycle\",\"timeZone\":8,\"weekTimePeriods\":[{\"day\":\"1\",\"dayPeriods\":[{\"start\":0,\"end\":51644084}]},{\"day\":\"1,2,5\",\"dayPeriods\":[{\"start\":0,\"end\":42928908}]}]},\"grayStatus\":1,\"grayConfig\":{\"grayRate\":80,\"graySubKey\":\"test\",\"grayTarget\":\"header\"}}]"
}

Whitelist rules (whitelist)

Parameters

Name	Type	Required	Example	Description
name	String	Yes	whitelistTest	The name of the whitelist rule. The name can be up to 255 characters in length and can contain letters, digits, underscores (_), periods (.), and hyphens (-).
status	Integer	Yes	1	The status of the protection rule. This parameter is available only when you create a protection rule. To modify the status of a protection rule, call the ModifyDefenseRuleStatus operation and configure the RuleStatus parameter. Valid values: - 0: disabled. - 1 (default): enabled.
conditions	Array	Yes	[{"key":"IP","opValue":"eq","values":"11.XX.XX.1"},{"key":"Header","subKey":"abc","opValue":"contains","values":"test"}]	The traffic characteristics for the whitelist. This is a JSON string that supports up to five match conditions. For more information, see conditions parameters.
tags	Array	Yes	["waf", "regular"]	The list of modules to which the whitelist is applied. Use the ["XX1", "XX2",...] format. Valid values: - waf: all modules. - customrule_rule: a specific custom rule. - customrule: custom rules. - blacklist: the IP address blacklist. - blacklist_rule: a specific IP address blacklist rule. - antiscan: scanning protection. - regular: basic protection rules. - regular_rule: a specific regular expression rule for basic protection. - regular_type: a specific regular expression rule type for basic protection. - regular_field: a specific field for basic protection. - major_protection: critical event protection. - cc: CC protection. - region_block: geo-blocking. - antibot_scene: bot scenario protection. - antibot_scene_rule: a specific bot scenario protection rule ID. - antibot_scene_label: a specific bot scenario protection rule type. - dlp: data leakage prevention. - tamperproof: webpage tamper protection. - spike_throttle: aggregate rate limiting protection.
regularRules	Array	No	[ "111111", "222222" ]	The list of regular expression rule IDs that are not detected. Use the ["XX1", "XX2",...] format. This parameter is required only if you set the tags parameter to regular_rule.
regularTypes	Array	No	[ "xss", "css" ]	The list of regular expression rule types that are not detected. Use the ["XX1", "XX2",...] format. This parameter is required only if you set the tags parameter to regular_type. Valid values: - sqli: SQL injection. - xss: cross-site scripting. - code_exec: code execution. - crlf: CRLF. - lfilei: local file inclusion. - rfilei: remote file inclusion. - webshell: WebShell. - csrf: CSRF. - other: other.
regularFields	Array	No	[{"key":"URL"},{"key":"Header","subKey":"abc"}]	The list of fields that are not detected by basic protection. This is a JSON string that supports up to five match conditions. For more information, see regularFields parameters. This parameter is required only if you set the tags parameter to regular_field.
customRules	Array	No	[ "111111", "222222" ]	The list of custom rule IDs that are not detected. Use the ["XX1", "XX2",...] format. This parameter is required only if you set the tags parameter to customrule_rule.
blacklistRules	Array	No	[ "111111", "222222" ]	The list of IP address blacklist rule IDs that are not detected. Use the ["XX1", "XX2",...] format. This parameter is required only if you set the tags parameter to blacklist_rule.
botRules	Array	No	[ "111111", "222222" ]	The list of bot scenario protection rule IDs that are not detected. Use the ["XX1", "XX2",...] format. This parameter is required only if you set the tags parameter to antibot_scene_rule.
botLables	Array	No	[ "abc", "cdcc" ]	The list of bot scenario protection rule types that are not detected. Use the ["XX1", "XX2",...] format. This parameter is required only if you set the tags parameter to antibot_scene_label. You can call the DescribeBotRuleLabels operation to view the rule type information of bots.

