After you add your website to Web Application Firewall (WAF), you can configure data leakage prevention rules. These rules filter sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words, from server responses. WAF can mask the sensitive information or return a default error response page. This topic describes how to create a data leakage prevention template and add protection rules to the template.
Limits
Protected objects in cloud native mode (ALB, MSE, FC) do not support this feature.
Prerequisites
A WAF 3.0 instance is purchased. For more information, see Activate a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.
Step 1: Create a data leakage prevention template
Data leakage prevention rules do not have a default protection template. To enable data leakage prevention, you must create a new protection template and add rules to it.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the Data Leakage Prevention section of the Core Web Protection page, click Create Template.
In the Create Template - Data Leakage Prevention panel, configure the parameters for the template and click OK.
Configuration items:
Template Name: Enter a name for the template. The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Rule Configuration: You can click Create Rule to create a data leakage prevention rule for the current template. You can also skip this setting and create a rule for the template after the template is created. For more information, see Step 2: Add a data leakage prevention rule to a template.
Apply To: From the added protected objects and object groups, select the Protected Objects and Protected Object Groups to which you want to apply the template. A protected object or object group can be associated with only one template in the current protection module. For more information about how to add protected objects and object groups, see Configure protected objects and protected object groups.
By default, a newly created protection template is enabled. You can perform the following operations on the template in the template list:
View the numbers of protected objects and protected object groups that are associated with the template in the Protected Object/Group column.
Turn on or turn off the switch in the Status column to enable or disable the template.
Click Create Rule in the Actions column to create a protection rule for the template.
Click Edit, Delete, or Copy in the Actions column to manage the template.
Click the icon to the left of the template name to view the protection rules in the template.
Step 2: Add a data leakage prevention rule to a template
A data leakage prevention template takes effect only after you add protection rules to it. If you added rules when you created the template, you can skip this step.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the Data Leakage Prevention section, find the protection template to which you want to add a rule, expand the template, and then click Create Rule in the Actions column.
In the Create Rule dialog box, configure the parameters for the rule and click OK.
Configuration items:
Rule Name: Enter a name for the rule. The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Match Condition: Defines the type of sensitive information to detect in the response. Valid values:
  Status Code: 400, 401, 402, 403, 404, 500, 501, 502, 503, 504, 405~499, and 505~599.
  Sensitive Info: ID Card Numbers, Credit Card Number, Mobile Phone Number, and Default Sensitive Words.
  Important: The data leakage prevention feature currently supports only data formats used in the Chinese mainland, such as ID card numbers, phone numbers, and bank card numbers. It does not support data formats from outside the Chinese mainland.
  You can specify one or more types under the Response Code and Sensitive Information categories.
  If you select AND, you can also specify a URL so that the rule detects sensitive information only in responses for that URL.
Action: Defines the action to take when sensitive information is detected in a response.
  When the match condition is Status Code, the following actions are supported:
  Monitor: Records a log entry when a response hits the rule but does not block the request.
  Block: Blocks the request that hits the rule and returns a block page to the client.
  When the match condition is Sensitive Info, the following actions are supported:
  Monitor: Records a log entry when a response hits the rule but does not block the request.
  Mask: Does not block the request that hits the rule but replaces parts of the sensitive information with asterisks (*).
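The detection and Mask behaviour described above, as an added example that is not Alibaba Cloud WAF code: a Python checker that recognizes the three Chinese mainland formats the feature supports (ID card number with its check character, mobile phone number, bank card number with a Luhn check) in a constructed response body and masks the middle of each value with asterisks, so you can build test responses and compare them with what the rule reports. The validity checks, the number of characters kept unmasked, and the sample values are assumptions for testing; the page does not document the patterns WAF uses internally.

```python
import re
# Runs of 11-19 digits, optionally ending in the ID-card check letter X.
TOKEN_RE = re.compile(r"(?<![0-9Xx])[0-9]{11,19}[Xx]?(?![0-9Xx])")
MOBILE_RE = re.compile(r"^1[3-9][0-9]{9}$")
ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
ID_CHECK = "10X98765432"  # ISO 7064 MOD 11-2 check characters
# Assumed masking policy (not WAF's): characters kept at head and tail of a value.
MASK_POLICY = {"id_card": (6, 4), "mobile": (3, 4), "bank_card": (6, 4)}

def is_valid_id_card(token):
    """18-character Chinese mainland ID card number with a valid check character."""
    if len(token) != 18 or not token[:17].isdigit():
        return False
    total = sum(int(c) * w for c, w in zip(token[:17], ID_WEIGHTS))
    return token[17].upper() == ID_CHECK[total % 11]

def luhn_ok(digits):
    # Luhn check used by bank card numbers: double every second digit from the right.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(token):
    """Sensitive-info category of a digit run, or None if it is just a number."""
    if is_valid_id_card(token):
        return "id_card"
    if MOBILE_RE.match(token):
        return "mobile"
    if token.isdigit() and 16 <= len(token) <= 19 and luhn_ok(token):
        return "bank_card"
    return None

def mask_response(body):
    """Return (masked body, categories found), mirroring a Mask rule on a response."""
    found = []
    def repl(m):
        token, category = m.group(), classify(m.group())
        if category is None:
            return token  # plain numbers such as order IDs are left untouched
        found.append(category)
        head, tail = MASK_POLICY[category]
        return token[:head] + "*" * (len(token) - head - tail) + token[-tail:]
    return TOKEN_RE.sub(repl, body), found

# Constructed sample response body: documented sample formats, not real data.
SAMPLE_BODY = ('{"id":"11010519491231002X","mobile":"13800138000",'
               '"card":"6222021234567894","order":"202401010001"}')
MASKED_BODY, FOUND = mask_response(SAMPLE_BODY)
```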
By default, a newly created protection rule is enabled. You can perform the following operations on the rule in the rule list:
View the rule ID and action in the Rule ID and Action columns.
Turn on or turn off the switch in the Status column to enable or disable the rule.
Click Edit or Delete in the Actions column to modify or delete the rule.
What to do next
You can view the protection details for the rules on the Data Leakage Prevention tab of the Security Reports page. For more information, see Security reports.
References
To learn more about the protected objects, protection modules, and protection process of WAF 3.0, see Overview of mitigation settings.
To create a protection template using an API, see Create a protection template.
To create a basic protection rule and configure its settings, see Create a Web core protection rule.