Account security uses real-time risk scoring to block credential stuffing, brute-force attacks, and bot registration. It extracts identity identifiers such as account names, phone numbers, and email addresses from HTTP request fields (Query, Body, Header, Cookie) to build unified user profiles. Without manual rule configuration, the feature automatically protects registration and logon scenarios.
Advantages
- Intelligent scoring: Built-in rules calculate real-time risk scores from device, network, and account data to quantify threats and automate security decisions.
- Bot detection:
  - Interaction anomaly detection: Detects millisecond-level input and high-frequency copy-paste typical of automated scripts.
  - Fingerprint forgery detection: Detects forged traffic where the User-Agent conflicts with the actual environment parameters.
  - Resource abuse protection: Blocks flood requests from a single device or IP address that is linked to many accounts.
- Profile deviation detection:
  - Environment oscillation detection: Detects proxy pool attacks that rapidly switch IP addresses, User-Agents, or geographic locations.
  - Baseline deviation analysis: Flags anomalous logons by comparing current activity against the user's historical profile, such as unfamiliar devices, networks, or behavior patterns that diverge from group norms.
- Automated bot registration prevention: Detects bot registrations, fake email addresses, and cloud network traits to block malicious account creation and protect platform user quality.
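To make two of these signals concrete, the following is an added example that is not part of this documentation or of the WAF product: simple heuristics over constructed logon events for "a single IP linked to many accounts" (resource abuse) and "an account that rapidly switches IP address and User-Agent" (environment oscillation). The event format, the 60-second windows, and the thresholds are assumptions chosen for illustration; WAF's own scoring rules are not published on this page.

```python
"""Added example (not WAF's code): two account-security signals implemented as
heuristics over constructed logon events. Event format, windows and thresholds
are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    ts: int          # Unix time in seconds
    account: str     # identity identifier extracted from the request
    ip: str          # client IP address
    ua: str          # User-Agent (abbreviated)
    success: bool    # outcome derived from the asset's success/failure conditions


# Constructed sample events (RFC 5737 documentation addresses, not real traffic).
EVENTS = [
    # One IP cycling through five accounts in four seconds: credential stuffing.
    LogonEvent(1000, "alice", "203.0.113.10", "UA-Chrome", False),
    LogonEvent(1001, "bob",   "203.0.113.10", "UA-Chrome", False),
    LogonEvent(1002, "carol", "203.0.113.10", "UA-Chrome", False),
    LogonEvent(1003, "dave",  "203.0.113.10", "UA-Chrome", True),
    LogonEvent(1004, "erin",  "203.0.113.10", "UA-Chrome", False),
    # A normal user returning later from the same device and network.
    LogonEvent(1100, "frank", "198.51.100.7", "UA-Firefox", True),
    LogonEvent(5000, "frank", "198.51.100.7", "UA-Firefox", True),
    # One account hopping across a proxy pool, changing IP and UA on each try.
    LogonEvent(1200, "mallory", "192.0.2.1", "UA-Chrome", False),
    LogonEvent(1201, "mallory", "192.0.2.2", "UA-Safari", False),
    LogonEvent(1202, "mallory", "192.0.2.3", "UA-Edge",   False),
    LogonEvent(1203, "mallory", "192.0.2.4", "UA-Chrome", True),
]


def _windows(events, key, window_s):
    """Group events by key(event) and yield (key, events within the trailing
    window_s seconds) once per event, in time order."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        groups[key(e)].append(e)
    for k, evs in groups.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            yield k, evs[start:end + 1]


def accounts_per_ip(events, window_s=60, max_accounts=3):
    """Resource abuse: IPs that touched more than max_accounts distinct accounts
    within one window. Returns {ip: set_of_accounts} for the widest window seen."""
    flagged = {}
    for ip, window in _windows(events, lambda e: e.ip, window_s):
        accounts = {e.account for e in window}
        if len(accounts) > max_accounts and len(accounts) > len(flagged.get(ip, ())):
            flagged[ip] = accounts
    return flagged


def oscillating_accounts(events, window_s=60, max_envs=2):
    """Environment oscillation: accounts seen from more than max_envs distinct
    (ip, ua) environments within one window. Returns {account: n_envs}."""
    flagged = {}
    for acct, window in _windows(events, lambda e: e.account, window_s):
        envs = {(e.ip, e.ua) for e in window}
        if len(envs) > max_envs:
            flagged[acct] = max(len(envs), flagged.get(acct, 0))
    return flagged


if __name__ == "__main__":
    print("IPs linked to many accounts:", accounts_per_ip(EVENTS))
    print("accounts oscillating across environments:", oscillating_accounts(EVENTS))
```

Both heuristics use the account identifier and the logon outcome, which is exactly what the API asset in Step 1 tells WAF how to obtain; if the extraction rule or the success/failure conditions are wrong, signals like these degrade to plain per-IP rate limiting.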
Apply for public preview
Account security is in public preview. To request access:
- Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of the WAF instance.
- In the left-side navigation pane, select , and then click Request Public Preview.
- Complete and submit the application form. A staff member will follow up.
Enable account security
Prerequisites
Verify the following before you begin:
- Your web business is connected to WAF as a protected object. If it is not yet connected, see Connect to WAF.
- (Recommended) Configure Bot Management and integrate its SDK for your protected objects. Account security depends on the SDK module for client-side signals; without the Bot Management SDK, detection capabilities may be reduced.
Step 1: Create an API asset
Create an API asset and configure identity credential extraction rules.
- Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of the WAF instance. In the left-side navigation pane, select . On the API Asset Management tab, click Add Asset.
- Configure the basic API information:
  - API Name: Enter a descriptive name for the asset.
  - Domain Name and URL Path: Enter the domain and path of the registration or logon interface. For example, for https://example.com/login:
    - Domain Name: example.com
    - URL Path: /login
    Note: To configure multiple interfaces on the same protected object, repeat the Add Asset step for each interface.
  - HTTP Request Method: Supported methods are POST, GET, and PUT.
- Set the API purpose. Supported scenarios are Registration and Logon. Registration supports single-step registration only.
  - Registration: Configure the extraction locations for the Phone Number, Username, and Email fields. WAF extracts each field from query parameters, cookie names, body parameters, or headers. When you select Can Be Used for Logon, WAF uses the selected fields (email, phone number, or username) as identity identifiers to link different logon credentials to the same user.
  - Logon: Configure the extraction location for the Account field. WAF extracts it from query parameters, cookie names, body parameters, or headers.
- Configure success and failure conditions: In the Success Conditions and Failure Conditions sections, define rules that determine the outcome of a request based on HTTP Status Code and Response Body. Click Add Condition to add conditions. All conditions within a section are combined with AND logic. Choose conditions that actually distinguish the two outcomes for your application; for example, if the logon interface returns HTTP 200 for both a successful and a failed logon, distinguish them by a field in the response body.
- Associate with Protected Object: Select a protected object that is already connected to WAF.
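The following is an added example, not WAF's own code, showing what the asset definition above means when applied to a concrete request and response: an account field extracted from one of the four supported locations (query, header, cookie, body), and success/failure conditions on the status code and response body evaluated with AND logic. The rule schema, the JSON field names (username, code), and the sample request and responses are assumptions made for illustration.

```python
"""Added example (not WAF's code): applying an API asset's extraction rule and
success/failure conditions to a concrete logon request and response. The rule
schema, field names and sample messages are assumptions."""
import json
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)  # lowercase header names
    body: bytes = b""


def extract_field(req, location, name):
    """Return the named field from one of the four extraction locations
    the asset lets you choose (query, header, cookie, body), or None."""
    if location == "query":
        return parse_qs(urlsplit(req.url).query).get(name, [None])[0]
    if location == "header":
        return req.headers.get(name.lower())
    if location == "cookie":
        jar = SimpleCookie()
        jar.load(req.headers.get("cookie", ""))
        return jar[name].value if name in jar else None
    if location == "body":
        if req.headers.get("content-type", "").startswith("application/json"):
            return json.loads(req.body or b"{}").get(name)
        return parse_qs(req.body.decode()).get(name, [None])[0]  # form-encoded
    raise ValueError(f"unknown extraction location: {location}")


# Assumed asset definition for https://example.com/login (purpose: Logon).
LOGIN_ASSET = {
    "domain": "example.com",
    "path": "/login",
    "method": "POST",
    "account": ("body", "username"),   # Account field: body parameter "username"
    # Each condition is (subject, operator, value). A section matches only if
    # ALL of its conditions hold (AND logic). Both responses use HTTP 200 here,
    # so the body field "code" is what separates success from failure.
    "success": [("status", "equals", "200"), ("body", "contains", '"code":0')],
    "failure": [("status", "equals", "200"), ("body", "contains", '"code":1001')],
}


def asset_matches(asset, req):
    """Does the request hit the asset's domain, URL path and method?"""
    u = urlsplit(req.url)
    return (req.method == asset["method"]
            and u.hostname == asset["domain"]
            and u.path == asset["path"])


def conditions_match(conditions, status, body):
    """AND over all conditions in one section."""
    for subject, op, value in conditions:
        actual = str(status) if subject == "status" else body
        if op == "equals" and actual != value:
            return False
        if op == "contains" and value not in actual:
            return False
    return True


def classify_outcome(asset, status, body):
    """'success', 'failure', or 'unknown' when neither section matches."""
    if conditions_match(asset["success"], status, body):
        return "success"
    if conditions_match(asset["failure"], status, body):
        return "failure"
    return "unknown"


# Constructed sample request: a JSON logon over the asset's interface.
SAMPLE_REQUEST = Request(
    "POST",
    "https://example.com/login?src=app",
    {"content-type": "application/json", "cookie": "sid=abc123", "x-device-id": "dev-1"},
    b'{"username": "alice", "password": "not-a-real-password"}',
)

if __name__ == "__main__":
    print("asset matches:", asset_matches(LOGIN_ASSET, SAMPLE_REQUEST))
    print("account:", extract_field(SAMPLE_REQUEST, *LOGIN_ASSET["account"]))
    print("outcome:", classify_outcome(LOGIN_ASSET, 200, '{"code":0,"msg":"ok"}'))
```

Note that in this example an empty condition section matches every response (an AND over no conditions is vacuously true), so both sections are defined; when you configure the asset in the console, check that the conditions you enter discriminate between the real success and failure responses of your interface.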
Step 2: Configure a protection policy
Configure a protection policy for the API asset.
- In the left-side navigation pane, select . On the Policy Configuration tab, click Create Template.
- Specify a Template Name and Template Description.
- Configure Risk Level Policy Configuration:
  - In the Match Condition section, specify the request characteristics to match. Up to five conditions are supported, combined with AND logic.
  - In the Risk Score Threshold section, define the score range for each risk level and the corresponding Rule Action. The available Rule Action options are:
    - JavaScript Validation: WAF returns a JavaScript challenge to the client. Standard browsers execute it automatically. On success, WAF allows all requests from that client for 30 minutes (default). On failure, requests are blocked.
    - Block: WAF blocks matching requests and returns a block page.
    - Log: WAF logs matching requests without blocking them. Use Log during testing to analyze the WAF logs and confirm that there are no false positives before switching to another action.
    - CAPTCHA: WAF returns a slider verification page. On success, WAF allows all requests from that client for 30 minutes (default). On failure, requests are blocked.
    - Strict CAPTCHA: WAF returns a slider verification page. The client must pass verification for every matching request.
    - Origin Custom Header: WAF adds a custom header carrying the match details (rule type, rule ID, account, risk score) to requests forwarded to the origin server, so that your backend can apply its own risk control. Because any client that can reach the origin directly could set such a header itself, the origin should only trust it on requests that arrive through WAF.
    Note: When Rule Action is Block, CAPTCHA, or Strict CAPTCHA, WAF returns the default response page. Use Custom Response to customize it.
- Set the effective scope: In the Protected Assets section, select the API asset created in Step 1 as the policy target.
What to do next
Query matched requests in Protection Logs.
Manage assets and policies
Manage API assets
- View assets: On the API Asset Management tab, view all created assets. Search by protected object, API asset, or API name.
- Edit an asset: Find the asset and click Edit in the Actions column to modify its API purpose and request conditions.
- Delete an asset: Find the asset and click Delete in the Actions column. The asset is no longer protected after deletion.
Manage protection policies
- View policies: On the Policy Configuration tab, view all created policies. Search by asset, protection rule ID, or template name.
- Edit a policy: Find the policy and click Edit in the Actions column. Use the Status column to enable or disable the policy.
- Clone a policy: Find the policy and click Copy in the Actions column.
- Delete a policy: Find the policy and click Delete in the Actions column. The associated assets are no longer protected after deletion.