conditions parameters

Name	Type	Required	Example	Description
key	String	Yes	IP	The match field. Valid values: URL, URLPath, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, Header, Server-Port, Host, and Query-Arg. Important The supported match fields vary based on the WAF edition. For more information, see the match fields for whitelist rules in the WAF console.
subKey	String	No	abc	The custom sub-match field. Important Not all match fields (key) for whitelist rules have custom sub-match fields (subKey). For more information about whether a match field supports a custom sub-match field, see the relationship between match fields and custom match fields for whitelist rules in the WAF console.
opValue	String	Yes	contain	The logical operator. Valid values: - not-contain: Does not contain. For the IP field, this means the IP address is not in the specified range. - contain: Contains. For the IP field, this means the IP address is in the specified range. - none: Does not exist. - ne: Is not equal to. - eq: Is equal to. - lt: Is less than. - gt: Is greater than. - len-lt: Has a length less than. - len-eq: Has a length equal to. - len-gt: Has a length greater than. - not-match: Does not match. - match-one: Is equal to one of multiple values. - all-not-match: Is not equal to any of the values. - all-not-contain: Does not contain any of the values. - contain-one: Contains one of multiple values. - not-regex: Does not match the regular expression. - regex: Matches the regular expression. - all-not-regex: Does not match any of the regular expressions. - regex-one: Matches one of the regular expressions. - prefix-match: Matches the prefix. - suffix-match: Matches the suffix. - empty: Is empty. - exists: Exists. - inl: Is in a list. - in-list: Is in an address book. - not-in-list: Is not in an address book. Note Not all logical operators (opValue) can be configured for every match field (key) of a whitelist rule. For more information about the logical operators supported by a match field, see the relationship between match fields and logical operators for whitelist rules in the WAF console.
values	String	Yes	abc	The match content. Specify the content as needed. Separate multiple values with commas (,). Important The valid values of the logical operator (opValue) and match content (values) parameters are related to the specified match field (key).

regularFields parameters

Name	Type	Required	Example	Description
key	String	Yes	URL	The field that is not detected. Valid values: - URL-All: all URI-related fields. - URL: a specific URI field. - URLPath: the URI path. - Query-All: all query-related fields. - Query-Arg: a specific query parameter. - Cookie-All: all cookie-related fields. - Cookie-Exact: a specific cookie name. - Header-All: all header-related fields. - Header: a specific header field. - Body-All: all body parameters.
subKey	String	No	abc	The specified field. This parameter is required if you set the field that is not detected (key) to URLPath, Query-Arg, Cookie-Exact, or Header.

Example

{
    "InstanceId": "waf_v2_public_****",
    "TemplateId": 9242,
    "DefenseScene": "whitelist",
    "Rules":"[{\"name\":\"whitelistTest\",\"tags\":[\"regular_rule\",\"customrule\"],\"status\":1,\"origin\":\"custom\",\"conditions\":[{\"key\":\"URL\",\"opValue\":\"contain\",\"values\":\"/test\"},{\"key\":\"Header\",\"opValue\":\"eq\",\"values\":\"ffff\",\"subKey\":\"abc\"}],\"regularRules\":[\"123444\",\"444444\"]}]"
}

Custom response rules (custom_response)

Parameters

Name	Type	Required	Example	Description
responseType	String	Yes	response_block	The type of the custom response. Set the value to response_block, which indicates a block response.
status	Integer	Yes	1	The status of the protection rule. This parameter is available only when you create a protection rule. To modify the status of a protection rule, call the ModifyDefenseRuleStatus operation and configure the RuleStatus parameter. Valid values: - 0: disabled. - 1 (default): enabled.
config	String	Yes	{"responseCode":400,"responseHeaders":[{"key":"custom","value":"123"},{"key":"aaa","value":"2223"}],"responseContent":"HelloWorld"}	The custom configuration. This is a JSON string. For more information, see config parameters.

config parameters

Name	Type	Required	Example	Description
responseCode	Integer	Yes	400	The specified response code.
responseHeaders	Array	No	[{"key":"custom","value":"123"},{"key":"aaaa","value":"2223"}]	The list of custom response headers. This is a JSON string. key is the header field and value is the header value.
responseContent	String	Yes	helloworld	The content of the custom response.

