How to configure API security policies - Web Application Firewall

API Security lets you configure built-in and custom policies across nine areas: risk detection, security events, sensitive data, authentication credentials, business purposes, allowlists, lifecycle management, log subscriptions, and effective objects. These policies improve detection accuracy, reduce false positives, and help you respond to threats against your API assets.

Key concepts

Concept	Description
Risk	A vulnerability in an API caused by defects in development, management, or configuration. A risk does not mean an attack has occurred.
Security event	An abnormal call or attack on an API, such as a brute-force attack on a login API or a message flooding attack on an SMS API.

1. Risk detection configuration

Built-in risk detection policies cover common vulnerability categories. For each built-in policy, you can enable or disable it and set its risk level to Low, Medium, or High.

In addition to built-in policies, you can create up to 20 custom risk detection policies.

Create a custom risk detection policy

On the API Security page, go to Policy Configurations > Risk Detection Configurations.
In the Custom Policy section on the left, click New.

In the panel that appears, configure the following parameters.

Parameter	Description
Risk status	Set the policy status. The default value is On.
Risk name	Set a name for the custom risk. The name can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).
Suggestions	Set the recommended action for the custom risk policy based on your business needs.
Risk level	Set the risk level. Valid values: Low, Medium, and High.
Check configurations	Set the detection conditions. You can add up to 10 conditions.

Click OK.

Match content for Risk Detection Configurations is case-sensitive. You can enter up to 50 values per field. Press Enter after each value.

Detection condition reference

The following table lists all supported match fields and their logical operators.

Match field	Sub-condition	Logical operators	Match content
Domain Name	Not supported	Is one of / Contains no value / Is one of (exact match) / Is not one of (exact match)	Enter up to 50 values. Press Enter after each value.
API	Not supported	Is one of / Is not one of / Is one of (exact match) / Is not one of (exact match)	Enter up to 50 values. Press Enter after each value.
Request Method	Not supported	Is one of (exact match) / Is not one of (exact match)	Select one or more methods: GET, POST, DELETE, PUT.
User-Agent	Not supported	Can be one of / Contains no value / Is one of (exact match) / Is not one of (exact match)	Enter up to 50 values. Press Enter after each value.
Referer	Not supported	Contains one or more values / Contains no value / Is one of (exact match) / Is not one of (exact match)	Enter up to 50 values. Press Enter after each value.
Communication Protocol	Not supported	Equals	Select HTTP or HTTPS.
Request Content-Type	Not supported	Is one of / Contains no value	Enter up to 50 values. Press Enter after each value.
Request Length	Not supported	Equals / Is less than / Is greater than	Enter an integer from 0 to 8192.
Response Content-Type	Not supported	Is one of / No value	Enter up to 50 values. Press Enter after each value.
Response Length	Not supported	Equals / Is less than / Is greater than	Enter an integer from 0 to 8192.
HTTP Status Code	Not supported	Is one of (exact match) / Is not one of (exact match)	Enter up to 50 values. Press Enter after each value.
Request Header	Custom Header	Exists / Does not exist / Length is / Length is less than / Length is greater than / Is one of / Contains no value	—
Cookie Parameter	Custom Cookie-Exact	Exists / Does not exist / Length is / Length is less than / Length is greater than / Is one of / Contains no value	—
GET Parameter	Custom Parameter	Exists / Does not exist / Length is / Length is less than / Length is greater than / Is one of / Is not one of	—
POST Parameter	Custom Post-Arg	Exists / Does not exist / Length is / Length is less than / Length is greater than / Contains one or more values / Is not one of	—
Response Header	Response Header	Exists / Does not exist / Length is / Length is less than / Length is greater than / Is one of / Contains no value	—
Response Parameter	Response Parameter	Exists / Does not exist / Length is / Length is less than / Length is greater than / Is one of / Contains no value	—
Purpose	Not supported	Is one of / Contains no value	Select one or more business purposes. For available types, see How API Security classifies API business purposes.
Service Object	Not supported	Contains any of / Contains no value	Select one or more service objects. For available types, see How API Security classifies API service objects.
Authentication	Not supported	Is	YES or NO
Request Sensitive Data Type	Not supported	Contains any of / Contains no value / Number of types is greater than	Select one or more sensitive data types. For the "number of types is greater than" condition, enter an integer from 0 to 8192.
Sensitivity Level of Request Sensitive Data	Not supported	Contains any of / Contains no value	Select one or more levels from S1 to S4.
Response Sensitive Data Type	Not supported	Contains any of / Is not one of / Number of types is greater than	Select one or more sensitive data types. For the "number of types is greater than" condition, enter an integer from 0 to 8192.
Sensitivity Level of Response Sensitive Data	Not supported	Contains any of / Is not one of	Select one or more levels from S1 to S4.
Response Sensitive Data	Select one or more response sensitive data types.	Count is greater than	Enter an integer from 0 to 8192.
Source Location	Not supported	Equals	CN / NOT-CN
IP	Not supported	Belongs to / Does not belong to	Enter an IP address or CIDR block (for example, 1.1.X.X/24). Regular expressions are not supported. Enter up to 50 values, separated by commas or Enter.
Account (security events only)	Not supported	Is one of (exact match) / Is not one of (exact match)	Enter up to 50 values. Press Enter after each value.

