This topic describes the release notes for Web Application Firewall (WAF) and provides links to the relevant references.


2022-11-23: Support for WAF protection for Layer 4 Classic Load Balancer (CLB) instances, Layer 7 CLB instances, and Elastic Compute Service (ECS) instances
You can specify traffic redirection ports to add Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances to WAF.

2022-11-17: Support for specification downgrade in the WAF console
You can downgrade the following specifications in the WAF console: extended queries per second (QPS), burstable QPS threshold, extra domains, and log storage capacity.
Reference: Upgrade and downgrade WAF instances

2022-10-30: Available API operations in WAF 3.0
API operations for common configurations in the console are provided to allow you to perform batch processing.
Reference: API overview

2022-10-27: Support for the burstable QPS (pay-as-you-go) feature and sandbox feature in WAF 3.0
The burstable QPS (pay-as-you-go) feature is suitable for scenarios in which expected traffic spikes or unexpected traffic spikes occur, such as traffic spikes during promotional events. In these scenarios, the peak traffic may exceed the sum of the QPS specifications that are supported by your WAF edition and extended QPS specifications. If you enable this feature, you are charged based on the usage of excess QPS resources. The feature helps ensure service continuity and prevents your domain names from being added to a sandbox when the peak service traffic exceeds the current QPS specifications.
Reference: None

2022-10-19: Support for the monitoring and alerting feature in WAF 3.0
You can configure alert rules to enable WAF to send alert notifications when attacks and abnormal traffic are detected in access requests. This way, you can check the security status of your business in a timely manner.
Reference: Configure WAF alerting

2022-09-23: Support for custom header fields that record the source ports of clients
If you select Enable Traffic Mark and then select Source Port when you add a website to WAF, you can configure a custom header to record the source port of a client. This way, your origin server can obtain the actual port of the client.
Reference: Add a domain name

2022-08-24: Support for custom timeout periods for back-to-origin requests
When you add a website to WAF, you can specify custom timeout periods for new connections, read connections, and write connections based on your business requirements.
Reference: Add a domain name

2022-08-12: Support for the transparent proxy mode in WAF 2.0
If your origin server is an ECS instance or is added to a Server Load Balancer (SLB) instance, you can add a website to WAF in transparent proxy mode.
Reference: Add a website in transparent proxy mode

2022-07-22: Support for data leakage prevention in WAF 3.0
The data leakage prevention module filters abnormal content returned from the origin and masks sensitive information such as ID card numbers, phone numbers, bank card numbers, and sensitive words. Then, WAF returns the masked information or default response pages.
Reference: Configure the data leakage prevention module

2022-07-22: Support for website tamper-proofing in WAF 3.0
The website tamper-proofing module allows you to lock web pages that require protection, such as web pages that contain sensitive information. When a locked web page is requested, WAF returns a cached version of the page. This helps prevent website tampering.
Reference: Configure the website tamper-proofing module

2022-07-20: Support for the subscription billing method in WAF 3.0
If you use the subscription billing method, you must pay subscription fees before you use the service. This billing method allows you to reserve resources and reduce costs based on discounted rates.
Reference: Subscription billing method

2022-07-14: Support for the asset center feature in WAF 3.0
You can use the asset center feature to identify domain names on Alibaba Cloud and outside Alibaba Cloud, and assess risks based on the attack status of the domain names on the cloud. This way, you can obtain the overall protection status of your domain names.
Reference: Asset Center

2022-06-23: Support for bot management in WAF 3.0
This feature allows you to configure custom anti-crawler rules for websites and apps based on your business requirements and protects your business from malicious crawlers.

2022-05-30: Support for major event protection in WAF 3.0
You can use a protection plan to configure cookie security-related capabilities and protection capabilities based on protection rule groups for major events, IP address blacklists, and collaborative defense. This helps improve protection for customers in attack-and-defense scenarios.
Reference: None

2022-04-21: Support for HTTP flood protection in WAF 3.0
The HTTP flood protection module helps defend against HTTP flood attacks on websites. If WAF blocks HTTP flood attacks, WAF returns 405 error pages to clients.
Reference: Configure the HTTP flood protection module

2022-04-21: Support for region blacklist in WAF 3.0
The region blacklist module identifies the source regions of requests. You can configure the module to block or allow requests from specific regions to prevent malicious requests.
Reference: Configure the region blacklist module