Example

{
    "InstanceId": "waf_v2_public_****",
    "TemplateId": 2841,
    "DefenseScene": "custom_response",
    "Rules":"[{\"responseType\":\"response_block\",\"config\":\"{\\\"templateName\\\":\\\"aaa\\\",\\\"responseCode\\\":\\\"400\\\",\\\"responseContent\\\":\\\"helloWorld\\\",\\\"responseHeaders\\\":[{\\\"key\\\":\\\"test1\\\",\\\"value\\\":\\\"abc\\\"}]}\",\"status\":1}]"
}

Geo-blocking rules (region_block)

Parameters

Name	Type	Required	Example	Description
cnRegionList	String	No	610000,230000	The list of regions in China. Specify ["CN"] to block regions in the Chinese mainland (excluding Hong Kong (China), Macao (China), and Taiwan (China)). Separate multiple regions with commas (,). For more information about the meanings of region codes, see Meanings of region codes in China.
abroadRegionList	String	No	KE,KG	The list of regions outside China. Separate multiple regions with commas (,). You can call the DescribeIpAbroadCountryInfos operation to view the overseas countries and regions that can be blocked.
status	Integer	Yes	1	The status of the protection rule. This parameter is available only when you create a protection rule. To modify the status of a protection rule, call the ModifyDefenseRuleStatus operation and configure the RuleStatus parameter. Valid values: - 0: disabled. - 1 (default): enabled.
action	String	Yes	block	The action of the protection rule. Valid values: - block: Block. - monitor: Log.
actionExternal	JSON	No	{"responseRuleId":123444}	The extended configuration of the protection rule action. This parameter is available only for custom responses. If you set action to block, you can specify a custom block page. If you set action to captcha or captcha_strict, you can specify a custom slider CAPTCHA page.

Meanings of Chinese region codes

{
    "110000": "Beijing",
    "120000": "Tianjin",
    "130000": "Hebei Province",
    "140000": "Shanxi Province",
    "150000": "Inner Mongolia Autonomous Region",
    "210000": "Liaoning Province",
    "220000": "Jilin Province",
    "230000": "Heilongjiang Province",
    "310000": "Shanghai",
    "320000": "Jiangsu Province",
    "330000": "Zhejiang Province",
    "340000": "Anhui Province",
    "350000": "Fujian Province",
    "360000": "Jiangxi Province",
    "370000": "Shandong Province",
    "410000": "Henan Province",
    "420000": "Hubei Province",
    "430000": "Hunan Province",
    "440000": "Guangdong Province",
    "450000": "Guangxi Zhuang Autonomous Region",
    "460000": "Hainan Province",
    "500000": "Chongqing",
    "510000": "Sichuan Province",
    "520000": "Guizhou Province",
    "530000": "Yunnan Province",
    "540000": "Tibet Autonomous Region",
    "610000": "Shaanxi Province",
    "620000": "Gansu Province",
    "630000": "Qinghai Province",
    "640000": "Ningxia Hui Autonomous Region",
    "650000": "Xinjiang Uygur Autonomous Region",
    "MO_01": "Macao (China)",
    "HK_01": "Hong Kong (China)",
    "TW_01": "Taiwan (China)",
    "CN": "Regions in the Chinese mainland (excluding Hong Kong (China), Macao (China), and Taiwan (China))"
}

Example

{
    "InstanceId": "waf_v2_public_****",
    "TemplateId": 2341,
    "DefenseScene": "region_block",
    "Rules": "[{\"cnRegionList\":\"CN,HK_01,TW_01,MO_01\",\"abroadRegionList\":\"AU,NZ\",\"action\":\"block\",\"status\":1}]"
}

HTTP flood protection rules (cc)

Parameters

Name	Type	Required	Example	Description
mode	Integer	Yes	0	The HTTP flood protection mode. Valid values: - 0 (default): normal. - 1: emergency.
status	Integer	Yes	1	The status of the protection rule. This parameter is available only when you create a protection rule. To modify the status of a protection rule, call the ModifyDefenseRuleStatus operation and configure the RuleStatus parameter. Valid values: - 0: disabled. - 1 (default): enabled.
action	String	No	js	The action of the protection rule. Valid values: - js (default): JavaScript challenge. - monitor: Log.