2. Security event configuration

Built-in security event policies detect attacks based on IP address and account dimensions. When a built-in policy triggers an alert, subsequent attacks of the same type update the attack time of the original alert rather than generating a new alert. The alert level may change based on factors such as attack volume.

Built-in policies are read-only. You cannot edit or delete them.

In addition to built-in policies, you can create up to 10 custom security event policies.

Create a custom security event policy

On the API Security page, go to Policy Configurations > Security Event Configurations.
In the Custom Policy section on the left, click New.

In the panel that appears, configure the following parameters.

Parameter	Description
Event status	Set the policy status. The default value is On.
Event name	Set a name for the custom event. The name can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).
Suggestions	Set the recommended action based on your business needs.
Event level	Set the risk level. Valid values: Low, Medium, and High.
Match condition	Set the detection conditions. You can add up to 10 conditions. If you define multiple conditions, a rule is triggered only when all conditions are met.
Rate limiting	Set Statistical Object to IP or Account. Set Statistical Period in minutes, with a maximum of 15 minutes. Set Requests to a positive integer.
Data statistics	Set statistical conditions. You can add up to 10 conditions.

Click OK.

Match content for Security Event Configurations is case-sensitive. You can enter up to 50 values per field. Press Enter after each value.

For match condition fields and operators, see the detection condition reference in the risk detection section.

Data statistics condition reference

Match field	Sub-condition	Logical operators	Match content
Status Code Statistics	Status code (integer from 100 to 600)	Value greater than	Enter an integer from 0 to 8192.
Request Header	Custom Header	Distinct less than / Distinct equals / Distinct greater than	Enter an integer from 0 to 8192.
Cookie Parameter	Custom Cookie-Exact	Distinct less than / Distinct equals / Distinct greater than	Enter an integer from 0 to 8192.
GET Parameter	Custom Parameter	Distinct less than / Distinct equals / Distinct greater than	Enter an integer from 0 to 8192.
POST Parameter	Custom Post-Arg	Distinct less than / Distinct equals / Distinct greater than	Enter an integer from 0 to 8192.
Response Sensitive Data Type	Select one or more response sensitive data types.	Distinct less than / Distinct equals / Distinct greater than	Enter an integer from 0 to 8192.
Sensitivity Level of Response Sensitive Data	Select one or more response sensitive data levels.	Distinct greater than	Enter an integer from 0 to 8192.
Source IP Count	Set the value for source IP count statistics.	Value greater than	Enter an integer from 0 to 8192.