2022-04-18: Support for dynamic token-based authentication in WAF 2.0
Dynamic token-based authentication is integrated into the scenario-specific anti-crawler rule configuration feature. This way, you can solve the security and compatibility issues of CAPTCHA verification. You can add a signature to a web request to perform dynamic token-based authentication. When a client sends a request, WebSDK provided by WAF generates a signature for the request. The signature is sent together with the request to WAF. If the signature is verified, the request is forwarded to the origin server. If the signature fails the authentication, a code block is returned for the client to obtain a dynamic token and the client must add a signature to the request again.
Reference: Configure anti-crawler rules for websites

2022-01-22: Release of WAF 3.0
WAF 3.0 allows you to add websites in CNAME record mode that is also supported in WAF 2.0. WAF 3.0 is integrated into the cloud-native architecture of other cloud services such as Application Load Balancer (ALB). This way, you can add websites in cloud-native mode. WAF 3.0 provides more features and a new console to allow you to configure protection settings in an efficient manner to improve user experience.
Reference: Release notes for WAF 3.0

2022-01-19: Support for intelligent rule hosting in the protection rules engine feature of WAF 2.0
The feature allows you to configure the protection rules engine to protect your websites against common web attacks. The common web attacks include SQL injections, cross-site scripting (XSS) attacks, webshell uploads, command injections, backdoor isolation, invalid file requests, path traversal, and common application attacks.
Reference: Configure the protection rules engine feature


2021-09-18: Support for custom header fields that record the actual IP addresses of clients
Custom header fields can be used to record the actual IP addresses of clients. When you add a website to WAF, you can enable the WAF traffic marking feature and configure custom header fields to record the actual IP addresses of clients. After you enable the WAF traffic marking feature, origin servers can obtain the actual IP addresses of clients from custom header fields that are included in WAF back-to-origin requests.
You can use the WAF traffic marking feature only after you configure the custom header fields that can record the actual IP addresses of clients for the origin servers.
Reference: Add a domain name

2021-08-13: Upgraded Log Service for WAF
The Log Service for WAF feature is upgraded.
  • Some log fields are added. Log fields are classified into optional fields and required fields. By default, the first time you enable the Log Service for WAF feature, only the required fields are included in logs. You can modify the log settings to include optional log fields in logs.
  • Log settings can be modified. For example, you can change the log storage period, modify optional log fields, and change the log storage type on the Log Settings page. The log storage type can be Logs or Block Logs.
  • Logs can be queried by using search conditions. After you specify search conditions, the system automatically generates the query statement.
References: Log fields supported by WAF; Modify log settings

2021-07-30: Support for origin SNI
You can select Enable Origin SNI when you add a website to WAF in CNAME record mode. If your website uses HTTPS and the origin server hosts multiple domain names, you can enable this feature after you select HTTPS. This way, you can add a Server Name Indication (SNI) field in a WAF back-to-origin request to specify the domain name that you want to access.
Reference: Add a domain name

2021-06-22: Support for server ports in custom protection policies
The Server-Port field is added and can be used as a match field in custom protection policies. The field is supported only for WAF instances that run Enterprise Edition or higher.
Reference: Fields in match conditions

2021-05-11: Support for console-based cluster deployment and node management in Hybrid Cloud WAF
The following features are supported by Hybrid Cloud WAF:
  • You can install the WAF agent on your on-premises servers to perform remote deployment, upgrade, and management of protection clusters.
  • You can configure the initial settings of your protection clusters in the WAF console. You can create node groups, add nodes to the node groups, and manage nodes in the node groups. The management operations include querying and deleting nodes from a node group.
References: Install the WAF agent; Deploy a protection cluster for Hybrid Cloud WAF

2021-05-08: Support for custom header fields that are used to obtain actual IP addresses of clients
The Obtain Source IP Address parameter is supported in CNAME record mode. If a Layer 7 proxy, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, is deployed in front of WAF, you can use the value of the specified header field as the actual IP address of the client. If multiple header fields are specified, you can obtain the actual IP address of the client from the fields in sequence.
Reference: Add a domain name

