Web Application Firewall:Protect web applications with bot management

Last Updated:Dec 04, 2025

Create a bot management web protection template to secure your web applications, such as websites, H5 pages, and H5 pages embedded in mobile apps, from threats such as malicious crawlers, automated script attacks, and scalper bots.

Procedure

Go to the Web Protection page. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of your Web Application Firewall (WAF) instance. Click Create Template.

Step 1: Define the protection scenario

  1. Enter a Template Name and Template Description.

  2. Select the Traffic Characteristics. You can choose between Global and Customize Match Conditions.

    • Global: Applies to scenarios that involve only web or H5 environments.

    • Customize Match Conditions: Applies to scenarios that involve app or miniapp environments in addition to web or H5 environments, or scenarios where you need to protect specific business endpoints, such as logon or flash sale endpoints.

      Global

      If you select Global, you do not need to define specific match conditions.

      Customize Match Conditions

      WAF matches requests based on the conditions you define. Click Add Condition to add a condition. Each condition consists of a Match Field, a Logical Operator, and the Match Content. The following table provides configuration examples.

      Note

      If a rule has multiple conditions, a request must meet all of them (a logical AND) to hit the rule. For more information about match fields and logical operators, see Match conditions.

      Match Field | Logical Operator | Match Content | Description
      URI Path    | Contains         | /login.php    | Matches if the request path contains /login.php.
      IP          | Belongs to       | 192.1.XX.XX   | Matches if the client IP is 192.1.XX.XX.

  3. Select whether to Exclude Static Files. Requests for static files usually do not involve business logic, and their content is not susceptible to injection attacks. Excluding static files can reduce the detection workload and allow WAF to focus on protecting dynamic APIs. We recommend selecting the default static file types. You can also add custom types.

  4. Click Create Template.

Step 2: Edit template rules

  1. On the Edit page, in the CAPTCHA Verification section, click Edit to configure the CAPTCHA rules.

    1. Select a verification mode. JavaScript Validation and Token-based Authentication are supported.

      • JavaScript Validation: Suitable for low-intensity daily protection scenarios.

      • Token-based Authentication: Suitable for high-intensity adversarial scenarios. We recommend enabling this mode during critical protection periods, such as a few minutes before a major sales promotion.

        JavaScript Validation

        When a rule is triggered, WAF returns a block of JavaScript code. A standard browser client executes the code to obtain a pass token and resends the request. Malicious traffic is blocked because it does not carry the pass token. Once authenticated, the client can make subsequent requests for a set period (30 minutes by default) without further verification.

        Token-based Authentication

        When a rule is triggered, WAF returns a block of JavaScript code. A standard browser client executes the code to sign the request and resend it. WAF blocks malicious requests that lack the required signature. Options include the following:

        • Signature Timestamp Exception: Blocks requests if the signature timestamp is abnormal.

        • WebDriver Attack: Blocks requests if a WebDriver attack is detected.

    2. In the Canary Release section, you can configure the percentage of traffic that is affected by the rule based on a dimension. After you enable canary release, you must set a Dimension and a Canary Release Proportion. The available options for Dimension are IP, Custom Header, Custom Parameter, Custom Cookie, Session, and Web UMID.

      Note

      A canary release takes effect based on the configured Dimension, not by randomly applying the rule to a percentage of requests. For example, if the Dimension is IP and the Canary Release Proportion is 10%, WAF selects approximately 10% of the IP addresses. WAF then applies the rule to all requests from these selected IP addresses, not to a random 10% of all requests.

    3. In the Effective Mode section, select when the rule takes effect.

      • Permanently Effective (Default): The rule is always active when the protection template is enabled.

      • Fixed Schedule: The protection rule is active only during a specified time period.

      • Recurring Schedule: The protection rule is active only during a specified recurring schedule.

  2. In the Risk Identification section, you can click Create to create a fraud detection rule. This feature blocks access from suspicious phone numbers by checking them against WAF's built-in phone number reputation database. It is suitable for scenarios such as phone number-based logon and registration. For more information, see Fraud Detection.

  3. In the Policy Configurations section, rules are categorized into three types based on common bot features identified from Alibaba Cloud's extensive experience: Malicious Bot, Suspected Bot, and Legitimate Bot. You can click the switch in the Status column of a rule to enable or disable it, or click Edit to modify it.

    Important
    • Risk of false positives: Some of the following rules carry a risk of false positives, and improper configuration may cause legitimate requests to be blocked. Before you enable rules in a production environment, we recommend that you set the Actions to Monitor, or use Canary Release. We recommend that you first test and fine-tune the rules in a non-production environment based on your business characteristics before you deploy them to production.

    • Statistics for CC-based rules: All CC counting rules (such as Few Access Paths from IP Address) trigger an immediate action once the threshold is reached within the configured statistical period. The system does not wait for the statistical period to end. After a statistical object is added to the blacklist, if requests from the object continue to trigger the rule, the system continues to count the requests and refreshes the blacklist timeout period for the object.

