How to configure website tamper-proofing rules - Web Application Firewall

After you add your website to Web Application Firewall (WAF), you can configure website tamper-proofing rules to lock web pages that you want to protect, such as web pages that contain sensitive information. When a locked page receives a request, a cached version of the page is returned to help prevent web page tampering. This topic describes how to create a website tamper-proofing template and add protection rules.

Limits

This feature is not supported for protected objects that use hybrid cloud mode or cloud native mode (MSE, FC).

Requirement

A WAF 3.0 instance is purchased. For more information, see Activate a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.

Step 1: Create a website tamper-proofing template

The website tamper-proofing module does not provide a default protection template. If you want to enable website tamper-proofing rules, you must create a protection template and then add rules to the template.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > Core Web Protection.
In the Core Web Protection page, find the Website Tamper-proofing section and click Create Template.

In the Create Template - Website Tamper-proofing panel, configure the parameters and click OK.

Parameter	Description
Template Name	Specify a name for the template. The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Rule Configuration	You can click Create Rule to create a website tamper-proofing rule for the template. You can also skip this step and create rules after you create the template. For more information, see Step 2: Add website tamper-proofing rules to the website tamper-proofing template.
Apply To	Select the Protected Objects and Protected Object Groups to which you want to apply the template from the added protected objects and protected object groups. You can apply only one template of a protection module to a protected object or a protected object group. For more information about how to add protected objects and protected object groups, see Configure protected objects and protected object groups.

By default, a newly created protection template is enabled. You can perform the following operations on the template in the template list:

View the numbers of protected objects and protected object groups that are associated with the template in the Protected Object/Group column.
Turn on or turn off the switch in the Status column to enable or disable the template.
Click Create Rule in the Actions column to create a protection rule for the template.
Click Edit, Delete, or Copy in the Actions column to manage the template.
Click the icon to the left of the template name to view the protection rules in the template.

Step 2: Add website tamper-proofing rules to the website tamper-proofing template

A website tamper-proofing template takes effect only after you add website tamper-proofing rules to the template. If you have added rules when you created the template, you can skip this step.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > Core Web Protection.
In the Website Tamper-proofing section, find the template for which you want to create rules and click Create Rule in the Actions column.

In the Create Rule dialog box, configure the parameters and click OK.

Parameter	Description
Rule Name	Specify a name for the rule. The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Address of Cached Page	Specify the type and path of the cached page. Type of the cached page: http or https. Path of the cached page: The default value is `www.waftest.cn/index.html`. You can modify the value. Wildcards (such as `/`) or parameters (such as `/abc?xxx=yyy`, where `xxx=yyy` is the parameter part) are not supported. Important* Requests whose URLs include parameters cannot be matched by website tamper-proofing rules and are forwarded to the origin server by WAF. For example, if the path of the cached page is set to `/abc` and the URL of a request is `/abc?xxx=yyy`, the request does not match the website tamper-proofing rule whose cached page path is `/abc`. The website tamper-proofing module protects text data, HTML pages, and images in the specified path. The size of a single protected file cannot exceed 1 MB. Important You can specify only a URL. You cannot specify a directory.
Specify User-Agent to Access	Specify the User-Agent strings of browsers that can be used to access the web pages that you added to WAF. If you do not select Specify User-Agent to Access, the User-Agent is set to the identifier of a PC browser by default. If you select Specify User-Agent to Access, you must specify the User-Agent. You can open a browser and press F12 to open the developer mode. On the Network tab, click a request. In the Request Headers section, find the User-Agent field to obtain the identifier of the browser.

Note

After you create a website tamper-proofing rule, the system automatically pulls resources and caches them to WAF. Subsequent access requests use the cached pages.
If you turn on the template Status or activate the rule Status again, the system refreshes the cache. This has the same effect as clicking Update Cache.
If your origin server has IP address-based access control configured, add the following IP addresses to the whitelist:
- Mainland China: 121.196.106.101, 121.196.100.214, 121.196.110.192, and 121.196.107.0.
- Outside Mainland China: 8.219.104.2 and 8.219.41.212.

By default, a newly created protection rule is enabled. You can perform the following operations on the rule in the rule list:

View the rule ID and action in the Rule ID and Action columns.
Turn on or turn off the switch in the Status column to enable or disable the rule.
Click Edit or Delete in the Actions column to modify or delete the rule.

Related operations

If you want to enable website tamper-proofing for a specific directory on a server, you can use the web tamper proofing feature of Security Center. For more information, see Web tamper proofing.

The following table describes the differences between the website tamper-proofing module of WAF and the web tamper proofing feature of Security Center.

Difference	WAF	Security Center
Procedure	The website tamper-proofing module of WAF lets you lock web pages that you want to protect, such as web pages that contain sensitive information. When a locked web page is requested, a cached version of the page is returned to help prevent web page tampering.	The web tamper proofing feature of Security Center restores tampered files or directories based on backup files. This prevents important website information from being tampered with.
Applicable scope	Website URLs.	Server directories.

References

For more information, see Overview of protection configuration.
For more information about how to use API operations to create protection templates, see Create a protection template.
For more information about how to create a Web Core Protection rule and configure the rule content, see Create a Web Core Protection rule.