3. Sensitive data configuration

On the Sensitive Data-related Configurations tab of the Policy Configurations page, you can search, filter, and view sensitive data policies.

Data masking

The De-identification Display switch controls whether sensitive data is masked in the console. It is disabled by default.

When enabled, the following data is masked:

In Risk Details and API Details: sensitive data in all request and response sample fields is replaced with a placeholder such as {{Phone}}.
In Event Details: request and response data samples that contain sensitive data are masked as {}.
In sample information: Request Cookie is masked as {{Cookie}}, a Request Header containing a token is masked as {{XXXToken}}, and Response Set-Cookie is masked as {{SetCookie}}.

Masking applies as follows:

Risk Details and API Details: applies only to new request and response data samples.
Event Details: applies to both new and existing request and response data samples.

Built-in policies

Built-in sensitive data policies are read-only. You can enable or disable them, but cannot edit or delete them.

Create a custom sensitive data policy

If your business uses custom sensitive data types, create custom detection rules. You can create up to 20 custom policies.

On the API Security page, go to Policy Configuration > Sensitive Data-related Configurations.
Click Create Policy.

In the panel that appears, configure the following parameters. You can use Basic mode or Expert mode.

Parameter	Description
Name	Set a name for the rule. The name can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).
Mode	Basic: Provides a simple interface. Set Characters (one or more character types: digits, uppercase letters, lowercase letters) and Length (range: 6–64, integer start and end values). Expert: Supports regular expressions. Enter a regular expression for detection. To avoid false positives, make sure the expression matches at least 6 characters.
Sensitivity level	Set the sensitivity level. Valid values: S1, S2, S3, and S4. For details, see What sensitive data can API Security detect.

Click OK.

4. Authentication credential configuration

If your APIs use non-standard fields or fields with weak naming patterns (such as all-numeric names) for authentication, built-in credential detection may miss them. Create custom authentication credential policies to specify the parameter names that carry credentials. This improves the accuracy of unauthenticated risk detection.

Create a custom authentication credential policy

On the API Security page, go to Policy Configuration > Authentication Credential Configurations.
Click Create Policy.

Configure the following parameters, then click OK.

Parameter	Description
Name	Set a name for the policy. The name can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).
Match condition	Each condition consists of a Match Field, a Logical Operator, and Match Content. Add up to 10 conditions, including at least one for Request Header, Request Cookie, Request Query, or Request Body. If you define multiple conditions, a rule is triggered only when all conditions are met.

Match content for Authentication Credential Configurations is case-sensitive. You can enter up to 50 values per field. Press Enter after each value.

Match condition reference

Match field	Sub-condition	Logical operators
Domain Name	Not supported	Contains one of multiple values / Does not contain any value / Equals one of multiple values / Does not equal any value
API	Not supported	Contains one of multiple values / Does not contain any value / Equals one of multiple values / Does not equal any value
Request Header	Custom Header	Exists / Length equal to / Length less than / Length greater than
Request Cookie	Custom Cookie-Exact	Exists / Length equal to / Length less than / Length greater than
Request Query	Custom Parameter	Exists / Length equal to / Length less than / Length greater than
Request Body	Custom Post-Arg	Exists / Length equal to / Length less than / Length greater than

5. Business purpose configuration

Business purpose policies classify APIs by their function—for example, login, registration, SMS sending, or file download. Accurate classification improves detection in business-specific scenarios.

API Security provides two types of business purpose policies:

Built-in policies: Cover common scenarios such as data updates, data sharing, text message sending, and information sending. You can enable or disable built-in policies, but cannot modify or delete them.
Custom policies: Let you define custom URL and parameter name patterns for scenarios not covered by built-in policies.

Create a custom business purpose policy

On the API Security page, go to Policy Configuration > Business Purpose.
Click the Custom Policy tab, then click Create Policy.
Configure the match conditions, then click OK.

Match content for Business Purpose is case-sensitive. You can enter up to 50 values per field. Press Enter after each value.