    1. Configuration recommendations

      Malicious Bot

      Rule category   | Rule name                                                                                                          | False positive risk
      Browser probe   | Developer tools, emulator tools                                                                                    | Low
      Browser probe   | Abnormal browser environment                                                                                       | Low
      Browser probe   | Automation tools, headless browsers                                                                                | Low
      Browser probe   | Abnormal system environment                                                                                        | Low. May affect some users on the Windows XP operating system.
      Browser probe   | Abnormal timestamp                                                                                                 | Medium. May block requests submitted from a webpage that has been open for more than 2 hours without being refreshed.
      Browser probe   | Abnormal Web SDK version                                                                                           | Low. May affect users with older, manually integrated versions of the web SDK.
      Device spoofing | Device hardware information spoofing, browser attribute spoofing, operating system and environment spoofing       | Low
      Device spoofing | Collected information spoofing, network and geolocation spoofing                                                   | Low. If a Layer 7 proxy, such as CDN or Anti-DDoS, is deployed in front of WAF and the proxy setting is not enabled, inaccurate source IP identification may cause false positives.
      Crawler clients | AI crawler traffic, such as Meta-ExternalAgent, PerplexityBot, and ChatGPT                                         | Low
      Crawler clients | Python tool traffic                                                                                                | Low
      Crawler clients | Crawler tool traffic                                                                                               | Low

      Suspected Bot

      Rule category            | Rule name                                                                                                              | False positive risk
      Behavior analytics       | All rules                                                                                                              | Medium. May block users with low mouse sensitivity.
      Script clients           | All rules                                                                                                              | Low. The impact depends on your business. For example, the Okhttp tool traffic rule cannot be enabled in a native app environment. The Dart tool traffic rule cannot be enabled if your service is built with Flutter.
      IDC data centers         | All rules                                                                                                              | Medium. May block legitimate traffic in scenarios such as payment callbacks, access from Alibaba Cloud Elastic Desktop Service, or when a Layer 7 proxy is deployed in front of WAF without the proxy setting enabled.
      Threat intelligence      | Forged search engine spiders                                                                                           | Low
      Threat intelligence      | Bot threat intelligence IP library, bot threat intelligence fingerprint library                                        | Medium. In scenarios with shared public egress IP addresses, such as residential or corporate networks, or when a Layer 7 proxy is deployed in front of WAF without the proxy setting enabled, inaccurate source IP identification can cause false positives. Set the action to Slider or JavaScript Validation.
      Intelligent protection   | Abnormal path sequence, abnormal device, malicious group behavior, abnormal resource distribution, time-series anomaly | Medium. In scenarios with shared public egress IP addresses, such as residential or corporate networks, or when a Layer 7 proxy is deployed in front of WAF without the proxy setting enabled, inaccurate source IP identification can cause false positives. Set the action to Slider or JavaScript Validation.
      Intelligent protection   | Session anomaly                                                                                                        | High. In scenarios with shared public egress IP addresses, such as residential or corporate networks, or when a Layer 7 proxy is deployed in front of WAF without the proxy setting enabled, inaccurate source IP identification can cause false positives. Set the action to Slider or JavaScript Validation.
      Access behavior analysis | Persistent access without collected information, persistent access without session                                    | Low. Web SDK integration is required. Otherwise, no information is collected.
      Access behavior analysis | Bulk replay of interaction trajectories                                                                                | Low
      Access behavior analysis | Frequent IP changes for the same session, frequent IP changes for the same device                                      | Low
      Access behavior analysis | Few IP access paths, many IP access paths, frequent changes in client types, frequent UA changes for the same IP       | Medium. In scenarios with shared public egress IP addresses, such as residential or corporate networks, or when a Layer 7 proxy is deployed in front of WAF without the proxy setting enabled, inaccurate source IP identification can cause false positives. Set the action to Slider or JavaScript Validation.

      Legitimate Bot

      Rule category  | Rule name | False positive risk
      Normal clients | All rules | Keep the default configuration to allow these requests.

    2. Edit rule actions

      JavaScript Validation: WAF returns a block of JavaScript validation code to the client. A standard browser automatically executes this code. If the client completes execution successfully, WAF allows all requests from that client for a period of time, 30 minutes by default. Otherwise, the requests are blocked.

      Block: Blocks requests that match the rule and returns a block page to the client.

      Note

      WAF uses a default block page. You can also create a custom block page using the Custom Response feature.

      Monitor: This action does not block requests that match the rule but only logs them. When you test a rule, use Monitor mode first and analyze WAF logs to confirm that no false positives occur. Then change the rule to a different action.

      Slider CAPTCHA: WAF returns a slider verification page to the client. If the client successfully completes the slider challenge, WAF allows all requests from that client for a period of time, 30 minutes by default. Otherwise, the requests are blocked.