Example

{
    "InstanceId": "waf_v2_public_****",
    "TemplateId": 2241,
    "DefenseScene": "cc",
    "Rules":"[{\"mode\":0,\"status\":1,\"action\":\"js\"}]"
}

Webpage tamper protection rules (tamperproof)

Parameters

Name	Type	Required	Example	Description
name	String	Yes	test	The name of the protection rule. The name can be up to 255 characters in length and can contain letters, digits, underscores (_), periods (.), and hyphens (-).
url	String	Yes	/abc	The address of the cached page.
ua	String	No	app	The user agent that is used to access the path.
protocol	String	Yes	https	The protocol type of the cached page address. Valid values: http and https.
status	Integer	Yes	1	The status of the protection rule. This parameter is available only when you create a protection rule. To modify the status of a protection rule, call the ModifyDefenseRuleStatus operation and configure the RuleStatus parameter. Valid values: - 0: disabled. - 1 (default): enabled.

Example

{
    "InstanceId": "waf_v2_public_****",
    "TemplateId": 1241,
    "DefenseScene": "tamperproof",
    "Rules": "[{\"name\":\"test1\",\"url\":\"www.test1.com\",\"ua\":\"firefox\",\"protocol\":\"https\",\"status\":1}]"
}

Data leakage prevention rules (dlp)

Parameters

Name	Type	Required	Example	Description
name	String	Yes	test	The name of the protection rule. The name can be up to 255 characters in length and can contain letters, digits, underscores (_), periods (.), and hyphens (-).
conditions	Array	Yes	[{"key":"HttpCode","opValue":"contain","values":"400,401,402,403,404,405,500,501,502,503,504,505"},{"key":"URL","opValue":"contain","values":"test"}]	The match condition. This is a JSON string that supports up to two match conditions. The logical operator between the conditions is AND. For more information, see conditions parameters.
status	Integer	Yes	1	The status of the protection rule. This parameter is available only when you create a protection rule. To modify the status of a protection rule, call the ModifyDefenseRuleStatus operation and configure the RuleStatus parameter. Valid values: - 0: disabled. - 1 (default): enabled.
action	String	Yes	block	The action of the protection rule. Valid values: - block: Block. This action is applicable only to scenarios that contain response code match conditions. - monitor: Log. - filter: filters sensitive information. This action is applicable only to scenarios that contain sensitive information match conditions.

conditions parameters

Name	Type	Required	Example	Description
key	String	Yes	URL	The match field. Valid values: URL, HttpCode, and SensitiveInfo.
opValue	String	Yes	contain	The logical operator. Set the value to contain.
values	String	Yes	abc	The match content. Separate multiple values with commas (,). The valid values for HttpCode are 400, 401, 402, 403, 404, 405 (which represents 405-499), 500, 501, 502, 503, 504, and 505 (which represents 505-599). The valid values for SensitiveInfo are: - phone: phone number. - card: credit card. - id: ID card. - word: default sensitive word.

Example

{
    "InstanceId": "waf_v2_public_****",
    "TemplateId": 5241,
    "DefenseScene": "dlp",
    "Rules":"[{\"name\":\"test\",\"action\":\"filter\",\"status\":1,\"conditions\":[{\"key\":\"SensitiveInfo\",\"opValue\":\"contain\",\"values\":\"id,card\"},{\"key\":\"URL\",\"opValue\":\"contain\",\"values\":\"/test.html\"}]}]"
}

Aggregate rate limiting (spike_throttle)

Parameters

Name	Type	Required	Example	Description
name	String	Yes	iptest	The name of the aggregate rate limiting rule. The name can be up to 255 characters in length and can contain letters, digits, underscores (_), periods (.), and hyphens (-).
status	Integer	Yes	1	The status of the protection rule. This parameter is available only when you create a protection rule. To modify the status of a protection rule, call the ModifyDefenseRuleStatus operation and configure the RuleStatus parameter. Valid values: - 0: disabled. - 1 (default): enabled.
action	String	Yes	block	The action of the protection rule. Valid values: - block: Block. - monitor: Log.
actionExternal	JSON	No	{"responseRuleId":123444}	The extended configuration of the protection rule action. This parameter is available only for custom responses. If you set action to block, you can specify a custom block page.
conditions	Array	Yes	[{"key":"IP","opValue":"eq","values":"11.XX.XX.1"},{"key":"Header","subKey":"abc","opValue":"contains","values":"test"}]	The traffic characteristics for the ACL. This is a JSON string that supports up to five match conditions. For more information, see conditions parameters.
cnRegionList	String	No	610000,230000	The list of regions in China. Specify ["CN"] to block regions in the Chinese mainland (excluding Hong Kong (China), Macao (China), and Taiwan (China)). Separate multiple regions with commas (,). For more information about the meanings of region codes, see Meanings of region codes in China.
abroadRegionList	String	No	KE,KG	The list of regions outside China. Separate multiple regions with commas (,). You can call the DescribeIpAbroadCountryInfos operation to view the overseas countries and regions that can be blocked.
type	String	Yes	qps	The rate limiting method. Valid values: - qps: rate limiting based on QPS. - ratio (default): rate limiting based on percentage.
threshold	Integer	Yes	500	The rate limiting threshold. Valid values: - The QPS-based rate limiting threshold ranges from 1 to 5,000,000. If you select QPS-based rate limiting (for example, 500 QPS), traffic that meets the rate limiting conditions and exceeds 500 QPS is blocked. - The percentage-based rate limiting threshold ranges from 1 to 99. If you select percentage-based rate limiting (for example, 80%), only 80% of the traffic that meets the rate limiting conditions is allowed.