Match condition reference

Match field	Logical operators	Match content
Domain Name	Contains one of multiple values / Does not contain any value / Equals one of multiple values / Does not equal any value	Enter up to 50 values. Press Enter after each value.
API	Contains one of multiple values / Does not contain any value / Equals one of multiple values / Does not equal any value	Enter up to 50 values. Press Enter after each value.
Request Header Parameter Name	Contains one of multiple values / Equals one of multiple values	Enter up to 50 values. Press Enter after each value.
Request Cookie Parameter Name	Contains one of multiple values / Equals one of multiple values	Enter up to 50 values. Press Enter after each value.
Request Query Parameter Name	Contains one of multiple values / Equals one of multiple values	Enter up to 50 values. Press Enter after each value.
Request Body Parameter Name	Contains one of multiple values / Equals one of multiple values	Enter up to 50 values. Press Enter after each value.
Request Sensitive Data Type	Equals one of multiple values / Does not equal any value	Select one or more request sensitive data types.
Response Sensitive Data Type	Equals one of multiple values / Does not equal any value	Select one or more response sensitive data types.
Response Parameter Name	Contains one of multiple values / Equals one of multiple values	Enter up to 50 values. Press Enter after each value.

6. Allowlist configuration

Allowlists let you suppress alerts from known-safe sources—for example, traffic from your office network's egress IP address. You can create allowlists for risk detection and security events separately.

Create an allowlist policy

On the API Security page, go to Policy Configuration > Configure Whitelist.
Click Create Policy, enter a name, and select the feature type: Risk Detection or Security Events.
Set match conditions based on the feature type, then select the risk or event types to ignore, and click OK.

You can add up to 10 match conditions. Match conditions for Configure Whitelist are case-sensitive. You can select multiple built-in and custom types to ignore.

Risk detection allowlist match conditions

Match field	Logical operators	Match content
Domain Name	Contains one of multiple values / Does not contain any value / Equals one of multiple values / Does not equal any value	Enter up to 50 values. Press Enter after each value.
API	Contains one of multiple values / Does not contain any value / Equals one of multiple values / Does not equal any value	Enter up to 50 values. Press Enter after each value.

Security event allowlist match conditions

Match field	Logical operators	Match content
Domain Name	Contains one of multiple values / Does not contain any value / Equals one of multiple values / Does not equal any value	Enter up to 50 values. Press Enter after each value.
API	Contains one of multiple values / Does not contain any value / Equals one of multiple values / Does not equal any value	Enter up to 50 values. Press Enter after each value.
IP	Belongs to / Does not belong to	Enter an IP address or CIDR block (for example, 1.1.X.X/24). Regular expressions are not supported. Enter up to 50 values, separated by commas or Enter.
Account	Contains one of multiple values / Does not contain any value / Equals one of multiple values / Does not equal any value	Enter up to 50 values. Press Enter after each value.

7. Lifecycle management

API lifecycle management lets you define what counts as an inactive API, so you can identify and act on APIs that are no longer actively used. Inactive APIs can be exploited if left unaddressed.

Configure inactive API criteria

On the API Security page, go to Policy Configuration > Lifecycle Management.
Set the criteria for inactive APIs, then click OK.
- Built-in model: An API is considered inactive if it has not been accessed or its access volume has dropped significantly over the past 8 days.
- Custom: Set the daily access volume threshold and duration (up to 31 days). An API is considered inactive if its daily access count stays below the specified value for the entire duration.

Important

If an asset's Last Active Time exceeds 30 days, the system automatically deletes the asset along with its associated risk data and security event records.

8. Log subscription

Log subscription delivers API Security logs to a Logstore in Simple Log Service (SLS), where you can centrally manage, query, and analyze them.

Three log types are available: asset information, risk information, and attack event information.

