
Web Application Firewall:Protection rule templates

Last Updated: Jun 25, 2026

The WAF AI application protection feature creates protection rules to effectively block malicious prompt attacks and manage illegal or non-compliant content in user input and model-generated content in real time, providing comprehensive security and compliance for AI applications.

Create a protection template

Before you create a protection template, you must Enable AI application protection and Asset management.

  1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of the WAF instance. In the left-side navigation pane, choose Protection Config > AI Application Protection. On the Rule Templates tab, click Create Template.

  2. In the Template Name section, enter a name for the template.

  3. In the Request Detection Template and Response Detection Template sections, select existing detection item services from AI Guardrails. You can click the icon on the right to go to the AI Guardrails console and configure the detection items. For more information, see Configure check items.

  4. In the Chunking Configuration section, set the Request Chunk Size and Response Chunk Size. These parameters determine the text length sent to AI Guardrails for risk detection in a single call.

    • Performance and cost tradeoff: Increasing the chunk size reduces the number of calls to AI Security Guardrails, which lowers usage costs. However, the latency before clients receive the complete response also increases, because a larger chunk must be fully collected before it is checked.

    • Calculation example: If a client sends 500 bytes of content and the chunk size is set to 300 bytes, the system splits the content into 300-byte chunks, triggering two AI Security Guardrails detection calls.

    • Semantic integrity: The system has a built-in anti-splitting mechanism that ensures the semantic integrity of risky text is not affected by chunking, so a risky passage cannot escape detection simply because it straddles a chunk boundary.

  5. In the Rule Configuration section, click Create Rule and configure the following items based on the Protection Dimensions. You can create multiple rules.

    1. Content Compliance Detection: Detects and handles illegal or non-compliant content such as pornography, political content, and prohibited content in user input (Prompt) and model-generated content (Response).

    2. Prompt Attack Detection: Identifies and handles specific instructions embedded in user input to prevent attackers from bypassing or manipulating the safety and ethical constraints of large language models to perform unintended tasks.

    3. Blacklist Dictionary: Configure a blacklist dictionary in AI Security Guardrails. WAF applies the corresponding handling strategies to matched keywords based on this dictionary.

    Content Compliance Detection

    • Rule Name: Enter a recognizable name for the rule.

    • Protection Dimensions: Select Content Compliance Detection.

    • Detection Category: You can select multiple risk types to detect, including pornography, political content, terrorism and violence, prohibited content, and inappropriate content.

      For fine-grained configuration (for example, to exclude Suspected Sex Education from the moderation of pornographic content), go to AI Security Guardrails to configure the settings. For more information, see Configure check items.

    • Severity Level: Set the threat level. Valid values: High Risk, Medium Risk, and Low Risk.

    • Detect Request and Detect Response: Select these options to specify whether WAF inspects user requests, AI model responses, or both. You can configure them separately or together.

      Inspect Request

      Select this option to inspect user requests. Then, select a protection action to take. Valid values:

      • Monitor: Does not block requests that match the rule, but logs the matches. You can view the requests that matched the current rule in Query logs to analyze the protection effectiveness of the rule (for example, whether there are any false positives).

      • Custom Response: For attack requests that match the rule, WAF forwards the original request to the backend large language model and replaces the model's real response with the custom response content that you configured. You only need to configure the specific response text without adapting to the model's response format. For example, you can configure the response text as: "The request contains illegal content and has been blocked by WAF."

      • Block: Blocks attack traffic that matches the rule and does not forward it to the backend large language model. You can select a custom response page. Refer to the following examples.

        • Example 1: Does not adapt to the response format of large language model applications. Directly returns a block page.

          • Status Code: 403

          • Header Name: Content-Type

          • Header Value: text/plain; charset=utf-8

          • Response Body: {"error_id":" {::trace_id::}","msg":"Response blocked due to prohibited content."}

        • Example 2: Adapts to the response format of large language model applications for a better user experience. Adjust based on your actual application's response.

          • Status Code: 200

          • Header Name: Content-Type

          • Header Value: text/event-stream; charset=utf-8

          • Response Body:

            data: {"id":"","object":"chat.completion.chunk","created":1747364919,"model":"deepseek-chat","system_fingerprint":"","choices":[{"index":0,"delta":{"content":"Input rejected: Prohibited content detected by WAF."},"logprobs":null,"finish_reason":"stop"}],"usage":{"prompt_tokens":0,"completion_tokens":0,"total_tokens":0,"prompt_tokens_details":{"cached_tokens":0},"prompt_cache_hit_tokens":0,"prompt_cache_miss_tokens":0}}
            data: [DONE]

      Inspect Response

      Select this option to inspect AI model responses. Based on your actual business characteristics, select a Non-streaming Response Action or Streaming Response Action. You can configure them separately or together.

      • Non-streaming Response Action

        • Monitor: Does not block responses that match the rule, but logs the matches. You can view the responses that matched the current rule in Query logs to analyze the protection effectiveness of the rule (for example, whether there are any false positives).

        • Custom Response: For attack requests that match the rule, WAF forwards the original request to the backend large language model and replaces the model's real response with the custom response content that you configured. You only need to configure the specific response text without adapting to the model's response format. For example, you can configure the response text as: "The response contains illegal content and has been blocked by WAF."

        • Block: Blocks responses that match the rule and returns a block response page to the requesting client. You can select a custom response page.

      • Streaming Response Action

        • Monitor: Does not block responses that match the rule, but logs the matches. You can view the responses that matched the current rule in Query logs to analyze the protection effectiveness of the rule (for example, whether there are any false positives).

        • Retract: Recalls responses that match the rule. The recall message must be in SSE data format that complies with the large language model platform protocol, and its structure must match the client parsing logic. Otherwise, the recall behavior cannot be triggered correctly. Refer to the following example.

          • For example, in Dify, the event field uses message_replace to recall the previous message, and the answer field specifies the prompt displayed to the user after the recall.

            When receiving the SSE stream, the client monitors the event field of each message. When it receives "event": "message_replace", the client should:

            1. Stop receiving the current streaming output.

            2. Clear or overwrite the rendered unsafe content.

            3. Display the prompt in the answer field as the final response.

            data: {"event": "message_replace", "conversation_id": "", "message_id": "", "created_at": 1755685383, "task_id": "", "id": "", "answer": "Illegal content detected. Response revoked!", "from_variable_selector": null}

        • Custom Response: For attack requests that match the rule, WAF forwards the original request to the backend large language model and replaces the model's real response with the custom response content that you configured. You only need to configure the specific response text without adapting to the model's response format. For example, you can configure the response text as: "The response contains illegal content and has been blocked by WAF."

    Prompt Attack Detection

    • Rule Name: Enter a recognizable name for the rule.

    • Protection Dimensions: Select Prompt Attack Detection.

    • Severity Level: Set the threat level. Valid values: High Risk, Medium Risk, and Low Risk.

    • Detect Request: WAF inspects user requests. Then, select a protection action to take when a request matches the rule. Valid values:

      • Monitor: Does not block requests that match the rule, but logs the matches. You can view the requests that matched the current rule in Query logs to analyze the protection effectiveness of the rule (for example, whether there are any false positives).

      • Custom Response: For attack requests that match the rule, WAF forwards the original request to the backend large language model and replaces the model's real response with the custom response content that you configured. You only need to configure the specific response text without adapting to the model's response format. For example, you can configure the response text as: "The request contains illegal content and has been blocked by WAF."

      • Block: Blocks attack traffic that matches the rule and does not forward it to the backend large language model. You can select a custom response page. Refer to the following examples.

        • Example 1: Does not adapt to the response format of large language model applications. Directly returns a block page.

          • Status Code: 403

          • Header Name: Content-Type

          • Header Value: text/plain; charset=utf-8

          • Response Body: {"error_id":" {::trace_id::}","msg":"Response blocked due to prohibited content."}

        • Example 2: Adapts to the response format of large language model applications for a better user experience. Adjust based on your actual application's response.

          • Status Code: 200

          • Header Name: Content-Type

          • Header Value: text/event-stream; charset=utf-8

          • Response Body:

            data: {"id":"","object":"chat.completion.chunk","created":1747364919,"model":"deepseek-chat","system_fingerprint":"","choices":[{"index":0,"delta":{"content":"Input rejected: Prohibited content detected by WAF."},"logprobs":null,"finish_reason":"stop"}],"usage":{"prompt_tokens":0,"completion_tokens":0,"total_tokens":0,"prompt_tokens_details":{"cached_tokens":0},"prompt_cache_hit_tokens":0,"prompt_cache_miss_tokens":0}}
            data: [DONE]

    Blacklist Dictionary

    • Rule Name: Enter a recognizable name for the rule.

    • Protection Dimensions: Select Blacklist Dictionary, then click Configure Custom Keyword Library to go to AI Security Guardrails to configure the dictionary. For more information, see Library management.

    • Detect Request and Detect Response: Select these options to specify whether WAF inspects user requests, AI model responses, or both. You can configure them separately or together.

      Inspect Request

      Select this option to inspect user requests. Then, select a protection action to take. Valid values:

      • Monitor: Does not block requests that match the rule, but logs the matches. You can view the requests that matched the current rule in Query logs to analyze the protection effectiveness of the rule (for example, whether there are any false positives).

      • Custom Response: For attack requests that match the rule, WAF forwards the original request to the backend large language model and replaces the model's real response with the custom response content that you configured. You only need to configure the specific response text without adapting to the model's response format. For example, you can configure the response text as: "The request contains illegal content and has been blocked by WAF."

      • Block: Blocks attack traffic that matches the rule and does not forward it to the backend large language model. You can select a custom response page. Refer to the following examples.

        • Example 1: Does not adapt to the response format of large language model applications. Directly returns a block page.

          • Status Code: 403

          • Header Name: Content-Type

          • Header Value: text/plain; charset=utf-8

          • Response Body: {"error_id":" {::trace_id::}","msg":"Response blocked due to prohibited content."}

        • Example 2: Adapts to the response format of large language model applications for a better user experience. Adjust based on your actual application's response.

          • Status Code: 200

          • Header Name: Content-Type

          • Header Value: text/event-stream; charset=utf-8

          • Response Body:

            data: {"id":"","object":"chat.completion.chunk","created":1747364919,"model":"deepseek-chat","system_fingerprint":"","choices":[{"index":0,"delta":{"content":"Input rejected: Prohibited content detected by WAF."},"logprobs":null,"finish_reason":"stop"}],"usage":{"prompt_tokens":0,"completion_tokens":0,"total_tokens":0,"prompt_tokens_details":{"cached_tokens":0},"prompt_cache_hit_tokens":0,"prompt_cache_miss_tokens":0}}
            data: [DONE]

      Inspect Response

      Select this option to inspect AI model responses. Based on your actual business characteristics, select a Non-streaming Response Action or Streaming Response Action. You can configure them separately or together.

      • Non-streaming Response Action

        • Monitor: Does not block responses that match the rule, but logs the matches. You can view the responses that matched the current rule in Query logs to analyze the protection effectiveness of the rule (for example, whether there are any false positives).

        • Custom Response: For attack requests that match the rule, WAF forwards the original request to the backend large language model and replaces the model's real response with the custom response content that you configured. You only need to configure the specific response text without adapting to the model's response format. For example, you can configure the response text as: "The response contains illegal content and has been blocked by WAF."

        • Block: Blocks responses that match the rule and returns a block response page to the requesting client. You can select a custom response page.

      • Streaming Response Action

        • Monitor: Does not block responses that match the rule, but logs the matches. You can view the responses that matched the current rule in Query logs to analyze the protection effectiveness of the rule (for example, whether there are any false positives).

        • Retract: Recalls responses that match the rule. The recall message must be in SSE data format that complies with the large language model platform protocol, and its structure must match the client parsing logic. Otherwise, the recall behavior cannot be triggered correctly. Refer to the following example.

          • For example, in Dify, the event field uses message_replace to recall the previous message, and the answer field specifies the prompt displayed to the user after the recall.

            When receiving the SSE stream, the client monitors the event field of each message. When it receives "event": "message_replace", the client should:

            1. Stop receiving the current streaming output.

            2. Clear or overwrite the rendered unsafe content.

            3. Display the prompt in the answer field as the final response.

            data: {"event": "message_replace", "conversation_id": "", "message_id": "", "created_at": 1755685383, "task_id": "", "id": "", "answer": "Illegal content detected. Response revoked!", "from_variable_selector": null}

        • Custom Response: For attack requests that match the rule, WAF forwards the original request to the backend large language model and replaces the model's real response with the custom response content that you configured. You only need to configure the specific response text without adapting to the model's response format. For example, you can configure the response text as: "The response contains illegal content and has been blocked by WAF."

  6. In the Protected Assets section, select the assets created in Asset management to apply the protection template to those assets.

    Note

    A protection template can be associated with multiple assets, but each asset can be associated with only one protection template.
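The Retract action in step 5 only works if the client actually reacts to the message_replace event. The following is an added example, not code from the WAF documentation or from Dify, of a client-side handler for the Dify-style SSE stream shown above: it renders message events incrementally and, when the WAF retract event arrives, stops reading, discards the already-rendered text, and shows the answer field as the final response. The event shapes are assumed from the page's sample, and the sample stream is constructed for illustration.

```javascript
// Added example (not from the WAF documentation or Dify): handle a Dify-style
// SSE stream and honour a WAF "message_replace" retract event.

function parseSseEvents(raw) {
  // Split the stream into SSE messages (blank-line separated) and parse the
  // JSON payload of each "data:" line. Non-JSON payloads (e.g. "[DONE]") are
  // kept as raw events so they never reach the renderer as content.
  const events = [];
  for (const block of raw.split(/\r?\n\r?\n/)) {
    const data = block
      .split(/\r?\n/)
      .filter((line) => line.startsWith('data:'))
      .map((line) => line.slice(5).trim())
      .join('\n');
    if (data === '') continue;
    try {
      events.push(JSON.parse(data));
    } catch {
      events.push({ event: 'raw', data });
    }
  }
  return events;
}

function renderDifyStream(raw) {
  // Replay the stream and return what the user finally sees.
  let rendered = '';
  let retracted = false;
  let processed = 0;
  for (const ev of parseSseEvents(raw)) {
    processed += 1;
    if (ev.event === 'message') {
      rendered += ev.answer ?? '';
    } else if (ev.event === 'message_replace') {
      // Retract: stop receiving, clear the unsafe text, show the prompt.
      rendered = ev.answer ?? '';
      retracted = true;
      break;
    }
    // Other events (message_end, ping, raw) do not change the rendered text.
  }
  return { rendered, retracted, processed };
}

// Constructed sample: two content chunks, the WAF retract event from the page,
// then a trailing chunk that a compliant client must never render.
const SAMPLE_STREAM = [
  'data: {"event": "message", "answer": "Here is ", "message_id": "m1"}',
  '',
  'data: {"event": "message", "answer": "some text", "message_id": "m1"}',
  '',
  'data: {"event": "message_replace", "conversation_id": "", "message_id": "m1", "created_at": 1755685383, "task_id": "", "id": "", "answer": "Illegal content detected. Response revoked!", "from_variable_selector": null}',
  '',
  'data: {"event": "message", "answer": " that must not appear", "message_id": "m1"}',
  '',
].join('\n');
```

A client that ignores the event field and simply concatenates every answer value would leave the unsafe text on screen and append whatever follows the retract event, which is why the page requires the recall message structure to match the client's parsing logic.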

What to do next

After you create a protection template, you can view the protection results in the WAF and AI Security Guardrails consoles:

  • WAF console: Go to the Security reports page to query the hit records of specific AI application protection templates. You can also view protection logs in Query logs.

  • AI Security Guardrails console: Go to the Test Results > Result Query page to view the detailed risk types and scores triggered by prompts and response content. For more information, see Test results.

View and manage protection templates

On the Rule Templates tab, you can perform the following management operations on the protection template list:

  • View and search: Browse created protection templates. You can use the search box at the top of the page to filter by asset, template, or rule.

  • Enable or disable: Use the toggle switch on the right to enable or disable a template. A disabled template has no protection effect.

  • Edit and maintain: You can Edit, Delete, or Copy a protection template.

Limitations

Currently, only the following protection object types are supported:

  • CNAME access

  • Partial cloud native access (ECS, CLB, and NLB)

Support for other protection object types is currently under development.