
Web Application Firewall: Configure data leakage prevention

Last Updated: Apr 22, 2026

After a website is onboarded to Web Application Firewall (WAF), you can enable the data leakage prevention feature for it. Data leakage prevention inspects server responses, including error pages, for sensitive information such as ID card numbers, phone numbers, bank card numbers, and sensitive words. When it finds a match, it masks the sensitive information before the response is returned to the client, or replaces the response with a default error page.

Important

The data leakage prevention feature currently supports data formats used in the Chinese Mainland, such as ID card numbers, mobile phone numbers, and credit card numbers. It does not support formats for these data types from outside the Chinese Mainland.

Prerequisites

  • You have activated a WAF instance that meets the following requirements:

    • If the instance region is Chinese Mainland, the instance must be Pro or higher.

    • If the instance region is Outside Chinese Mainland, the instance must be Enterprise or higher.

  • Your website has been added to WAF. For more information, see Tutorials.

Background information

The data leakage prevention feature in WAF helps you protect personal information and meet data security regulations. It provides data masking and alerting for sensitive data found in your website's responses, such as mobile phone numbers, ID card numbers, and credit card numbers. The feature also allows you to block responses that carry specific HTTP status codes.

Features

Common causes of data leakage include unauthorized URL access, privilege escalation vulnerabilities, and malicious web scraping. To mitigate these risks, the data leakage prevention feature provides the following capabilities:

  • It detects sensitive personal data, such as ID card numbers, mobile phone numbers, and credit card numbers, on your web pages and provides protective measures like alerts and data masking to prevent data breaches.

  • It prevents the exposure of sensitive server information, such as the type and version of web application software and operating systems, by blocking such responses.

  • It uses a built-in library of sensitive keywords to detect their presence on your web pages and provides protective actions like alerts and keyword masking.

How it works

Data leakage prevention inspects response pages for sensitive information, such as ID card numbers, mobile phone numbers, and credit card numbers, based on the rules you configure. When WAF finds a match, it takes the specified action, which can be to generate an alert or filter the sensitive information. The filtering action masks the data by replacing parts of it with asterisks (*).

The data leakage prevention feature supports Content-Types such as text/*, image/*, and application/*, covering web applications, mobile apps, and API interfaces.

Procedure

  1. Log on to the Web Application Firewall (WAF) console. In the top menu bar, select the resource group and region for your WAF instance: Chinese Mainland or Outside Chinese Mainland.

  2. In the left navigation pane, choose Protection Config > Website Protection.

  3. On the Website Protection page, switch to the domain name that you want to configure.

  4. Click the Web Security tab, find the Data Leakage Prevention section, turn on the Status switch, and then click Configure Now.

    Important
    • You must enable data leakage prevention before you can create protection rules.

    • After you enable data leakage prevention, WAF inspects all requests to your website by default. You can configure a data security whitelist to allow requests that meet specific conditions to bypass this inspection. For more information, see Configure a data security whitelist.

  5. Create a data leakage prevention rule.

    1. On the Data Leakage Prevention page, click Create Rule.

    2. In the Create Rule dialog box, configure the following parameters.

      Parameter

      Description

      Rule Name

      Enter a name for the rule.

      Match Condition

      Define the type of sensitive information to detect in the response. Valid values:

      • Status Code: 400, 401, 402, 403, 404, 500, 501, 502, 503, 504, 405-499, and 505-599

      • Sensitive Information: ID Card Number, Credit Card Number, Mobile Phone Number, and Default Sensitive Word

      You can select one or more types for Status Code and Sensitive Information.

      If you select AND, you can add a URL condition so that the rule applies only to responses whose URL matches, which limits detection to a specific page or path.

      Action

      Define the action to take when a match is found in the response.

      • If the match condition is Status Code, the following actions are available:

        • Alert: Generates an alert.

        • Block: Blocks the response and returns a block page.

      • If the match condition is Sensitive Information, the following actions are available:

        • Alert: Generates an alert.

        • Filter Sensitive Information: Masks the sensitive information.

      Rule configuration examples

      • Mask sensitive information: To mask sensitive information such as mobile phone numbers and ID card numbers, create a rule with the following settings:

        • Match Condition: Sensitive Information contains ID Card Number and Mobile Phone Number.

        • Action: Filter Sensitive Information.

        After this rule is applied, all mobile phone numbers and ID card numbers found in your website's responses are automatically masked.

        Important

        This rule also masks phone numbers that are meant to be public, such as business inquiry or support hotline numbers. To avoid this, add a URL condition so that the rule applies only to pages that display customer data, or add the public pages to a data security whitelist so that their responses bypass inspection.

      • Block by status code: To block or generate alerts for specific HTTP status codes to prevent server information leakage, create a rule with the following settings. This example blocks responses with an HTTP 404 status code.

        • Match Condition: Status Code contains 404.

        • Action: Block.

        After this rule is applied, if a user requests a non-existent page on your website, WAF returns its block page instead of the origin server's 404 page. Because the origin's default error page is never sent, a scanner cannot use it to fingerprint the web server software or version.

      • Filter sensitive information on a specific URL: To filter sensitive information like ID card numbers on a specific page, create a rule with the following settings. This example filters ID card numbers on the admin.php page.

        • Match Condition: Sensitive Information contains ID Card Number, and URL contains admin.php.

        • Action: Filter Sensitive Information.

        After this rule is applied, only the ID card numbers on the admin.php page are automatically masked.

    3. Click OK.

      After a rule is created, it is activated automatically. You can view, edit, or delete the rule from the rule list.
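The following is an added example, not Alibaba Cloud WAF code, that models the behavior described under "How it works" and the three rule configuration examples above: detectors for Chinese mainland ID card, bank card, and mobile numbers, asterisk masking, status-code blocking, and the optional URL condition. The regular expressions, the checksum validation (mod-11 for ID cards, Luhn for bank cards), the 403 block page, and the sample response are this example's own assumptions; the page does not state how WAF validates matches or which status its block page uses.

```python
# Added example (not Alibaba Cloud WAF code): a minimal model of the data
# leakage prevention rules described on this page. Chinese mainland formats
# only; checksum validation and the 403 block page are this example's assumptions.
import re
from dataclasses import dataclass, replace

ID_CARD_RE = re.compile(r"(?<![\dXx])\d{17}[\dXx](?![\dXx])")  # 18-char citizen ID
BANK_CARD_RE = re.compile(r"(?<!\d)\d{16,19}(?!\d)")
MOBILE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")  # 11-digit mainland mobile number
ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
ID_CHECK_CHARS = "10X98765432"

def is_valid_id_card(s: str) -> bool:
    """GB 11643 check digit: weighted sum of the first 17 digits mod 11 selects the check char."""
    total = sum(int(c) * w for c, w in zip(s[:17], ID_WEIGHTS))
    return ID_CHECK_CHARS[total % 11] == s[17].upper()

def luhn_ok(s: str) -> bool:
    """Luhn check used by bank card numbers: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# kind -> (pattern, validator, leading chars kept, trailing chars kept). Dict order is
# detector priority: an 18-digit ID card also satisfies \d{16,19}, so it is masked first.
DETECTORS = {
    "id_card": (ID_CARD_RE, is_valid_id_card, 6, 4),
    "bank_card": (BANK_CARD_RE, luhn_ok, 6, 4),
    "mobile": (MOBILE_RE, lambda s: True, 3, 4),
}

def mask_sensitive(body: str, kinds) -> tuple:
    """Mask validated matches of the selected kinds; return (new body, findings)."""
    findings = []
    for kind in DETECTORS:
        if kind not in kinds:
            continue
        pattern, validate, head, tail = DETECTORS[kind]
        def repl(m: re.Match) -> str:
            raw = m.group(0)
            if not validate(raw):  # checksum failure: not real PII, leave it
                return raw
            findings.append((kind, raw))
            return raw[:head] + "*" * (len(raw) - head - tail) + raw[-tail:]
        body = pattern.sub(repl, body)  # sub runs now, so repl sees this iteration's kind
    return body, findings

@dataclass
class Response:
    url: str
    status: int
    content_type: str
    body: str

@dataclass
class Rule:
    name: str
    action: str  # "alert" | "block" | "filter"
    status_codes: frozenset = frozenset()
    sensitive: frozenset = frozenset()  # subset of DETECTORS keys
    url_contains: str = ""  # the optional AND URL condition; "" means any URL

INSPECTED_PREFIXES = ("text/", "image/", "application/")  # Content-Types the page lists
BLOCK_STATUS, BLOCK_BODY = 403, "<h1>Request blocked by WAF</h1>"  # assumed block page

def apply_rules(resp: Response, rules: list) -> tuple:
    """Evaluate rules in order; return the (possibly rewritten) response and alert events."""
    events = []
    if not resp.content_type.startswith(INSPECTED_PREFIXES):
        return resp, events
    body = resp.body
    for rule in rules:
        if rule.url_contains and rule.url_contains not in resp.url:
            continue
        if resp.status in rule.status_codes:
            events.append((rule.name, "status", str(resp.status)))
            if rule.action == "block":
                return replace(resp, status=BLOCK_STATUS, content_type="text/html", body=BLOCK_BODY), events
        if rule.sensitive:
            new_body, found = mask_sensitive(body, rule.sensitive)
            events.extend((rule.name, kind, raw) for kind, raw in found)
            if rule.action == "filter":  # "alert" records the finding but leaves the body
                body = new_body
    return replace(resp, body=body), events

# Constructed sample response (no real personal data) and the page's three example rules.
SAMPLE = Response("https://example.com/admin.php?id=7", 200, "text/html; charset=utf-8",
                  "<p>Customer ID 11010519491231002X, mobile 13812345678, card 6225881234567898. Hotline: 13900000000</p>")
RULES = [
    Rule("mask-pii", "filter", sensitive=frozenset({"id_card", "mobile"})),
    Rule("block-404", "block", status_codes=frozenset({404})),
    Rule("admin-ids", "filter", sensitive=frozenset({"id_card"}), url_contains="admin.php"),
]

if __name__ == "__main__":
    print(apply_rules(SAMPLE, RULES))
```

Running the sample shows the caveat from the first rule example: the support hotline 13900000000 is masked along with the customer's mobile number because the "mask-pii" rule has no URL condition, while the bank card number is left alone because no rule selects it. A status code range such as 405-499 maps to `frozenset(range(405, 500))` in this model.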

Next steps

After you enable data leakage prevention, go to the Security Report page to view the logs of filtered or blocked requests in the Web Security > Data Leakage Prevention report. For more information, see WAF security reports.