All Products
Document Center

Web Application Firewall:What is WAF?

Last Updated:May 08, 2024

Web Application Firewall (WAF) is a security solution that protects web applications from malicious traffic and attacks. WAF monitors all incoming traffic to web applications, compares incoming requests against preconfigured rules that identify malicious patterns or anomalies, and allows only legitimate traffic to pass through to the web applications. This helps ensure the business security and data security of the web applications.




Service configuration

WAF protects websites by monitoring and filtering HTTP and HTTPS traffic.

Web application protection

Protection against common web application attacks

  • Protection for web applications against the following common Open Web Application Security Project (OWASP) attacks: SQL injection attacks, cross-site scripting (XSS) attacks, webshell uploads, backdoor attacks, command injection attacks, illegal HTTP requests, common web server vulnerabilities, cross-site request forgery (CSRF) attacks, unauthorized access to core files, path traversals, and website scanning.

  • Hiding of origin IP addresses: WAF hides origin IP addresses. This prevents attackers from bypassing WAF to attack origin servers.

  • Regular and prompt patching of zero-day vulnerabilities: WAF provides patches at the earliest opportunity to protect websites.

  • User-friendly monitoring mode: You can enable this mode to monitor new website services. WAF sends an alert when suspicious traffic that matches specified protection rules is detected. WAF does not block the traffic due to the possibility of false positives.

Precise protection

  • WAF can parse HTTP data in common formats. The HTTP data includes header, form, multipart, JSON, and XML data.

  • WAF can decode data that is encoded by using the following methods: URL encoding, JavaScript Unicode encoding, HEX encoding, HTML entity encoding, Java serialization encoding, PHP serialization encoding, Base64 encoding, UTF-7 encoding, UTF-8 encoding, and nested encoding.

  • WAF can preprocess data to provide more fine-grained and accurate data sources for detection engines at the upper layer. The preprocessing mechanisms include space compression, comment pruning, and special character processing.

  • WAF can detect data in complex formats. WAF supports complex detection logic to prevent false positives caused by excessive detection operations. This helps reduce the false positive rate. WAF also supports adaptive decoding of data encoded in different formats to prevent bypassing.

Protection against HTTP flood attacks

  • WAF limits the frequency of requests from a specific IP address by using various methods, such as CAPTCHA verification and redirection for authentication.

  • To protect against a large number of slow HTTP attacks, WAF executes precise protection rules based on statistical data, such as the distribution of status codes, distribution of requested URLs, and identification of abnormal HTTP Referer headers and User-Agent characteristics.

  • WAF takes full advantage of Alibaba Cloud big data security solutions to build analysis models for threat intelligence and trusted access. The models can be used to identify malicious requests.

Fine-grained access control

  • In the WAF console, you can use a combination of different HTTP fields, such as the IP, URL, Referer, and User-Agent fields, to configure protection rules and implement fine-grained access control. You can also configure custom protection rules to provide protection in various scenarios, such as hotlink protection and website backend protection.

  • This module can be used together with other security modules, such as web security and HTTP flood protection, to build a multi-layer protection architecture. This way, WAF can differentiate between trusted and malicious traffic in a fine-grained manner.

Virtual patching

Before the patches for web application vulnerabilities are released or installed, you can adjust web protection rules to protect your services against new vulnerabilities.

Attack event management

WAF allows you to manage attack events based on statistical data, such as attack events, attack traffic, and attack scales.

Flexibility and reliability

  • Load balancing: WAF can provide services in cluster mode. WAF uses multiple servers to balance loads and supports different scheduling algorithms.

  • Smooth and elastic scaling: You can add servers to or remove servers from a cluster to adjust the WAF service capability based on your business requirements.

  • Elimination of single points of failure (SPOFs): If a WAF node fails or is being repaired, WAF can continue to provide services.

For more information, visit the product page of Web Application Firewall.




More than 10 years of web security experience

  • WAF is developed based on more than 10 years of web security experience within the Alibaba Group and provides the same security protection enjoyed by Tmall, Taobao, Alipay, and other well-known applications.

  • A professional security team provides security services for you.

  • WAF defends against known OWASP vulnerabilities and constantly fixes known vulnerabilities.

Protection against HTTP flood and crawler attacks

  • WAF mitigates HTTP flood attacks.

  • WAF defends against web crawlers to prevent excessive network resource consumption.

  • WAF detects and blocks malicious requests that may affect availability, compromise response latency, or consume excessive bandwidth, database, SMS, or API resources.

  • WAF allows you to configure custom protection rules for various business scenarios.

Integration with big data capabilities

  • WAF can defend against hundreds of millions of attacks every day.

  • WAF provides an IP address library that contains a large number of IP addresses.

  • WAF analyzes a wide range of real cases to obtain the patterns, methods, and signatures of various common network attacks.

  • WAF is continuously integrated with advanced technologies for big data analytics.

Ease of use and reliability

  • You can activate and configure WAF within 5 minutes.

  • You do not need to install software or hardware or adjust routing configurations.

  • Protection clusters are used to prevent SPOFs and redundancy.

  • WAF provides high traffic processing performance.


WAF is suitable for all users on and outside Alibaba Cloud. WAF helps protect web applications in various industries such as finance, e-commerce, online-to-offline (O2O), Internet Plus, gaming, public services, and insurance.


You can add domain names or cloud service instances to WAF. You cannot add IP addresses to WAF.

How to use WAF


For more information, see Get started with WAF 3.0.

Relationship between RASP and WAF

Runtime Application Self-Protection (RASP) is a security technology that is integrated within the application itself and provides protection by monitoring the behavior and data flow of the application at runtime. For more information, see Application protection.

RASP and WAF are complementary technologies that have their own advantages in specific business and security protection scenarios. For example, RASP is more suitable for scenarios that involve encrypted traffic and the exploitation of unknown vulnerabilities such as zero-day vulnerabilities. WAF is more suitable for threat prevention, such as network access control, region blacklist, HTTP flood protection, and crawler attack defense. To enhance the security of your applications, we recommend that you use RASP together with WAF to reduce the risk of application intrusion, data leaks, and service unavailability. RASP is integrated within the application itself and provides protection at runtime, while WAF is deployed on the network perimeter and provides protection by inspecting web traffic. RASP and WAF technologies can complement each other and provide multiple layers of security for web applications.

Compliance certificates

WAF passed the following authoritative certifications: ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 29151, BS 10012, Cloud Security Alliance (CSA) STAR certification, Cybersecurity in China Multi-level Protection Scheme (MLPS 2.0) Level III, Service Organization Control (SOC) 1, 2, and 3, Cloud Computing Compliance Controls Catalog (C5), Green Finance Certification Scheme developed by Hong Kong Quality Assurance Agency (HKQAA), Outsourced Service Providers Audit Report (OSPAR), and Payment Card Industry Data Security Standard (PCI DSS).