      Strict Slider CAPTCHA: WAF returns a slider verification page to the client. If the client successfully completes the slider challenge, the current request is allowed. Otherwise, the request is blocked. In this mode, the client must complete a slider challenge for every request that matches the rule.

      Add Tag: You can define a custom header name and content, including rule type, rule ID, and web UMID. WAF does not process the request directly but instead adds a header to forward the hit information to the origin server. You can integrate this with your backend risk control system for business-side processing.

      Note

      When JavaScript Validation or Slider CAPTCHA is enabled, WAF sets a cookie named acw_sc__v2 (for JavaScript Validation) or acw_sc__v3 (for Slider CAPTCHA) in the Set-Cookie header of the response. The client includes this identifier in the Cookie header of subsequent requests.

    3. Edit Canary Release and Effective Mode.

  4. Click Next.

Step 3: Select the effective scope

On the Configure Effective Scope page, select the protected objects or protected object groups, click the icon to add them to the Selected area, and then click OK.

Step 4: Integrate the web SDK

Important
  • Bot mitigation capabilities depend on the information collected by the software development kit (SDK). If you skip this step, your applications will not be fully protected. We strongly recommend that you integrate the SDK.

  • If the protected object involves internal cross-region endpoints, enable automatic integration for the corresponding domain names on the Web SDK Integration page, or manually integrate the SDK.

Alibaba Cloud provides a JavaScript-based SDK to enhance protection for web browsers and resolve potential compatibility issues. Two integration methods are available: automatic and manual.

  • Automatic integration: Enable integration with a single click. You do not need to modify your business code.

  • Manual integration: Automatic injection of the Web SDK is not supported for protected objects that are added to WAF using Application Load Balancer (ALB), Microservices Engine (MSE), API Gateway (APIG), Function Compute (FC), or Serverless App Engine (SAE). You must manually integrate the Web SDK.

Automatic integration

In the upper-right corner of the Web Protection page, click Web SDK Integration. Then, enable automatic web SDK injection for the protected object.

Note
  • After you create a web protection template and enable automatic web SDK integration, the ssxmod_itna, ssxmod_itna2, and ssxmod_itna3 cookies are inserted into the HTTP header to collect client browser fingerprint information. This information includes the host field of the HTTP header, browser height and width, and other details.

  • After you enable automatic integration, the system automatically injects the SDK into the HTML pages of the corresponding protected objects. The SDK is used to collect browser environment information, probe data for illicit tools, and operation behavior logs. It does not collect sensitive personal information.

Manual integration

In the upper-right corner of the Web Protection page, click Web SDK Integration, and then click Obtain SDK. Place the obtained <script> tag before all other <script> tags on your page to ensure it loads first.

Routine O&M

  • Edit a template

    Click Edit in the Actions column for the target template. Modify the template in the Edit panel.

  • Delete a template

    Click Delete in the Actions column for the target template. In the Delete dialog box, confirm the information and click OK.

  • Copy a template

    Click Copy in the Actions column for the target template. In the Copy dialog box, confirm the information and click OK.

  • Enable or disable a template

    Click the switch in the Status column for the target template to enable or disable it.

  • View rules

    Click the icon for the target template to view its rules. Click the switch in the Status column for the target rule to enable or disable it.

Going live

To avoid service disruptions, do not create and enable new templates directly in a production environment. Follow the deployment process below.

  1. Configure a whitelist: Before you create a template, we recommend that you create a whitelist rule to add trusted IP addresses to the whitelist. This prevents trusted requests from being incorrectly blocked by new rules.

  2. Perform canary testing: After the template is created, you can use one of the following three methods to observe and test it before you deploy it to your production environment.

    • Apply the rules to a non-production environment for testing.

    • Set the Actions to Monitor.

    • Enable Canary Release.

  3. Analyze test results: After the template has been running for a period of time, review the security reports and logs to check for false positives among the requests that triggered the rules.

  4. Apply to the production environment: After you confirm that the false positive rate is within an acceptable range, change the rule action as needed and apply the template to your production environment.

  5. Continuously monitor and optimize: Continuously monitor security reports and logs. Dynamically adjust and optimize the rules based on business changes and their actual effectiveness.

Quotas and limitations

  • The Browser Probe, Device Forgery, Operation Behavior Analysis, AI Protection, and Access Behavior Analysis rules in the Policy Configurations section require Web SDK integration to function correctly.

  • The Crawler, Script Client, AI Protection, and Access Behavior Analysis rules in the Policy Configurations section do not support protected objects that are added to WAF using ALB, MSE, API Gateway, FC, or SAE.

  • Automatic integration of the Web SDK is not supported for protected objects that are added to WAF using ALB, MSE, API Gateway, FC, or SAE. You must integrate the Web SDK manually.