conditions parameters

Name	Type	Required	Example	Description
key	String	Yes	IP	The match field. Valid values: URL, URLPath, IP, Referer, User-Agent, Params, Cookie, Content-Type, Content-Length, X-Forwarded-For, Post-Body, Http-Method, and Header.
subKey	String	No	abc	The custom sub-match field. Important Not all match fields (key) for aggregate rate limiting rules have custom sub-match fields (subKey). For more information about whether a match field supports a custom sub-match field, see the relationship between match fields and custom match fields for aggregate rate limiting rules in the WAF console.
opValue	String	Yes	contain	The logical operator. Valid values: - not-contain: Does not contain. For the IP field, this means the IP address is not in the specified range. - contain: Contains. For the IP field, this means the IP address is in the specified range. - none: Does not exist. - ne: Is not equal to. - eq: Is equal to. - lt: Is less than. - gt: Is greater than. - len-lt: Has a length less than. - len-eq: Has a length equal to. - len-gt: Has a length greater than. - not-match: Does not match. - match-one: Is equal to one of multiple values. - all-not-match: Is not equal to any of the values. - all-not-contain: Does not contain any of the values. - contain-one: Contains one of multiple values. - not-regex: Does not match the regular expression. - regex: Matches the regular expression. - all-not-regex: Does not match any of the regular expressions. - regex-one: Matches one of the regular expressions. - prefix-match: Matches the prefix. - suffix-match: Matches the suffix. - empty: Is empty. - exists: Exists. - inl: Is in a list. - in-list: Is in an address book. - not-in-list: Is not in an address book. Important Not all logical operators (opValue) can be configured for every match field (key) of an aggregate rate limiting rule. For more information about the logical operators supported by a match field, see the relationship between match fields and logical operators for aggregate rate limiting rules in the WAF console.
values	String	Yes	abc	The match content. Specify the content as needed. Separate multiple values with commas (,). Important The valid values of the logical operator (opValue) and match content (values) parameters are related to the specified match field (key).

Meanings of Chinese region codes

{
    "110000": "Beijing",
    "120000": "Tianjin",
    "130000": "Hebei Province",
    "140000": "Shanxi Province",
    "150000": "Inner Mongolia Autonomous Region",
    "210000": "Liaoning Province",
    "220000": "Jilin Province",
    "230000": "Heilongjiang Province",
    "310000": "Shanghai",
    "320000": "Jiangsu Province",
    "330000": "Zhejiang Province",
    "340000": "Anhui Province",
    "350000": "Fujian Province",
    "360000": "Jiangxi Province",
    "370000": "Shandong Province",
    "410000": "Henan Province",
    "420000": "Hubei Province",
    "430000": "Hunan Province",
    "440000": "Guangdong Province",
    "450000": "Guangxi Zhuang Autonomous Region",
    "460000": "Hainan Province",
    "500000": "Chongqing",
    "510000": "Sichuan Province",
    "520000": "Guizhou Province",
    "530000": "Yunnan Province",
    "540000": "Tibet Autonomous Region",
    "610000": "Shaanxi Province",
    "620000": "Gansu Province",
    "630000": "Qinghai Province",
    "640000": "Ningxia Hui Autonomous Region",
    "650000": "Xinjiang Uygur Autonomous Region",
    "MO_01": "Macao (China)",
    "HK_01": "Hong Kong (China)",
    "TW_01": "Taiwan (China)",
    "CN": "Regions in the Chinese mainland (excluding Hong Kong (China), Macao (China), and Taiwan (China))"
}

