Web Application Firewall:Protected objects and protected object groups

Last Updated: Mar 31, 2026

Web Application Firewall (WAF) automatically creates a protected object for each asset you onboard. For most users, no further action is required. Manual configuration is needed only when you need different protection rules for multiple domain names that share the same backend, or when you want to apply the same rules to many assets at once using protected object groups.

Key concepts

  • Protected object: WAF creates one automatically for each domain name or cloud service instance you onboard. You apply protection templates to protected objects to enforce security policies.

  • Protected object group: A collection of protected objects that share the same protection rules. Adding objects to a group lets you configure rules once and apply them to all members simultaneously. A protected object can belong to only one group at a time.

Prerequisites

Before you begin, make sure you have:

Add a protected object

WAF automatically creates a protected object for every onboarded asset. Manual addition is only required in these two scenarios:

  • Cloud service onboarding: Multiple domain names resolve to the same cloud service instance, and you need different protection rules for each domain name.

  • Hybrid cloud SDK integration: Multiple domain names resolve to the same cluster, and you need different protection rules for each domain name.

To add a protected object manually:

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Protected Objects.

  3. On the Protected Objects tab, click Add Protected Object.

  4. In the Add Protected Object dialog box, select a Protected Object Type and configure the corresponding parameters, then click OK.

Cloud service parameters

  • Domain name: Enter an exact-match domain name (for example, www.aliyundoc.com) or a wildcard domain name (for example, *.aliyundoc.com). A wildcard domain name matches only subdomains at the same level: *.aliyundoc.com matches www.aliyundoc.com and example.aliyundoc.com, but not aliyundoc.com or www.example.aliyundoc.com. If a request matches both an exact domain name and a wildcard domain name, the protection rules for the exact domain name take precedence.

  • Cloud service: Select the type of cloud service instance to which the domain name is onboarded: ALB (Application Load Balancer), CLB4 (Classic Load Balancer with a TCP listener), CLB7 (CLB with an HTTP/HTTPS listener), ECS (Elastic Compute Service), or NLB (Network Load Balancer).

  • Instance: Select the ALB instance ID. Required only when Cloud service is set to ALB.

  • Add to protected object group (Optional): Add the protected object to a group for centralized rule management. Once added to a group, rules must be configured at the group level; individual rule configuration is no longer available for that object.

  • Resource group (Optional): Assign the protected object to a resource group to simplify permission management. If not needed, select Default Resource Group. For details, see What is a resource group?
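As an added example (not Alibaba Cloud WAF's own code), the following Python implements the exact-match and wildcard matching rules and the exact-over-wildcard precedence described above; the protected object names and template labels are constructed samples.

```python
from typing import Dict, Optional

# Constructed sample protected objects: domain name -> label of the template applied.
PROTECTED_OBJECTS: Dict[str, str] = {
    "www.aliyundoc.com": "strict-template",
    "*.aliyundoc.com": "default-template",
}

def wildcard_matches(pattern: str, host: str) -> bool:
    """*.aliyundoc.com matches exactly one label below aliyundoc.com:
    www.aliyundoc.com yes; aliyundoc.com no; www.example.aliyundoc.com no."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # ".aliyundoc.com"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]
    # Exactly one non-empty label may stand in for the asterisk.
    return prefix != "" and "." not in prefix

def resolve_protected_object(host: str, objects: Dict[str, str]) -> Optional[str]:
    """Return the domain name of the protected object whose rules apply to a
    request Host value, or None when nothing matches. An exact-match object
    wins over a wildcard object that also matches."""
    # Normalize: lower-case, drop a trailing dot and any port (host:8443).
    host = host.lower().rstrip(".").split(":", 1)[0]
    if host in objects and not host.startswith("*."):
        return host
    for name in objects:
        if wildcard_matches(name, host):
            return name
    return None
```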

SDK-based traffic mirroring parameters

  • Protected object name: Enter a name that clearly identifies this object.

  • Domain name/IP address: Enter an exact-match domain name (for example, www.aliyundoc.com) or a wildcard domain name (for example, *.aliyundoc.com). Matching and priority rules are the same as for cloud service objects.

  • URL: Enter the URL path to protect.

  • Add to protected object group (Optional): Add the protected object to a group for centralized rule management. Once added to a group, rules must be configured at the group level.

  • Resource group (Optional): Assign the protected object to a resource group. If not needed, select Default Resource Group. For details, see What is a resource group?

Configure advanced settings

WAF provides advanced settings for customizing how each protected object handles traffic inspection and client interaction. To access these settings, click Settings in the Actions column for the target protected object.

  • Configure client IP address: Use when a Layer 7 proxy (such as a CDN) is deployed in front of WAF. Configure this so WAF can retrieve the real client IP for security analytics, such as the attacker IP address in Security Reports.

  • Cookie settings: Use when HTTP flood protection or scan protection is active, or when a rule action is set to Slider CAPTCHA. WAF adds tracking and authentication cookies to responses using a Set-Cookie header. Configure the sending status and the Secure attribute to meet your compliance and compatibility requirements.

  • Custom response header: Use for domain names onboarded in CNAME record mode. WAF inserts custom headers into responses sent to clients, which is useful for security hardening, policy control, or debugging.

  • Decode settings: Use to enable WAF to parse and restore data in formats such as JSON, XML, and Form, and data encoded using methods such as Base64 and HTML entities. This ensures WAF can detect malicious traffic hidden in multi-layer encoding.

  • User identification: Use to configure WAF to extract user identity information (such as usernames, tokens, and JWT entities) from requests. This information is then used by the Scan Protection, Bot Management, and Custom Rule modules for account-level security control.

Configure client IP address

On the WAF Link Settings tab, configure Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF. For details, see Obtain real client information.

No further action is required for CNAME domains or ECS/CLB/NLB instances if they were configured during onboarding.

Configure cookie settings

On the WAF Link Settings tab, configure Tracking Cookie and Slider CAPTCHA Cookie.

Tracking cookie

WAF issues a cookie named acw_tc to identify and track client access behavior when HTTP flood protection or scan protection is in use. Use the Status switch to enable or disable this feature. To issue this cookie only for HTTPS requests, enable Secure Attribute.

Important
  • Keep Tracking Cookie enabled. If disabled, HTTP flood protection and scan protection will not work correctly.

  • For protected objects in a protected object group, Tracking Cookie is enabled by default and cannot be disabled, and Secure Attribute cannot be enabled.

  • If a request matches multiple protected objects and Tracking Cookie or Secure Attribute is enabled for at least one of them, the feature applies to all matched objects.

Slider CAPTCHA cookie

After a slider verification is passed, WAF issues a cookie named acw_sc__v3 to validate the verification. To send this cookie only over HTTPS, enable Secure Attribute.

Important
  • Enabling Secure Attribute for the slider cookie interferes with slider verification on HTTP sites.

  • For protected objects in a protected object group, Secure Attribute is disabled by default and cannot be enabled.

Configure custom response headers

On the WAF Link Settings tab, configure Custom Response Header. Add up to five custom headers. If a custom header name matches a response header from the origin server, WAF replaces the original header value with the value you specify.

Custom response headers are supported only for domain names onboarded in CNAME record mode.

Configure decode settings

Configure settings on the Decode Settings tab. For a full reference of all supported decoding and parsing options, see Decode settings reference.

Configure user identification

On the User Identification tab, configure up to five rules per protected object, in priority order.

Extraction location — where WAF looks for the user identity:

  • Query String

  • Body

  • Cookie

  • Header

Account format — how the identity is encoded:

  • Plaintext authentication: For example, email@example.com.

  • JWT authentication: Typically in the Authorization header as Authorization: Bearer {Token}. For JWT, specify the account field in the decoded payload.

  • Basic authentication: Typically in the Authorization header as Authorization: Basic {Token}.
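As an added example (not WAF's own code), this Python shows how each of the three account formats is read from a request: a claim from the Bearer token's JWT payload (decoded only, not verified), the user name from Basic credentials, and a plaintext query parameter. The `user` parameter name, the default `sub` account field and the sample tokens are assumptions.

```python
import base64
import json
from typing import Dict, Optional
from urllib.parse import parse_qs

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def identity_from_jwt(token: str, account_field: str) -> Optional[str]:
    """Read one claim (the configured account field) from the JWT payload.
    This only decodes; signature verification stays with the application."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    value = payload.get(account_field) if isinstance(payload, dict) else None
    return None if value is None else str(value)

def identity_from_basic(token: str) -> Optional[str]:
    """Basic credentials are base64(user:password); keep only the user part."""
    try:
        creds = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:
        return None
    return creds.split(":", 1)[0] or None

def extract_identity(headers: Dict[str, str], query: str,
                     account_field: str = "sub") -> Optional[str]:
    """Rules in priority order: Authorization header (JWT, then Basic),
    then a plaintext 'user' query parameter (an assumed field name)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token:
        return identity_from_jwt(token.strip(), account_field)
    if scheme.lower() == "basic" and token:
        return identity_from_basic(token.strip())
    return (parse_qs(query).get("user") or [None])[0]
```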

Use protected object groups for bulk rule management

Instead of configuring protection rules for each domain individually, create a protected object group and apply one protection template to all members at once. Groups are most useful when you have multiple protected objects that share the same security policy.

  1. In the left-side navigation pane, choose Protection Configuration > Protected Objects.

  2. On the Protected Object Groups tab, click Create.

  3. In the Create Protected Object Group dialog box, enter a Protected Object Group Name, select objects under Associate with Protected Object, add optional Remarks, and click OK.

    - The Available Objects list shows only protected objects that are not already in a group and have only the default protection template applied (or no template at all).

    - A protected object already in a group cannot be added to another group. Remove it from its current group first.

  4. When creating a protection template, set Apply To to Protected Object Group to apply the template to all objects in the group.

Manage protected objects and groups

Manage protected objects

  • View protection rules: Click View Protection Rule in the Actions column. The Core Web Protection page opens and shows the associated protection templates and their rules.

  • Add to a protected object group: In the Actions column, click the action icon and choose Add to Protected Object Group, or select multiple objects and click Add to Protected Object Group below the list.

  • View logs: If Log Service is enabled, click the action icon in the Actions column and choose View Logs.

  • Delete: Click Delete in the Actions column. Only manually added domain protected objects can be deleted directly. To remove automatically generated objects, remove the corresponding assets.

Manage protected object groups

  • Edit group membership: On the Protected Object Groups tab, click Edit in the Actions column to add or remove objects. When an object is removed from a group, the default protection template is automatically applied to it.

  • Modify protection rules: On the Protected Object Groups tab, click Configure Rule in the Actions column to view and update the rules in the associated protection template.

  • Delete a group: On the Protected Object Groups tab, click Delete in the Actions column for the group.

Limitations

  • Quota per edition: The number of protected objects, protected object groups, and objects per group varies by WAF edition. See the Edition Guide for details. To check your current usage, go to the Protected Objects page. If you've reached your quota, delete unused protected objects or upgrade your edition.

  • Subscription quota reservation: For subscription instances, WAF reserves quota for the free domains included in your edition plus any purchased additional domain quotas. For example, a Pro instance includes 5 free domain names and supports up to 600 protected objects. If you purchase 2 additional domains, WAF reserves 7 slots (5 + 2), leaving 593 (600 − 7) available for additional protected objects.

  • Group membership: A protected object can belong to only one group. To move an object to a different group, remove it from its current group first.

  • Group configuration: Once a protected object is added to a group, its protection rules must be configured at the group level. Individual rule configuration is no longer available for that object.

  • Cookie settings restrictions: MSE instances and custom domains of FC in cloud native mode do not support Cookie Settings.

  • Decode settings restrictions: FC and MSE instances in cloud native mode do not support Decode Settings.

Appendix: Decode settings reference

Important
  • For ALB instances onboarded via cloud native mode, Base64 Decoding is disabled by default. Enable it if needed.

  • For hybrid cloud integration, upgrade xagent to version 4.1.0 or later for decode settings to take effect.

Key-value parsing

JSON data parsing

Based on RFC 7159, the JSON parsing module parses and restructures JSON data — including key-value objects, arrays, strings, and numbers — with syntax validation, type conversion, nested structure processing, and Unicode decoding. This improves WAF's ability to detect malicious content hidden in JSON payloads.

  • Input: {"Hello":"World"}

  • Output: key: Hello, value: World

XML data parsing

In compliance with the W3C XML specification, the XML parsing module parses elements, attributes, text content, CDATA sections, and processing instructions, with syntax validation, entity reference resolution, and namespace processing. This enhances WAF rule accuracy for XML payloads.

  • Input: <Hello attr="desc"><![CDATA[World]]></Hello>

  • Output: key: Hello, value: World; key2: Hello.attr, value2: desc

Form data parsing

Based on RFC 1866, the form parsing module parses application/x-www-form-urlencoded data — including key-value parameters, array parameters, file upload fields, and nested structures — with URL decoding and character set handling.

  • Input: Hello=World

  • Output: key: Hello, value: World

Multipart data parsing

In compliance with RFC 2046, the Multipart parsing module parses multipart/form-data — including file fields, text fields, boundary delimiters, and nested structures — with boundary detection and encoding conversion.

  • Input:

    ------WebKitFormBoundary7MA4YWxkTrZu0gW
    Content-Disposition: form-data; name="Hello"
    
    World
    ------WebKitFormBoundary7MA4YWxkTrZu0gW--
  • Output: key: Hello, value: World

GraphQL parsing

In compliance with the GraphQL specification, this module parses queries, variable definitions, arguments, and directives — including field selections, query parameters, variable substitutions, aliases, and nested queries — across URL parameters, JSON payloads, raw GraphQL queries, and multipart file upload formats.

  • Input: HelloWorld{ desc(Hello:"World"){ Hello } }

  • Output: key: Hello, value: World

Decoding

Base64 decoding

Implements the RFC 4648 Base64 decoding algorithm using the standard character set (A–Z, a–z, 0–9, +, /) and the padding character (=), with character validation, padding handling, and byte alignment.

  • Input: SGVsbG8gV29ybGQh

  • Output: Hello World!

HTML entity decoding

Based on the HTML 5.2 specification (W3C Recommendation), decodes numeric character references (decimal form such as &#72; and hexadecimal form such as &#x48;) and named character entities (such as &excl;).

  • Input: &#72;&#101;&#108;&#108;&#111;&#32;&#87;&#111;&#114;&#108;&#100;&excl;

  • Output: Hello World!

PHP deserialization

Implements the reverse operation of PHP's serialize() function, parsing type identifiers (such as i, s, a, and O), length metadata, and recursive data structures.

  • Input: payload=O:5:"Hello":1:{s:4:"desc";s:6:"World!";}

  • Output: key: payload.Hello.desc, value: World!

Java deserialization

Based on the Java serialization protocol, implements the reverse operation of ObjectInputStream, parsing class descriptors, field metadata, and object state information in compliance with the JVM serialization specification.

  • Input: rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABdAAFSGVsbG90AAZXb3JsZCF4

  • Output: extracted Java class: java.util.HashMap

UTF-7 decoding

Based on RFC 2152, processes UTF-7 encoding markers (+ and -) and Base64-encoded Unicode character sequences. Suitable for email systems and MIME message transmission scenarios.

  • Input: +/v8 +AEgAZQBsAGwAbwAgAFcAbwByAGwAZAAh-

  • Output: Hello World!

Unicode decoding

Based on the Unicode standard (ISO/IEC 10646, Unicode 15.0), parses \uXXXX notation (four hexadecimal digits) and the \u{XXXXXX} extended format.

  • Input: \u0048\u0065\u006c\u006c\u006f\u0020\u0057\u006f\u0072\u006c\u0064\u0021

  • Output: Hello World!

URL decoding

Based on RFC 3986, implements the reverse conversion of Percent-Encoding for reserved characters, non-ASCII characters, and special characters in URIs, following the application/x-www-form-urlencoded MIME type specification.

  • Input: Hello%20World%21

  • Output: Hello World!

Hex decoding

Based on RFC 4648, converts hexadecimal strings to binary data using Big-Endian byte order and the standard hexadecimal character set (0–9, A–F, a–f).

  • Input: \x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21

  • Output: Hello World!

Octal decoding

Converts backslash-prefixed octal digits (such as \123) to their corresponding characters using the ASCII lookup table. Supports the standard octal range of 0–377 (0–255 in decimal) and can parse octal escape sequences in mixed text.

  • Input: \110\145\154\154\157\040\127\157\162\154\144\041

  • Output: Hello World!

Decompression

Gzip decompression

Based on RFC 1952, uses the DEFLATE decompression algorithm with header parsing (magic number 0x1f8b, compression method, flags), CRC32 checksum, and support for stream processing, multi-member files, and error recovery.

  • Input: binary file data 1f 8b 08 00 11 39 00 69 00 ff 01 0c 00 f3 ff 48 65 6c 6c 6f 20 57 6f 72 6c 64 21 a3 1c 29 1c 0c 00 00 00 (shown in hexadecimal)

  • Output: Hello World!

Preprocessing

Comment stripping

Based on the ANSI SQL standard and MySQL extended syntax, identifies and removes single-line comments (--), multi-line comments (/* */), and MySQL conditional comment syntax (/*! ... */). Removing comments improves WAF accuracy in detecting malicious SQL and reduces the risk of rule bypass via comment injection.

  • Input: /*!40101 SET */@OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT ;

  • Output: @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT ;

Whitespace compression

Detects and compresses consecutive whitespace characters into a single space, normalizing leading, trailing, and intermediate whitespace for consistent text formatting.

  • Input: Hello   World! (with multiple consecutive spaces between the words)

  • Output: Hello World!
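As an added example that is not part of the original page, the following Python applies the decoders and preprocessing steps from this appendix to the page's own sample inputs, each of which should come out as Hello World!. The gzip bytes are the ones listed in the Gzip decompression section; the function names are this example's own.

```python
import base64
import gzip
import html
import re
from urllib.parse import unquote

def decode_base64(s: str) -> str:
    """RFC 4648 standard alphabet with '=' padding; reject stray characters."""
    return base64.b64decode(s, validate=True).decode("utf-8")

def decode_html_entities(s: str) -> str:
    """Numeric (&#72; &#x48;) and named (&excl;) character references."""
    return html.unescape(s)

def decode_utf7(s: str) -> str:
    """RFC 2152 '+...-' runs; drop an optional BOM (+/v8) and surrounding spaces."""
    return s.encode("ascii").decode("utf-7").replace("\ufeff", "").strip()

def decode_unicode_escapes(s: str) -> str:
    """\\uXXXX (four hex digits) and the \\u{XXXXXX} extended form."""
    pattern = r"\\u\{([0-9A-Fa-f]{1,6})\}|\\u([0-9A-Fa-f]{4})"
    return re.sub(pattern, lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decode_hex_escapes(s: str) -> str:
    """\\xHH byte escapes."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def decode_octal_escapes(s: str) -> str:
    """\\NNN escapes limited to 0-377 (0-255), as the page specifies."""
    return re.sub(r"\\([0-3][0-7]{2})", lambda m: chr(int(m.group(1), 8)), s)

decode_url = unquote  # RFC 3986 percent-decoding

def decompress_gzip(data: bytes) -> str:
    """RFC 1952 member: check the 1f 8b magic; gzip verifies CRC32 and length."""
    if data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member")
    return gzip.decompress(data).decode("utf-8")

def strip_sql_comments(s: str) -> str:
    """Remove /* */ blocks (including MySQL /*! */ conditionals) and -- lines."""
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)
    return re.sub(r"--[^\n]*", "", s)

def compress_whitespace(s: str) -> str:
    """Collapse runs of whitespace to one space and trim the ends."""
    return re.sub(r"\s+", " ", s).strip()

# Constructed from the hex bytes listed in the Gzip decompression section above.
GZIP_SAMPLE = bytes.fromhex(
    "1f 8b 08 00 11 39 00 69 00 ff 01 0c 00 f3 ff 48 65 6c 6c 6f 20 57 6f 72 6c 64 21"
    " a3 1c 29 1c 0c 00 00 00"
)
```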