After you add a website to Web Application Firewall (WAF), you can enable the website tamper-proofing feature for the website. The feature helps you lock web pages that require protection, such as web pages that contain sensitive information. When a locked web page is requested, the page that is cached in WAF is returned. This way, malicious modification of web pages is prevented.



  1. Log on to the WAF console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure a whitelist. Switch Domain Name
  5. Click the Web Security tab and find the Website Tamper-proofing section. Then, turn on Status and click Settings.
    Notice After the website tamper-proofing feature is enabled, all requests that are destined for your website are checked by the feature. You can configure a data security rule. This way, the requests that meet the specified conditions in the rule can bypass the check. For more information, see Configure a whitelist for Data Security.
    Website Tamper-proofing
  6. Create a website tamper-proofing rule.
    1. On the Website Tamper-proofing page, click Add Rule.
    2. In the Create Rule dialog box, configure the Service Name and URL parameters for the web page that you want to protect.
      • Service Name: Specify the name of the service that is provided on the web page.
      • URL: Specify the exact path of the web page. The path must start with http:// or https://. Wildcard characters or parameters are not supported. For example, you cannot specify /* or /abc? xxx=. The feature protects text data, HTML pages, and images in the specified path.
      Create a rule
    3. Click Confirm.
    By default, the rule is disabled after a website tamper-proofing rule is created. You can view the website tamper-proofing rule that you created in the rule list. The Protection Status switch of the rule is turned off. Protection status-disabled
  7. Enable the rule. Find the rule that you want to enable in the rule list and turn on Protection Status. Protection status-enabled
    If you request the specified web page after you enable the rule, the page that is cached in WAF is returned.
  8. Optional:Update cached data. Find the rule that is enabled in the rule list and click Refresh Cache in the Protection Status column.
    Notice If a protected web page is updated, click Refresh Cache to update the data that is cached in WAF. If you do not update the cached data when the protected page is updated, WAF returns the most recent page that is stored in the cache.