Example

{
    "InstanceId": "waf_v2_public_****",
    "TemplateId": 2341,
    "DefenseScene": "spike_throttle",
    "Rules":"[{\"name\":\"test\",\"action\":\"monitor\",\"conditions\":[{\"key\":\"URL\",\"opValue\":\"contain-one\",\"values\":\"abctest,abctest2\"}],\"status\":1,\"type\":\"qps\",\"threshold\":1000,\"cnRegionList\":\"110000,140000\",\"abroadRegionList\":\"AD,AL\"}]"}
}

Protection rules for a specific protected object (resource)

If you set DefenseType to resource, the following rule configurations are available.

Account extraction rules (account_identifier)

You can configure only one extraction configuration for each protected object.

Parameters

Name	Type	Required	Example	Description
accountldentifiers	Array	Yes	[ { "key": "Header","subKey": "header-test", "decodeType": "jwt", "position": "username", "priority": 1 }, { "key": "Post-Arg", "subKey": "body_test", "decodeType": "plain", "priority": 2 } ]	The list of account extraction configurations. You can specify up to five configurations. Each configuration is a JSON string. For more information, see accountIdentifiers parameters.

accountIdentifiers parameters

Name	Type	Required	Example	Description
key	String	Yes	Query-Arg	The position of the field to be extracted. Valid values: Query-Arg, Cookie-Exact, Post-Arg, and Header.
subKey	String	Yes	query-test	The custom sub-match field.
decodeType	String	jwt	query-test	The authentication method. Valid values: - plain: plaintext. - basic: Basic authentication. - jwt: JSON Web Token (JWT) authentication. For JWT authentication, you must specify the account field after decoding (position).
priority	Integer	Yes	1	The match priority of the extraction configuration. A request can match only one extraction policy. Valid values: [0,20]. A smaller value indicates a higher priority. The value cannot be repeated.
position	String	No	account	For JWT authentication, this is the account field after decoding.

Example

{
    "DefenseScene": "account_identifier",
    "Resource": "example.**.com-waf",
    "DefenseType": "resource",
    "InstanceId": "waf_cn****",
    "Rules": "[{\"accountIdentifiers\":[{\"key\":\"Header\",\"subKey\":\"header-test\",\"decodeType\":\"jwt\",\"position\":\"username\",\"priority\":1},{\"key\":\"Post-Arg\",\"subKey\":\"body_test\",\"decodeType\":\"plain\",\"priority\":2}]}]"
}

Custom response rules for a protected object (custom_response)

You can configure only one custom response for each protected object. Response page priority is: rule level > protected object level > default page.

Parameters

Name	Type	Required	Example	Description
blockRuleId	Long	No	1123	The rule ID of the custom block page. This indicates that when the protected object triggers a block, the custom block page is returned.
captchaRuleId	Long	No	1123	The rule ID of the custom slider CAPTCHA page. This indicates that when the protected object triggers a slider CAPTCHA, the custom slider CAPTCHA page is returned.

Example

{
    "DefenseScene": "custom_response",
    "Resource": "example.**.com-waf",
    "DefenseType": "resource",
    "InstanceId": "waf_cn****",
    "Rules": "[{\"blockRuleId\":900000,\"captchaRuleId\":900001}]"
}

Decoding rules for a protected object (waf_codec)

You can configure only one decoding rule for each protected object.

Parameters

Name	Type	Required	Example	Description
codecList	Array	Yes	["comment","space-zip","json","xml","form","multipart","graphql","js-unicode","url","hex","html","php","java","utf7","oct"]	The decoding types to be enabled. Valid values: - url: URL decoding (enabled by default and cannot be canceled). - js-unicode: Unicode decoding (enabled by default and cannot be canceled). - oct: OCT decoding (enabled by default and cannot be canceled). - hex: Hex decoding (enabled by default and cannot be canceled). - comment: comment decoding (enabled by default and cannot be canceled). - space-zip: space decoding (enabled by default and cannot be canceled). - multipart: Multipart parsing. - json: JSON parsing. - xml: XML parsing. - php: PHP deserialization decoding. - html: HTML entity decoding. - utf7: UTF-7 decoding. - base64: Base64 decoding. - form: Form parsing. - gzip: Gzip decompression. - java: Java deserialization decoding. - graphql: GraphQL parsing.