WAF instances in the Chinese mainland can deliver logs only to SLS Logstores in the Chinese mainland. WAF instances outside the Chinese mainland can deliver logs only to SLS Logstores outside the Chinese mainland. Cross-region log delivery between the Chinese mainland and other regions is not supported.

Prerequisites

Before you begin, make sure you have:

Enabled the service-linked role for WAF (skip this step if you already granted this authorization when enabling Simple Log Service for WAF). For details, see Service-linked Role.
Created a Project and Logstore in the Simple Log Service console to receive the logs.

The log subscription feature does not support Logstores automatically created by SLS or Logstores named waf-logstore, wafng-logstore, or wafnew-logstore.

Configure a log subscription task

On the API Security page, go to Policy Configuration > Log Subscription.
Select the log type, then click Configure.
Select the Region, Project name, and Logstore name, then click OK. After configuration, logs are delivered to the Logstore when trigger conditions are met. To query and analyze logs in SLS, enable indexing as prompted. For details, see Create indexes.
To disable a log subscription task and avoid ongoing Logstore charges, disable the task on the Log Subscription tab and delete the corresponding Logstore. For details, see How do I disable Simple Log Service or stop billing?.

Important

Creating cloud resources and enabling indexing in Simple Log Service may incur additional fees billed by Simple Log Service. For pricing details, see Billing overview of Simple Log Service.
Charges may still apply after you create a Project or Logstore even if no log subscription task is enabled. Delete unused Logstores promptly to avoid extra charges. For details, see Why am I charged for creating only a Project and a Logstore?.

Log trigger conditions and fields

Asset information logs

Trigger conditions:

Delivered immediately when a new API asset is added.
If no new API assets are added, delivered every hour by default.

Fields:

Field name	Description	Format	Example
user_id	Customer UID	string	123456
service_host	Domain name	string	api.aliyun.com
api_format	API path	string	/api/v1/getuserbyid/${param}
request_method	Request method	string	GET
api_tag	Business purpose	object []	['QueryInfo']
api_type	Service object	object []	['PublicAPI']
auth_key	Authentication field	object []	['id_token', 'access_token']
api_status	Lifecycle	string	NewbornInterface
api_sensitive_level	API sensitivity level	string	L1
api_sensitive_req	Request sensitive data type	object []	['1014', '1017', '1002']
api_sensitive_res	Response sensitive data type	object []	['1009', '1013', '1003', '1014', '1002']
farthest_ts	First discovered time	long	1713237135
lastest_ts	Last active time	long	1716452318
abnormal_num	Number of risks	integer	1
event_num	Number of events	integer	2
struct_baseline	Parameter structure	object	['{"key":"Trace-Id","location":"request_header","format":"string","required":"true"}', ...]
matched_hosts	Protected object	object []	['*.aliyun.com-waf']
hosts	Domain name	object []	['api.aliyun.com']
server_port	Port	object []	['443']
server_location	Country of origin server	object []	['CN']
api_id	Unique API ID	string	af418cb31036015fddea71b48d06aa4b
log_type	Log type	string	asset
request_header	Request Header	JSON	{"Connection":"Keep-Alive","Host":"api.aliyun.com","eagleeye-rpcid":"0.1"}
querystring	Request URL parameter	string	?token=7464f593205896e23b1286ba7532dcff
request_body	Request Body	string	xxx=1
response_header	Response Header	JSON	{"Accept-Ranges":["bytes","bytes"],"Cache-Control":"private, max-age=21600, no-transform"}
response_body	Response Body	string	xxxx
example_timestamp	Sample timestamp	long	1718546694
example_traceid	Sample trace ID	string	784e2ca717213678365778292e58de

Risk information logs

Trigger condition: Delivered when new risk information is detected.

