When configuring a protection template, you must specify a protected object as the target. While Web Application Firewall (WAF) automatically generates these objects for onboarded assets, manual configuration is required for complex scenarios involving bulk asset management or advanced settings (such as custom decoding, cookies, or response headers). This topic describes how to configure and manage protected objects and groups for fine-grained security.
Key concepts
Protected object: When you onboard a domain name or a cloud service instance to WAF, WAF automatically creates a corresponding protected object. You can then apply a protection template to the protected object.
Protected object group: You can add multiple protected objects to a group for centralized management. A protected object can belong to only one protected object group.
Usage notes
Before you begin, ensure that you meet the following requirements:
Onboarding requirement: You must have an existing protected object. WAF creates one automatically when you onboard your web service. If you have not yet onboarded your service, see Onboarding overview.
ICP filing: To add a protected object for a domain name that is associated with a cloud service and hosted on a server in the Chinese mainland, the domain name must have an ICP filing. For more information, see How do I check the ICP filing information of a domain name?
Add a protected object
When you add an asset to WAF, WAF automatically creates a corresponding protected object. Manual creation is typically not necessary. However, you must manually add a domain name as a protected object in the following scenarios:
Cloud service onboarding: Multiple domain names resolve to the same cloud service instance, and you need to configure different protection rules for each domain name.
Hybrid cloud SDK integration: Multiple domain names resolve to the same cluster, and you need to configure different protection rules for each domain name.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Protected Objects tab, click Add Protected Object.
In the Add Protected Object dialog box, configure the parameters according to the Protected Object Type, and then click OK.
Cloud Service
Parameter | Description |
Domain Name | Enter the domain name to protect. You can enter an exact-match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. Note: Wildcard domain name matching rule: a wildcard domain name can match only subdomains at the same level. For example, *.aliyundoc.com can match subdomains such as www.aliyundoc.com and example.aliyundoc.com, but not aliyundoc.com or www.example.aliyundoc.com. Priority rule: if a request matches both an exact domain name and a wildcard domain name, the protection rules for the exact domain name take precedence. |
Cloud Service | Select the type of Cloud Service instance to which the domain name is onboarded. Options: ALB (Application Load Balancer); CLB4 (Classic Load Balancer (CLB) with a TCP listener); CLB7 (CLB with an HTTP/HTTPS listener); ECS (Elastic Compute Service); NLB (Network Load Balancer). |
Instance | Select the ALB instance ID. This is required only when the Cloud Service type is set to ALB. |
Add to Protected Object Group | Add the protected object to a protected object group for centralized management of protection rules. Once an object is in a group, you must configure its protection rules at the group level; individual rule configuration is no longer supported. |
Resource Group | Add protected objects to resource groups as needed to simplify resource management and permission configuration, and improve management efficiency. If not needed, select Default Resource Group. For more information, see What is a resource group?. |
SDK-based Traffic Mirroring
Parameter | Description |
Protected Object Name | Enter an easily identifiable name. |
Domain Name/IP Address | Enter the domain name to protect. You can enter an exact-match domain name, such as www.aliyundoc.com, or a wildcard domain name, such as *.aliyundoc.com. Note: Wildcard domain name matching rule: a wildcard domain name can match only subdomains at the same level. For example, *.aliyundoc.com can match www.aliyundoc.com and example.aliyundoc.com, but not aliyundoc.com or www.example.aliyundoc.com. Priority rule: if a request matches both an exact domain name and a wildcard domain name, the protection rules for the exact domain name take precedence. |
URL | Enter the URL path to protect. |
Add to Protected Object Group | Add the protected object to a protected object group for centralized management of protection rules. Once an object is in a group, you must configure its protection rules at the group level; individual rule configuration is no longer supported. |
Resource Group | Add protected objects to resource groups as needed to simplify resource management and permission configuration, and improve management efficiency. If you have no specific configuration requirements, select Default Resource Group. For more information, see What is a resource group?. |
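The exact-match and wildcard rules from the Domain Name parameter (including the precedence of an exact name over a wildcard) as an added example in Python; this is not Alibaba Cloud WAF code, and the protected object names and template labels are constructed sample values.

```python
# Added example (not Alibaba Cloud WAF code): the exact/wildcard matching and
# priority rules from the Domain Name parameter, written as a small matcher.
# Protected object names and template labels are constructed sample values.

def host_matches(pattern: str, host: str) -> bool:
    """Return True if `host` is covered by `pattern`.

    An exact pattern must equal the host. A wildcard (*.aliyundoc.com) stands
    for exactly one label, so it covers www.aliyundoc.com and
    example.aliyundoc.com but neither aliyundoc.com (no label) nor
    www.example.aliyundoc.com (two labels). Hostnames compare case-insensitively.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # ".aliyundoc.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]         # the part the "*" stood for
    return label != "" and "." not in label


def select_protected_object(protected_objects: dict, host: str):
    """Pick the protected object whose rules apply to a request host.

    Returns (pattern, template). If both an exact name and a wildcard cover
    the host, the exact name wins; otherwise the first matching wildcard;
    otherwise (None, None), meaning no protected object applies.
    """
    wildcard_hit = None
    for pattern, template in protected_objects.items():
        if not host_matches(pattern, host):
            continue
        if not pattern.startswith("*."):
            return pattern, template     # exact match takes precedence
        if wildcard_hit is None:
            wildcard_hit = (pattern, template)
    return wildcard_hit or (None, None)


# Constructed sample configuration: one wildcard and one exact protected object.
SAMPLE_PROTECTED_OBJECTS = {
    "*.aliyundoc.com": "wildcard-template",
    "www.aliyundoc.com": "exact-template",
}
```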
Configure advanced settings for a protected object
WAF provides the following advanced settings to customize a protected object based on your business needs and security policies. To access these settings, click Settings in the Actions column for the target protected object.
Parameter | Use case and description |
Client IP Address | If a Layer 7 proxy, such as a CDN, is deployed in front of WAF, you must set Obtain Actual IP Address of Client so that WAF can obtain the real client IP for security analytics (for example, the Attacker IP Address in Security Reports). |
Cookie Settings | When you use protection modules (such as HTTP Flood Protection and Scan Protection), or configure a rule action as Slider CAPTCHA, WAF adds tracking and authentication cookies to the response using a Set-Cookie header. You can configure the sending status and the Secure attribute of these cookies as needed to meet security compliance and business compatibility requirements. |
Custom Response Header | For domain names onboarded in CNAME record mode, WAF can insert custom headers into the response sent to the client. This is used for security hardening, policy control, or debugging. |
Decode Settings | WAF can parse and restore data in formats such as JSON, XML, and Form, and data encoded using methods such as Base64 and HTML entities. This ensures the detection of malicious traffic hidden in multi-layer encoding or compression. |
User Identification | WAF can extract user identity information (such as usernames, tokens, and JWT entities) from requests and apply it in the Scan Protection, Bot Management, and Custom Rule modules for fine-grained, account-level security control. |
Configure Client IP Address
On the WAF Link Settings tab, configure Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF. For more information, see Obtain real client information.
Note: No further action is required for CNAME domains or ECS/CLB/NLB instances if this was configured during onboarding.
Cookie Settings
On the WAF Link Settings tab, you can configure Tracking Cookie and Slider CAPTCHA Cookie.
Tracking Cookie: When you use features such as HTTP flood protection and scan protection, WAF issues a cookie named acw_tc by default to identify and track the access behavior of clients. You can use the Status switch to enable or disable the Tracking Cookie feature. To issue this cookie only for HTTPS requests, enable the Secure Attribute.
Important:
Recommended configuration: Enable the Status switch so that the tracking cookie is issued. Otherwise, protection modules such as HTTP flood protection and scan protection will not work correctly.
Protected object group restrictions: For protected objects in a protected object group, the Tracking Cookie feature is enabled by default, and you cannot disable the Tracking Cookie or enable the Secure Attribute.
Effective rule: If a request hits multiple protected objects and the Tracking Cookie or Secure Attribute feature is enabled for at least one of them, the feature is automatically enabled for all the hit objects.
Slider CAPTCHA Cookie: After the slider verification is passed, WAF automatically issues a cookie named acw_sc__v3 to validate the verification. If you want to ensure that this cookie is sent only in HTTPS requests, enable the Secure Attribute.
Important: Enabling the Secure Attribute of the slider cookie will interfere with the slider feature on HTTP sites. The Secure Attribute is disabled by default for protected objects in a protected object group and cannot be enabled.
Custom Response Header (for CNAME onboarding only)
On the WAF Link Settings tab, configure the Custom Response Header. You can add up to five headers. If the Header Name of a custom response header matches the name of a response header from the origin server, the value of the original header is replaced with the Header Value that you specify.
Decode Settings
Configure the settings on the Decode Settings tab. For more information, see Appendix: Decoding settings.
User Identification
On the User Identification tab, configure up to five rules for each protected object in order of priority.
The location for User Identification can be:
Query String
Body
Cookie
Header
Account format:
Plaintext Authentication: for example, email***@qq.com.
JWT Authentication: Typically in a Header carrying user information. Format: Authorization: Bearer {Token}. For JWT, you must specify the account field in the decoded payload.
Basic Authentication: Typically in a Header. Format: Authorization: Basic {Token}.
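How ordered User Identification rules could pull an account out of a request for the three formats listed above, as an added example in Python; this is not Alibaba Cloud WAF code, and the rule dictionary keys, the sample request and the unsigned demo JWT are constructed for the example.

```python
# Added example (not Alibaba Cloud WAF code): ordered User Identification rules
# pulling an account out of a request for the three formats listed above. The
# rule dict keys, the sample request and the unsigned demo JWT are constructed.
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def account_from_jwt(header_value: str, account_field: str):
    """Authorization: Bearer {Token} -> the account field of the decoded payload."""
    # Only the payload is read, for attribution in rules; nothing here verifies
    # the signature, so the result is not an authenticated identity.
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return None
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except ValueError:                  # bad base64 or bad JSON
        return None
    value = payload.get(account_field) if isinstance(payload, dict) else None
    return None if value is None else str(value)

def account_from_basic(header_value: str):
    """Authorization: Basic {Token} -> the user part of user:password."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        credentials = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:                  # bad base64 or bad UTF-8
        return None
    user, sep, _password = credentials.partition(":")
    return user if sep and user else None

def identify_user(request: dict, rules: list):
    """First rule (in configured order) that yields an account wins, else None."""
    # `request` maps a location (query, body, cookie, header) to name -> value;
    # a rule is {"location", "name", "format"[, "account_field"]}.
    for rule in rules:
        value = request.get(rule["location"], {}).get(rule["name"])
        if value is None:
            continue
        if rule["format"] == "plaintext":
            account = value
        elif rule["format"] == "jwt":
            account = account_from_jwt(value, rule["account_field"])
        elif rule["format"] == "basic":
            account = account_from_basic(value)
        else:
            account = None
        if account:
            return account
    return None

def make_demo_jwt(payload: dict) -> str:
    """Constructed unsigned token for the sample request (dummy signature segment)."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{enc(json.dumps(payload).encode())}.dummysig"

# Constructed sample: a Bearer JWT rule first, then Basic, then a plaintext query parameter.
SAMPLE_RULES = [
    {"location": "header", "name": "Authorization", "format": "jwt", "account_field": "sub"},
    {"location": "header", "name": "Authorization", "format": "basic"},
    {"location": "query", "name": "email", "format": "plaintext"},
]
SAMPLE_REQUEST = {
    "header": {"Authorization": "Bearer " + make_demo_jwt({"sub": "alice", "role": "user"})},
    "query": {"email": "email***@qq.com"},
}
```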
Manage protected objects using protected object groups
When you apply the same protection rules to many protected objects, using protected object groups can greatly improve management efficiency.
In the navigation pane on the left, select .
On the Protected Object Groups tab, click Create.
In the Create Protected Object Group dialog box, enter a Protected Object Group Name, select the Associate with Protected Object, add Remarks, and click OK.
Note: The list of Available Objects in the Associate with Protected Object section only includes protected objects that meet the following criteria: they are not part of any protected object group, and they have only the default protection template applied (or no template at all).
A protected object that is already added to a group cannot be added to another group. You must remove it from its current group before adding it to a new one.
When you create a protection template, you can set the Apply To to Protected Object Group to apply the template to all objects in the group.
Daily O&M
Manage protected objects
View the protection rules for a protected object: Click View Protection Rule in the Actions column for the target protected object. The Core Web Protection page opens and displays the associated protection templates, which consist of the configured protection rules.
Add a protected object to a protected object group: You can click in the Actions column of the target protected object. Alternatively, you can select multiple protected objects and click Add to Protected Object Group below the list.
View protected object logs: If you have enabled Log Service, you can click in the Actions column for the protected object.
Delete a protected object: Click Delete in the Actions column for the target object. Only manually added domain protected objects can be deleted directly. To remove automatically generated objects, you must Remove the assets.
Manage protected object groups
Modify the protected objects in a group: On the Protected Object Groups tab, click Edit in the Actions column for a group to add or remove protected objects. If a protected object is removed from the group, the default protection template is automatically applied to it.
Modify the protection rules for a group: On the Protected Object Groups tab, click Configure Rule in the Actions column of the group to view and modify the protection rules in the associated template.
Delete a group: On the Protected Object Groups tab, find the group that you want to delete and click Delete in the Actions column.
Quotas and limits
Limit on the number of protected objects: The number of supported protected objects, protected object groups, and protected objects that you can add to a single protected object group varies by WAF edition. For more information, see the Edition Guide. You can go to the Protected Objects page to view the number of available protected objects. If you have reached your protected object quota limit, delete protected objects or upgrade your edition.

Reservation rule for protected objects: For subscription instances, WAF reserves quota for the free domains included in the edition and any purchased additional domain quotas. Example: if you have an active subscription Pro instance (which includes 5 free domain names and supports a maximum of 600 protected objects), and you purchase 2 additional domains, WAF will reserve 7 (5+2) slots. Consequently, you can add up to 593 (600–7) more protected objects.
Protected object configuration limitations: MSE instances and custom domains of FC in cloud native mode do not support Cookie Settings. FC and MSE instances in cloud native mode do not support Decode Settings.
Appendix: Decoding settings
When you onboard an ALB instance via cloud native mode, Base64 Decoding is disabled by default. However, you can enable it if needed.
For the hybrid cloud integration type, you must upgrade the xagent to version 4.1.0 or later for the decoding settings to take effect.
Key-value parsing
JSON Data Parsing
Description: Based on the RFC 7159 standard, the JSON parsing module delivers robust parsing and restructuring capabilities for JSON data. It handles key-value objects, arrays, strings, and numbers while performing syntax validation, type conversion, nested structure processing, and Unicode decoding. This standardized parsing approach significantly improves the WAF's ability to detect malicious content hidden in JSON payloads.
Example:
Input: {"Hello":"World"}
Output: key:Hello,value:World
XML Data Parsing
Description: The XML parsing module implements parsing and restructuring mechanisms for Extensible Markup Language (XML) in compliance with the XML specification (W3C Recommendation). This module supports comprehensive parsing of XML document structures, including the identification and processing of elements, attributes, text content, CDATA sections, and processing instructions.
The parsing process involves syntax validation, entity reference resolution, namespace processing, and document structure standardization. By normalizing XML parsing, the module enhances the capability of WAF rules to detect malicious content within XML payloads.
Example:
Input: <Hello attr="desc"><![CDATA[World]]></Hello>
Output: key:Hello,value:World;key2:Hello.attr,value2:desc
Form Data Parsing
Description: The form parsing module parses and reconstructs data in the application/x-www-form-urlencoded format based on the RFC 1866 standard. This module fully parses HTML form data, including key-value pair parameters, array parameters, file upload fields, and nested structures. The parsing process includes URL decoding, character set handling, parameter separator identification, and data type conversion. This standardization helps WAF rules better detect malicious content in form payloads.
Example:
Input: Hello=World
Output: key:Hello,value:World
Multipart Data Parsing
Description: The Multipart parsing module implements parsing and restructuring mechanisms for the multipart/form-data format in compliance with RFC 2046. This module supports comprehensive parsing of HTTP file uploads and complex form data, including the identification and processing of file fields, text fields, boundary delimiters, and nested structures.
The parsing process involves boundary detection, field parsing, file content extraction, and encoding conversion. By standardizing multipart parsing, the module enhances the capability of WAF rules to detect malicious content within file uploads and complex form payloads.
Example: Input the following content. The Multipart parser extracts the key as Hello and the value as World.
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="Hello"

World
------WebKitFormBoundary7MA4YWxkTrZu0gW--
GraphQL Parsing
Description: The GraphQL parsing module implements parsing and restructuring mechanisms for the query language in compliance with the GraphQL specification. This module supports comprehensive parsing of GraphQL queries, variable definitions, arguments, and directives, including the identification and processing of field selections, query parameters, variable substitutions, aliases, and nested queries.
The parsing process covers URL parameters, JSON payloads, raw GraphQL queries, and multipart file upload formats. By standardizing GraphQL parsing, the module enhances the capability of WAF rules to detect malicious content within GraphQL payloads.
Example:
Input: HelloWorld{ desc(Hello:"World"){ Hello } }
Output: key:Hello,value:World
Decoding
Base64 Decoding
Description: The Base64 decoding engine implements the reverse conversion algorithm for Base64 encoding defined in RFC 4648. This module uses the standard Base64 character set (A-Z, a-z, 0-9, +, /) and the padding character (=) for standardized processing. The decoding process includes character validation, padding handling, byte alignment, and data integrity checks to ensure the accuracy and reliability of binary data transmission.
Example:
Input: SGVsbG8gV29ybGQh
Output: Hello World!
HTML Entity Decoding
Description: The HTML entity decoding engine is implemented based on the HTML 5.2 specification (W3C Recommendation) to parse character entity references. This module supports the standardized processing of numeric character references (decimal &#nnnn; and hexadecimal &#xhhhh;) and named character entities (&name;).
Example:
Input: Hello World!
Output: Hello World!
PHP Deserialization
Description: The PHP serialization decoding engine implements the reverse operation of the PHP serialize() function. This module, based on the PHP serialization protocol, parses the syntax structure of the serialized format, including type identifiers (such as i, s, a, or O), length metadata, and recursive data structures. The decoding process includes type validation, memory safety checks, and object graph reconstruction, supporting the full parsing of scalar types, compound types, and object serialization.
Example:
Input: payload=O:5:"Hello":1:{s:4:"desc";s:6:"World!";}
Output: key:payload.Hello.desc,value:World!
Java Deserialization
Description: Java Deserialization is based on the Java serialization protocol and implements the reverse operation of ObjectInputStream. This module parses the binary format of the Java serialization stream, including class descriptors, field metadata, and object state information. The decoding process follows the JVM serialization specification and supports the recursive parsing of complex object graphs.
Example:
Input: rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABdAAFSGVsbG90AAZXb3JsZCF4
Output: extracted Java class java.util.HashMap
UTF-7 Decoding
Description: The UTF-7 decoding engine is implemented based on the RFC 2152 standard for variable-length character encoding conversion. This module processes UTF-7 encoding markers (+/-) and Base64-encoded Unicode character sequences. The decoding algorithm supports Unicode transmission in 7-bit ASCII environments, including encoding state machines, character set switching, and compatibility with traditional protocols, making it suitable for email systems and MIME message transmission scenarios.
Example:
Input: +/v8 +AEgAZQBsAGwAbwAgAFcAbwByAGwAZAAh-
Output: Hello World!
Unicode Decoding
Description: Unicode Decoding is a character encoding conversion mechanism based on the Unicode standard (ISO/IEC 10646). This module implements the parsing of UTF-16 escape sequences, supporting the \uXXXX notation (four hexadecimal digits) and the \u{XXXXXX} extended format. The decoding process follows the Unicode 15.0 specification to ensure standardized character encoding.
Example:
Input: \u0048\u0065\u006c\u006c\u006f\u0020\u0057\u006f\u0072\u006c\u0064\u0021
Output: Hello World!
URL Decoding
Description: URL Decoding is based on the RFC 3986 standard and implements the reverse conversion of Percent-Encoding. This mechanism handles the encoding of reserved characters, non-ASCII characters, and special characters in the generic URI syntax. The decoding algorithm follows the application/x-www-form-urlencoded MIME type specification and supports the standard parsing of HTTP request parameters.
Example:
Input: Hello%20World%21
Output: Hello World!
Hex Decoding
Description: Hexadecimal Decoding implements the conversion from a hexadecimal string to binary data based on the RFC 4648 standard. This module uses Big-Endian byte order and supports the standard hexadecimal character set (0-9, A-F, a-f). The decoding process includes input validation, character normalization, and byte alignment.
Example:
Input: \x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21
Output: Hello World!
Octal Decoding
Description: The Octal decoding engine processes character encodings that are represented by a backslash followed by octal digits, such as \123. This module converts octal numbers to their corresponding characters based on the ASCII lookup table, supports the standard octal range of 0–377 (equivalent to 0–255 in decimal), and can batch parse octal escape sequences in mixed text.
Example:
Input: \110\145\154\154\157\040\127\157\162\154\144\041
Output: Hello World!
Decompression
Gzip Decompression
Description: The Gzip decompression engine is implemented based on the RFC 1952 standard and uses the decompression mechanism of the DEFLATE compression algorithm. This module handles the header parsing of the Gzip file format (magic number 0x1f8b, compression method, flags), CRC32 checksum, and decompression of compressed data blocks. The decoding algorithm supports stream processing and batch decompression, including state machine management, multi-member file handling, and error recovery mechanisms. It is suitable for web transmission, file archiving, and data compression scenarios.
Example:
Input: binary file data, presented in hexadecimal format for readability: 1f 8b 08 00 11 39 00 69 00 ff 01 0c 00 f3 ff 48 65 6c 6c 6f 20 57 6f 72 6c 64 21 a3 1c 29 1c 0c 00 00 00
Output: Hello World!
Preprocessing
Comment Stripping
Description: The comment removal module is implemented based on the SQL standard and MySQL extended syntax to identify and remove comment syntax. This module supports two comment formats defined by the ANSI SQL standard: single-line comments (-- followed by any characters to the end of the line) and multi-line comments (any character sequence enclosed by /* */). It is also compatible with MySQL's specific conditional comment syntax (/*! ... */). The process includes comment marker identification, nested comment handling, version condition parsing, and syntax boundary validation. By removing comment content, this enhances the accuracy of the WAF rules engine in detecting malicious SQL statements and effectively reduces the risk of attackers bypassing rules using comments.
Example:
Input: /*!40101 SET */@OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT ;
Output: @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT ;
Whitespace Compression
Description: The whitespace compression module implements a normalization mechanism for whitespace characters. It detects sequences of consecutive whitespace in the input string and compresses multiple consecutive spaces into a single space. The process handles leading, trailing, and intermediate consecutive whitespaces to ensure text format standardization and consistency.
Example:
Input: Hello World!
Output: Hello World!
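An added example, not Alibaba Cloud WAF code, that strings the Decoding and Preprocessing steps of this appendix into one normalization pass (octal, hex, Unicode, Base64 and URL decoding applied until the text stops changing, then SQL comment stripping and whitespace compression), run over the page's own sample inputs; the decoder order, the bounded number of rounds and the whole-token Base64 heuristic are this example's choices, not WAF's documented behaviour.

```python
# Added example (not Alibaba Cloud WAF code): a small normalization pipeline in
# the spirit of the Decoding and Preprocessing sections above. Decoders run
# until the text stops changing (multi-layer encoding), then SQL comments are
# stripped and whitespace is compressed. Decoder order and the whole-token
# Base64 heuristic are choices made for this example.
import base64
import re
from urllib.parse import unquote_plus


def decode_octal(text: str) -> str:
    """\\110 -> H; accepts the 0-377 range (one to three octal digits)."""
    return re.sub(r"\\([0-3][0-7]{2}|[0-7]{1,2})",
                  lambda m: chr(int(m.group(1), 8)), text)

def decode_hex(text: str) -> str:
    """\\x48 -> H."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def _codepoint(m: "re.Match") -> str:
    code = int(m.group(1) or m.group(2), 16)
    return chr(code) if code <= 0x10FFFF else m.group(0)   # leave invalid escapes alone

def decode_unicode(text: str) -> str:
    """\\u0048 and \\u{48} -> H."""
    return re.sub(r"\\u\{([0-9A-Fa-f]{1,6})\}|\\u([0-9A-Fa-f]{4})", _codepoint, text)

def decode_base64(text: str) -> str:
    """Decode only when the whole token is valid standard Base64 and yields printable text."""
    # Decoding every token that merely looks like Base64 can mangle legitimate
    # input, which is one reason to keep such a decoder switchable rather than always on.
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except ValueError:                      # binascii.Error / UnicodeDecodeError
        return text
    return decoded if decoded.isprintable() else text

def decode_url(text: str) -> str:
    """Percent-decoding as application/x-www-form-urlencoded (%20 and '+' -> space)."""
    return unquote_plus(text)

def strip_sql_comments(text: str) -> str:
    """Remove -- line comments, /* */ blocks and MySQL /*! ... */ conditional comments."""
    # Following the page's example, the conditional comment is dropped whole,
    # including its content.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"--[^\n]*", "", text)

def compress_whitespace(text: str) -> str:
    """Collapse runs of whitespace to one space and trim the ends."""
    return re.sub(r"\s+", " ", text).strip()

# Base64 runs before URL decoding so a '+' inside a Base64 token is not turned into a space.
DECODERS = (decode_octal, decode_hex, decode_unicode, decode_base64, decode_url)

def normalize(payload: str, max_rounds: int = 4) -> str:
    """Decode layer by layer (bounded), then apply the preprocessing steps."""
    for _ in range(max_rounds):
        before = payload
        for decoder in DECODERS:
            payload = decoder(payload)
        if payload == before:
            break
    return compress_whitespace(strip_sql_comments(payload))
```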