Example

{
    "DefenseScene": "waf_codec",
    "Resource": "example.**.com-waf",
    "DefenseType": "resource",
    "InstanceId": "waf_cn****",
    "Rules": "[{\"codecList\":[\"comment\",\"space-zip\",\"json\",\"xml\",\"form\",\"multipart\",\"graphql\",\"js-unicode\",\"url\",\"hex\",\"html\",\"php\",\"java\",\"utf7\",\"gzip\",\"oct\",\"base64\"]}]"
}

Global protection rules (global)

If you set DefenseType to global, the following rule configurations are available.

Custom regular expression rules (regular_custom)

Parameters

Name	Type	Required	Example	Description
name	String	Yes	ruleTest	The name of the custom regular expression rule. The name can be up to 255 characters in length and can contain letters, digits, underscores (_), periods (.), and hyphens (-).
detectType	String	Yes	sqli	The detection type. Valid values: - sqli: SQL injection. - xss: cross-site scripting (XSS) attacks. - cmdi: OS command injection. - expression_injection: expression injection (including EL, SpEL, and OGNL expressions). - java_deserialization: Java deserialization. - dot_net_deserialization: .NET deserialization. - php_deserialization: PHP deserialization. - code_exec: remote code execution (RCE) (JNDI/XPATH). - ssrf: server-side request forgery (SSRF). - path_traversal: path traversal. - arbitrary_file_uploading: arbitrary file upload. - webshell: webshell. - rfilei: remote file inclusion (RFI). - lfilei: local file inclusion (LFI). - protocol_violation: protocol violation. - scanner_behavior: scanner behavior. - logic_flaw: business logic bug. - arbitrary_file_reading: arbitrary file read. - arbitrary_file_download: arbitrary file download. - xxe: external entity injection. - csrf: cross-site request forgery. - crlf: CRLF. - other: other.
riskLevel	String	Yes	strict	The risk level. Valid values: - super_strict: Super Strict. - strict: Strict. - medium: Medium. - loose: Loose.
description	String	No	Rule description.	The description of the custom regular expression rule.
condition	Array	Yes	[{"key":"IP","opValue":"eq","values":"11.XX.XX.1"},{"key":"Header","subKey":"abc","opValue":"contains","values":"test"}]	The traffic characteristics for the ACL. This is a JSON string that supports up to five match conditions. For more information, see condition parameters.

condition parameters

Name	Type	Required	Example	Description
key	String	Yes	Query-Arg	The custom match field. Valid values: File-Name, Url, Raw-Url, Request-Url, Http-Method, Directory, Query, Raw-Header, Body, Extension, Union-Args, All-Data, All-Keys, Multipart-Keys, Multipart-Values, Header-Keys, Header-Values, Post-Arg-Keys, Post-Arg-Values, Query-Arg-Keys, Query-Arg-Values, Cookie-Keys, Cookie-Values, Header, Query-Arg, Post-Arg, and Multipart.
subKey	String	No	query-test	The custom sub-match field. Important Sub-match fields are supported only if the match field is Header, Query-Arg, Post-Arg, or Multipart.
opValue	String	Yes	contain	The logical operator. Valid values: regex, prefix-match, suffix-match, eq, and contain.
values	String	Yes	abc	The match content. Separate multiple values with commas (,).

Example

{
  "name": "ruleTest",
  "detectType": "sqli",
  "riskLevel": "strict",
  "condition": [{"key": "FileName","opValue": "eq","values": "test"}]
}

Address book (address_book)

Parameters

Name	Type	Required	Example	Description
name	String	Yes	bookTest	The name of the address book. The name can be up to 255 characters in length and can contain letters, digits, underscores (_), periods (.), and hyphens (-).
valueType	String	Yes	ip	The type of the address book. Valid value: - ip: an IP address book.
description	String	No	addressbookTest	The description of the address book.