Fields:

Field name	Description	Format	Example
user_id	Customer UID	string	123456
service_host	Domain name	string	api.aliyun.com
api_format	API path	string	/api/v1/login
request_method	Request method	string	POST
api_tag	Business purpose	object []	['LoginAPI']
abnormal_tag	Risk name	string	Risk_DefaultPasswd
abnormal_type	Risk type (Custom/Built-in)	string	default
abnormal_level	Risk level	string	medium
abnormal_discover_ts	Risk discovery time	long	1716343432
abnormal_info	Risk information	object	{'default_passwd':'aliyun123'}
api_id	Unique API ID	string	2c0f97e10b586208039e60671150bd9b
abnormal_id	Unique risk ID	string	8cfccc0e8c3d41aa1221e94a2fdeffe3
log_type	Log type	string	risk
matched_hosts	Protected object	object []	['*.aliyun.com-waf']
request_header	Request Header	JSON	{"Connection":"Keep-Alive","Host":"api.aliyun.com","eagleeye-rpcid":"0.1"}
querystring	Request URL parameter	string	?token=7464f593205896e23b1286ba7532dcff
request_body	Request Body	string	xxx=1
response_header	Response Header	JSON	{"Accept-Ranges":["bytes","bytes"],"Cache-Control":"private, max-age=21600, no-transform"}
response_body	Response Body	string	xxxx
example_timestamp	Sample timestamp	long	1718546694
example_traceid	Sample trace ID	string	784e2ca717213678365778****58de

Attack event information logs

Trigger conditions:

Delivered immediately when a new attack event is detected.
If the attack continues, logs are delivered at 10-minute intervals.

Fields:

Field name	Description	Format	Example
user_id	Customer UID	string	123456
service_host	Domain name	string	api.aliyun.com
matched_host	Protected object	string	api.aliyun.com-waf
host	Domain name	string	api.aliyun.com
api_format	API path	string	/api/admin/login
request_method	Request method	string	POST
api_tag	Business purpose	object []	['AdminService', 'LoginService']
event_tag	Event name	string	Event_LoginCollision
event_origin	Event type (Custom/Built-in)	string	default
event_level	Event level	string	high
start_ts	Attack start time	long	1713886210
end_ts	Attack end time	long	1713887817
attack_cnt	Total attacks	integer	147
attack_ip_info	Attacker IP information	object []	[{'ip':'103.44.XX.XXX', 'country_id':'HK', 'region_id':'-', 'cnt':'147'}]
api_id	Unique API ID	string	4dfc73b37d2d645fe2ca7f45c08f7398
event_id	Event ID	string	f09f6802e9b57a58ebb9f1bea212027e
log_type	Log type	string	event
request_data	Request data sample	JSON	{'1002':['John Doe','Jane Smith','Chen Liu'],'1004':['13200000001','15200000002']}
response_data	Response data sample	JSON	{'postarg.userId':['lisi111','zhangsan123'],'postarg.corpId':['wx1111111'],'postarg.externalUserid':['wm7_KpDgOm6Bm-BGA']}

Log field value reference

Use this reference when analyzing logs or correlating field values with the WAF console display.

Lifecycle (api_status)

Use api_status to filter for inactive APIs in SLS alert rules.

Field value	Description
NewbornInterface	New
OfflineInterface	Inactive
normal	Normal

Service object (api_type)

Field value	Description
PublicAPI	Public service
ThirdpartAPI	Third-party cooperation
InternalAPI	Internal office

Business purpose (api_tag)

Use api_tag to filter for specific API categories in SLS queries and alert rules.