2021-04-01: Support for IPv6 addresses of origin servers
The IPv6 addresses of origin servers can be specified for Destination Server (IP Address) in CNAME record mode. This feature is suitable for users that need to upgrade their network from IPv4 to IPv6 in the finance sector, government sector, and enterprise sector.
Reference: Add a domain name

2021-03-23: Support for threat event analysis on the Overview page
The threat event analysis module is added to the Overview page. Threat events are generated based on the analysis of a large number of attack alerts. You can use this module to identify attack sources and defend against the attacks. This feature is suitable for scenarios in which your services are at risk of web attacks and you want to obtain threat events based on a large number of alerts.
Reference: View Protection History on the WAF Overview Page

2021-03-18: Support for false positive ignorance on the Security Report page
False positives can be ignored on the Security Report page. WAF can automatically generate whitelist rules for specific rules. You can also add whitelist rules for Web Intrusion Prevention based on specific rule IDs or rule types. This way, the user experience is improved. This feature is suitable for scenarios in which false positives must be managed at a fine-grained granularity without affecting protection configurations.
Reference: View security reports

2021-01-29: Release of the scenario-specific configuration feature
The scenario-specific configuration feature is released. You can use this feature to configure custom anti-crawler rules to protect your business from malicious crawlers.
Reference: Configure anti-crawler rules for websites

2021-01-15: Support for custom settings of TLS versions and cipher suites
Transport Layer Security (TLS) protocol versions and cipher suites can be selected based on your business requirements. This helps ensure security compliance and compatibility for HTTPS communication in different scenarios. This feature is suitable for scenarios in which some TLS protocols and cipher suites need to be disabled or enabled due to classified protection requirements and compatibility requirements.
Reference: Configure custom TLS settings


2020-10-21: Optimized security report
The security report feature is optimized to filter attack records by rule ID.
Reference: View security reports

2020-06-04: Optimized custom protection rule groups and Overview page
  • Rules in custom rule groups can be automatically updated to improve the security and availability of the groups.
  • The protection rule details and impact scopes of zero-day vulnerabilities are displayed on the Overview page.
References: Customize protection rule groups; View Protection History on the WAF Overview Page

2020-05-18: Support for Terraform
Terraform is supported to meet the O&M requirements of large enterprises. Terraform allows you to perform basic operations, such as domain name management and policy management, by using code.
Note: This feature also enables automated operations in the console. This helps ensure high operational efficiency and eliminate human errors. For more information, see Terraform documentation.

2020-04-10: Optimized user experience
Data on the Overview page can be drilled down to the Security Report page, and data on the Security Report page can be drilled down to the Log Service page. As a result, the data operations form a closed loop.
  • Data in the Protection statistics section of the Overview page can be drilled down to the Security Report page. The ranking on the URL Requests tab shows the domain name information.
  • Statistics on the Access Control/Throttling tab of the Security Report page can be drilled down to the Log Service page. Custom access control rules that match access requests can be viewed and modified.
References: View Protection History on the WAF Overview Page; View security reports

2020-04-02: Support for bot management
Value-added services such as bot management and app protection are supported to provide intelligent protection against automated attacks and intelligent protection for bot traffic. The bot management module ensures trusted connections to protect native apps and defends against bot script abuse.
Note: The bot management module and app protection module are available only in the new protection engine that was released in January 2020. If you use a protection engine of an earlier version, we recommend that you upgrade your protection engine at the earliest opportunity.
References: Configure a whitelist for Bot Management; Overview of app protection

2020-03-04: Support for intelligent load balancing among multiple SLB service nodes
Intelligent load balancing is supported. WAF connects to multiple SLB service nodes to perform automatic disaster recovery and optimal routing at low latency.
Reference: Intelligent load balancing

2020-02-14: Upgraded Log Service for WAF and optimized user experience
The Log Service for WAF feature is upgraded. You can enable the full log feature for specific domain names.
Reference: None

2020-02-10: Upgraded alert feature
The alert notification feature is upgraded to provide basic statistics and details of security events and workload monitoring. Related alerts are provided to support routine O&M.
Reference: Configure WAF alerting

2020-01-15: Upgraded protection capabilities
Fine-grained throttling and robust protection against malicious network traffic are supported in the new protection engine of WAF. The account security feature can be enabled to protect against common HTTP flood attacks, dictionary attacks, and weak password sniffing.
Note: The protection capabilities can be used by all users. Only the users who purchased WAF instances in the console can directly enable these capabilities. Existing users must wait until March 2020 before they upgrade their WAF instances to enable the protection capabilities.
Reference: Configure the protection rules engine feature