Example

{
  "name": "bookTest",
  "valueType": "ip",
  "description": "addressbookTest"
}

Custom response rules (custom_response)

Parameters

Name	Type	Required	Example	Description
name	String	Yes	test	The name of the custom response rule. The name can be up to 255 characters in length and can contain letters, digits, underscores (_), periods (.), and hyphens (-).
action	String	Yes	block	The action of the protection rule. Valid values: - block: Block. - captcha: slider CAPTCHA.
responseCode	Integer	No	400	The specified response code. - This parameter is required for custom block page rules. - This parameter is not supported for custom slider CAPTCHA page rules. The default value is 200.
responseHeaders	Array	No	[{"key":"custom","value":"123"},{"key":"aaaa","value":"2223"}]	The list of custom response headers. This is a JSON string. key is the header field and value is the header value.
designType	String	No	custom	The type of the response configuration. This parameter is required only if you set action to captcha. Valid values: - custom: custom configuration. - preDefine: predefined configuration.
responseContent	String	No	helloworld	The content of the custom response. This parameter is required for custom slider CAPTCHA or block pages.
preDefineContent	Array	No	[{"language":"cn","title":"test","description":"desc","captchaColor":"#FFFF","showTraceId":false},{"language":"en","title":"titel","description":"desc","captchaColor":"#FFFF","showTraceId":false}]	The content of the predefined configuration. This parameter is required if you set designType to preDefine. Otherwise, it is not required. For more information, see Predefined parameters.

Predefined parameters

Name	Type	Required	Example	Description
language	String	Yes	en	The language configuration. Valid values: - en: English. - cn: Chinese.
icon	String	Yes	https://img.alicdn.com/imgextra/i1/O1CN01L12MaQ1ZwfYKk7Yrc_!!6000000003259-2-tps-900-594.png	The icon. The path must be accessible over the Internet.
title	String	Yes	test_title	The title of the custom slider CAPTCHA page.
description	String	Yes	For better experience, please slide to complete the verification process before accessing the web page.	The description of the custom slider CAPTCHA page.
captchaColor	String	Yes	#ff6a00	The color of the slider CAPTCHA.
showTraceId	boolean	Yes	true	Specifies whether to display the log ID. Valid values: - true: displays the log ID on the slider CAPTCHA page. - false: does not display the log ID on the slider CAPTCHA page.

Custom block page configuration example

{
  "name": "test",
  "action": "block",
  "responseContent": "helloworld",
  "responseCode": 401,
  "responseHeaders": [{"key":"t1","value":"v1"}],
}

Predefined slider CAPTCHA page configuration example

{
"name": "test",
"designType": "preDefine",
"action": "captcha",
"responseHeaders": [
    {
    "key": "Content-Type",
    "value": "text/html"
    }
],
"preDefineContent": [
    {
    "language": "en",
    "icon": "https://img.alicdn.com/imgextra/i1/O1CN01L12MaQ1ZwfYKk7Yrc_!!6000000003259-2-tps-900-594.png",
    "title": "Access Verification-custom",
    "description": "For better experience, please slide to complete the verification process before accessing the web page.",
    "captchaColor": "#ff6a00",
    "showTraceId": true
    }
]
}

Response elements

Element	Type	Description	Example
	object	Returns the object structure.
RequestId	string	The request ID.	26E46541-7AAB-5565-801D-F14DBDC5****
RuleIds	string	The IDs of the created protection rules, separated by commas (,).	22215,23354,462165

Examples

Success response

JSON format

{
  "RequestId": "26E46541-7AAB-5565-801D-F14DBDC5****",
  "RuleIds": "22215,23354,462165"
}

Error codes

HTTP status code	Error code	Error message	Description
400	Defense.Control.DefenseWhitelistBypassRuleNotExist	The whitelist protection rule does not exist.	The whitelist protection rule does not exist. Rule ID:%s.
400	Defense.Control.DefenseWhitelistConfigInvalid	The whitelist rule is misconfigured.	Error configuring whitelist rule: %s.
400	Defense.Control.DefenseBookTypeInvalid	The address book type is illegal.	The address book type is illegal.
400	Defense.Control.DefenseThreatIntelligenceConfigInvalid	Threat Intelligence Rule configuration error.	Threat Intelligence Rule configuration error. %s
400	Defense.Control.DefenseIpCountOversize	The number of IPs exceeds the limit.	The number of IPs exceeds the limit.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.