Field value	Description
LoginByUserPasswd	Log on with username and password
LoginByPhoneCode	Log on with phone verification code
LoginByMailCode	Log on with email verification code
WeChatLogin	Log on with WeChat
AliPayLogin	Log on with Alipay
OAuthLogin	OAuth authentication
OIDCLogin	OIDC authentication
SAMLLogin	SAML authentication
SSOLogin	SSO authentication
LoginAPI	Logon service
LogoutAPI	Log off
RegisterByUserPasswd	Register with username and password
RegisterByPhoneCode	Register with phone verification code
RegisterByMailCode	Register with email verification code
WeChatRegister	Register with WeChat
AliPayRegister	Register with Alipay
RegisterAPI	Registration service
SendSMS	Send text message
SendMail	Send email
ResetPasswd	Reset password
CheckVerifyCode	Verify verification code
CheckStatus	Check status
QueryOrder	Query order
ExportOrder	Export order
UpdateOrder	Update order
PayOrder	Pay order
QueryLog	Log query
UploadLog	Log upload
DownloadLog	Log export
LogService	Log service
GraphQL	GraphQL
SqlService	SQL service
FileUpload	File upload
FileDownload	File download
FileService	File service
AdminService	Backend management
DashBoard	Dashboard
MonitorService	Monitoring service
SendInfo	Send information
CheckInfo	Check data
QueryInfo	Query data
UploadInfo	Upload data
DownloadInfo	Download data
AddInfo	Add data
EditInfo	Edit data
UpdateInfo	Update data
ShareInfo	Share data
DeleteInfo	Delete data
SyncInfo	Synchronize data
SubmitInfo	Submit data
CopyInfo	Copy data
AuditInfo	Audit data
SaveInfo	Save data
CancelOp	Cancel
StartOp	Start
BatchOp	Batch processing
PauseOp	Pause
BindOp	Bind
DebugOp	Debug
SetOp	Settings
ShutDown	Shutdown

Request/response sensitive data type (api_sensitive_req, api_sensitive_res)

Use these codes to identify the types of sensitive data detected in request and response payloads.

Field value	Description
1000	ID card (the Chinese mainland)
1001	Debit card
1002	Name (Simplified Chinese)
1003	Address (the Chinese mainland)
1004	Mobile number (the Chinese mainland)
1005	Mailbox
1006	Passport number (the Chinese mainland)
1007	Exit-Entry Permit for Hong Kong and Macao
1008	License plate number (the Chinese mainland)
1009	Phone number (the Chinese mainland)
1010	Officer ID card
1011	Gender
1012	Ethnicity
1013	Province (the Chinese mainland)
1014	City (the Chinese mainland)
1015	ID card (Hong Kong (China))
1016	Name (Traditional Chinese)
1017	Name (English)
1018	ID card (Malaysia)
1019	ID card (Singapore)
1020	Credit or Debit Card
1022	SWIFT code
1023	SSN
1024	Phone number (United States)
1025	Religious belief
2000	IP address
2001	MAC address
2002	Java Database Connectivity (JDBC) connection string
2003	PEM certificate
2004	Private key
2005	AccessKey ID
2006	AccessKeySecret
2007	IPv6 address
2009	Date
2010	IMEI
2011	Mobile Equipment Identifier (MEID)
2013	Linux passwd file
2014	Linux shadow file
2015	URL
4000	Business license number
4001	Tax registration number
4002	Organization code
4003	Unified Social Credit Code
4004	Vehicle Identification Number (VIN)

Risk type (risk)

Use abnormal_tag to filter for specific risk types in SLS alert rules.

