Web Application Firewall: Match conditions

Last Updated: Mar 31, 2026

Match conditions define the request attributes that WAF inspects when evaluating whitelist rules, custom rules, and bot management rules. When a request meets the match conditions of a rule, WAF applies the action specified in that rule — Allow, Block, or Challenge.

How match conditions work

Each match condition consists of three parts: a Match Field, a Logical Operator, and Match Content.

Example 1: Match Field = URI, Logical Operator = Contains, Match Content = /login.php — matches any request whose path contains /login.php.

Example 2: Match Field = IP, Logical Operator = Is, Match Content = 192.XX.XX.1 — matches requests from the client IP address 192.XX.XX.1.

WAF decodes request content that uses URL encoding, HTML encoding, or Unicode encoding before matching it against the specified match content.
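
The following is an added example, not Alibaba Cloud's code or the WAF's actual implementation. It evaluates one match condition and shows why decoding before matching lets a single Contains rule for /login.php cover encoded spellings of the same path. The decode order, the single decoding pass, the %uXXXX escape form, and the sample requests (documentation-range IP addresses) are assumptions.

```python
import html
import ipaddress
import re
from urllib.parse import unquote

def normalize(value):
    # Assumed order (the page lists the encodings, not the order): %uXXXX or
    # \uXXXX Unicode escapes, then URL encoding, then HTML entities. One pass.
    value = re.sub(r"(?:%u|\\u)([0-9a-fA-F]{4})",
                   lambda m: chr(int(m.group(1), 16)), value)
    return html.unescape(unquote(value))

def ip_belongs_to(client_ip, content):
    # Match content: comma-separated addresses or CIDR blocks.
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(item.strip(), strict=False)
               for item in content.split(","))

# Subset of the string operators the page lists.
OPERATORS = {
    "Equals": lambda v, c: v == c,
    "Contains": lambda v, c: c in v,
    "Prefix Match": lambda v, c: v.startswith(c),
    "Suffix Match": lambda v, c: v.endswith(c),
}

def matches(request, field, operator, content, decode=True):
    """Evaluate one (Match Field, Logical Operator, Match Content) triple."""
    raw = request[field]
    if field == "IP":
        if operator not in ("Belongs To", "Does Not Belong To"):
            raise ValueError("unsupported IP operator: " + operator)
        return ip_belongs_to(raw, content) == (operator == "Belongs To")
    value = normalize(raw) if decode else raw
    # Match content is compared case-insensitively.
    return OPERATORS[operator](value.casefold(), content.casefold())

# Constructed sample URIs: the same path spelled five ways.
SAMPLE_URIS = ["/login.php", "/LOGIN.php?next=/", "/%6Cogin.php",
               "/%u006Cogin.php", "/&#108;ogin.php"]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        req = {"URI": uri, "IP": "192.0.2.77"}  # constructed request
        print(uri,
              matches(req, "URI", "Contains", "/login.php", decode=False),
              matches(req, "URI", "Contains", "/login.php"))
```

Run directly, it prints each sample URI with the result of matching the raw value and then the decoded value.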

Supported match fields

For pay-as-you-go WAF instances, match rules are categorized as advanced or basic, each with different billing rates. For details, see Billing.
Subscription-based WAF instances of the Enterprise edition or higher support advanced rules (such as regular expression matching) at no extra charge. For details about supported rules by edition, see Version guide.
Custom rule module rules that use Regular Expression Match or Regular Expression Mismatch operators are advanced rules and billed accordingly.
The match content for the following match fields is case-insensitive.

| Match field | Description | Supported logical operators |
| --- | --- | --- |
| URI | The Uniform Resource Identifier (URI) of a request — the path of the requested resource. In most cases, URI = URI Path + Query String. The path must start with / and must not include a domain name. For example: /login.php. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| IP | The source IP address of the client that initiates the request. Supported formats: IPv4 (for example, 1.XX.XX.1), IPv6 (for example, 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff), and CIDR blocks (for example, 1.XX.XX.1/16). A single protection rule supports a maximum of 100 IP addresses or CIDR blocks across all IP match conditions combined. Separate multiple IP addresses or CIDR blocks with a comma (,). | Belongs To, Does Not Belong To |
| Referer | The source URL of the request — the page from which the request originates. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| User-Agent | Information about the client browser, including the browser identifier, rendering engine, and version. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Query String | The query string in the request URL — the part following the question mark (?). | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Cookie | The cookie data in the request. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist<br>Length Equal To, Length Greater Than, Length Less Than<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Content-Type | The MIME type of the HTTP request body, as specified in the Content-Type request header. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Length Equal To, Length Greater Than, Length Less Than<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Content-Length | The size of the request body in bytes. Valid values: 0 to 2,147,483,648. | Equals, Value Greater Than, Value Less Than |
| X-Forwarded-For | The originating IP address of the client when the request is forwarded through an HTTP proxy or Server Load Balancer (SLB) instance. Only requests forwarded by a proxy or SLB contain this header. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain<br>Does Not Exist<br>Length Equal To, Length Greater Than, Length Less Than |
| Body | The content of the request body. Rules using this field are advanced rules. | Is<br>Contains<br>Does Not Exist<br>Prefix Match, Suffix Match<br>Matches regular expression |
| Http-Method | The HTTP request method: GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, TRACE, or PATCH. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value |
| Header | An HTTP request header. Supports custom header fields. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist<br>Length Equal To, Length Greater Than, Length Less Than<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| URI Path | The path component of the request URI. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Query String Parameter | A parameter name in the query string. For example, in www.aliyundoc.com/request_path?param1=a&param2=b, param1 and param2 are parameter names. Parameter names are case-sensitive. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match |
| Server-Port | The server port number. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value |
| File Extension | The file extension in the request path, such as .png or .php. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Filename | The filename at the end of the request path. For example, in /abc/index.php, index.php is the filename. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Host | The domain name in the request. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Regular Expression Match, Regular Expression Mismatch *(advanced)* |
| Cookie Name | The name of a cookie key. For example, in the cookie acw_tc:111, acw_tc is the cookie name. Cookie names are case-sensitive. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Matches regular expression *(advanced)* |
| Body Parameter | A parameter name in the request body. For example, in a=1&b=2, a and b are parameter names. Parameter names are case-sensitive, and the match content must be longer than four characters. Rules using this field are advanced rules. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value<br>Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value<br>Exists, Does Not Exist, Empty<br>Length Equal To, Length Greater Than, Length Less Than<br>Prefix Match, Suffix Match<br>Matches regular expression *(advanced)* |

What's next