Field value	Description
RiskType_Specification	Security specification
Risk_UnsafeHttpMethod	Unsafe HTTP method
Risk_WeakSignAlgorithm	Weak JWT signature algorithm
Risk_UrlParam	Parameter is a URL
RiskType_Account	Account security
Risk_PasswdUnencrypt	Password transmitted in plaintext
Risk_WeakPasswd	Weak password allowed
Risk_InternalWeakPasswd	Weak password in internal application
Risk_DefaultPasswd	Default password exists
Risk_PasswdResponse	Returns plaintext password
Risk_PasswdCookie	Password stored in cookie
Risk_LoginRestrict	Logon API lacks restrictions
Risk_LoginPrompt	Unreasonable logon failure prompt
Risk_PasswdUrl	Username and password transmitted in URL
RiskType_Control	Access control
Risk_InternalAPI	Internal application accessible from the Internet
Risk_SourceRestrict	API does not restrict access source
Risk_ClientRestrict	API does not restrict access tool
Risk_SpeedRestrict	API does not restrict access rate
RiskType_Permission	Permission management
Risk_WeakToken	Weak authentication credential
Risk_UnauthSensitive	Sensitive API not authenticated
Risk_UnauthInternalAPI	Internal API allows unauthenticated access
Risk_TokenUrl	Credential information transmitted in URL
Risk_AkLeak	AccessKey information leak
RiskType_Sensitive	Data protection
Risk_SensitiveTypeExcessive	Returns excessive types of sensitive data
Risk_SensitiveNumExcessive	Returns excessive amount of sensitive data
Risk_InvalidDesensitize	Sensitive data not effectively masked
Risk_ServerInfoLeak	Server sensitive information leak
Risk_InternalIPLeak	Internal network IP address leak
Risk_SensitiveURL	Sensitive data transmitted in URL
RiskType_Design	API design
Risk_ParamTraverse	Request parameter can be traversed
Risk_PageSize	Returned data volume can be modified
Risk_SqlAPI	Database query
Risk_RceAPI	Command execution API
Risk_SmsContent	Arbitrary text message content sending
Risk_MailContent	Arbitrary email content sending
Risk_SmsVerifyCodeLeak	Text message verification code leak
Risk_MailVerifyCodeLeak	Email verification code leak
Risk_FileDownload	Specified file download
Risk_ExceptionLeak	Application exception information leak
Risk_ExceptionSql	Database exception information leak

Event type (event)

Use event_tag to identify the type of attack in event logs and build SLS alert rules for specific attack patterns.

Field value	Description
Event_AbnormalFrequency	Abnormally high-frequency access
Event_ExceptionIPInvoke	Abnormal IP accessing internal API
Event_ExceptionRegionInvoke	Abnormal region accessing internal API
Event_ExceptionClientInvoke	Access using abnormal tool
Event_ExceptionTimeInvoke	Access during abnormal time period
Event_AbnormalParamValue	Access with abnormal parameter value
Event_InternalLoginWeakPasswd	Internal application logon with weak password
Event_LoginAccountBruteForce	Brute-force username
Event_LoginPasswdBruteForce	Brute-force logon password
Event_LoginCollision	Dictionary attack
Event_MobileVerifyBruteForce	Brute-force text message verification code
Event_MailVerifyBruteForce	Brute-force email verification code
Event_AbnormalRegister	Batch registration
Event_SMSInterfaceAbuse	Malicious consumption of text message resources
Event_EmailInterfaceAbuse	Malicious consumption of email resources
Event_AbnormalExport	Batch download
Event_DataTraverse	Traversing and scraping API data
Event_WebAttackAPI	Malicious attack on API
Event_ObtainSensitiveUnauthorized	Unauthorized access to sensitive data
Event_ObtainSensitiveExcessive	Obtaining large amounts of sensitive data
Event_CrossborderIPSensitiveExcessive	Overseas IP obtaining large amounts of sensitive data
Event_ExceptionResponse	API returns abnormal error message
Event_ExceptionSql	API returns database error message
Event_SystemInfoResponse	API returns system sensitive information
Event_AbnormalStatus	Abnormal API response status

9. Effective object configuration

Effective object configuration controls which detection policies apply to which protected objects.

Subscription WAF

API Security provides three switches at the protected object or protected object group level:

Basic Detection: Enabled by default. Controls whether all built-in and custom detection policies are active.
Compliance Check: Disabled by default. Can be enabled only after Basic Detection is on. Controls whether the Compliance Check feature is active.
Tracing and Auditing: Disabled by default. Can be enabled only after Basic Detection is on. Controls whether the Tracing and Auditing feature is active.

Pay-as-you-go WAF

API Security provides one switch at the protected object or protected object group level:

Basic Detection: Controls whether all built-in and custom detection policies are active. To disable API Security entirely, turn off Basic Detection for all protected objects and protected object groups.