2019-12-20: Optimized features in the Exclusive edition
Features in the WAF Exclusive edition are optimized. You can specify a custom request timeout period for your domain name.
Reference: Create an exclusive cluster

2019-11-28: Support for account security detection
The account security feature is used to detect account security risks on logon interfaces. The risks include dictionary attacks, brute-force attacks, spam user registrations, weak password sniffing, and SMS flood attacks.
Reference: Configure account security

2019-10-25: Release of the exclusive edition
The WAF Exclusive edition is released. The Exclusive edition allows you to configure custom items such as protection ports, TLS versions, cipher suites, and the response page that appears when a request is blocked. This edition can meet your special requirements for web application protection.
Reference: Create an exclusive cluster

2019-10-22: Support for URL profiling for protected websites
URL profiling is supported. WAF can automatically identify business URL profiles and business volumes based on the normal network traffic that is sent to websites. This way, you can configure custom protection policies for different websites.
Reference: None

2019-10-16: Data of website scan protection provided on the Overview page
The volume of traffic that is blocked by the scan protection module, a list of blocked website scan attacks, attack details, and resolutions that are provided by security experts are displayed on the Overview page in the WAF console.
Reference: View Protection History on the WAF Overview Page

2019-08-22: Release of the positive security model
The positive security model is based on algorithms for intelligent big data learning. This model is trained based on the historical network traffic of users in an iterative manner. This way, you can configure custom automatic protection policies.
Reference: Configure the positive security model

2019-07-18: Web attack details added to the Security Report page
Web attack details are added to the Security Report page to indicate the specific causes of blocked attacks. This helps improve the efficiency of security O&M.
Reference: View security reports

2019-06-27: Protection for HTTP/2-compliant applications
Protection for HTTP/2-compliant applications is supported. This feature increases the coverage rate of application protocols. This helps ensure that the applications of WAF users are fully protected.
Reference: Add a domain name

2019-06-13: Decoding methods of web request content in protection configuration
Custom decoding methods for web request content can be configured in the protection configuration.
Reference: Configure the protection rules engine feature

2019-05-30: Optimized ACL rules
Multiple IP addresses or CIDR blocks can be added to ACL rules for condition matching.
Reference: Create a custom protection policy

2019-05-30: Optimized Overview page
The Overview page in the WAF console is optimized. On this page, the system aggregates security operations events based on a large volume of log data and provides professional suggestions for event handling. This page also displays the number of attacks by type and the frequently attacked domain names. This way, the capabilities of WAF are optimized.
Reference: View Protection History on the WAF Overview Page

2019-03-19: Release of the threat intelligence feature
The threat intelligence feature is released. This feature provides a library that contains scan attack information. You can specify custom thresholds for network scan frequency and a time period for which you want to block malicious scan attacks based on the information. This feature is used to prevent scan attacks that use common signatures, such as path traversal.
Reference: Configure scan protection

2019-01-03: Support for custom countries and regions to block requests
The region blacklist is supported. You can specify countries and regions to block all requests from the IP addresses in the specified countries and regions.
Reference: Configure a blacklist


2018-12-20: Available API operations for website tamper-proofing
API operations are available for website tamper-proofing. You can call these operations to update cached pages and add protection rules.
Reference: None

2018-12-13: Custom protection rule groups for web applications
Custom protection rule groups for web applications can be configured. This way, you can configure rules based on your business requirements. This helps prevent false request blocking that is caused by default protection rules and ensure business security.
Reference: Customize protection rule groups

2018-11-16: Support for one-year storage of business logs
WAF is integrated into Log Service to collect, query, and analyze business logs of websites that are added to WAF in real time.
Reference: Overview

2018-10-24: Support for traffic marking
Traffic mark is supported. You can specify a header field name and value to mark the traffic that is forwarded by WAF.
Reference: Add a domain name

2018-10-01: Support for security events and alerts
Security events and system alerts can be sent by text message or email. You can configure custom metrics to detect business exceptions at the earliest opportunity.
Reference: Configure WAF alerting

2018-07-27: Release of API operations
API operations for common configurations in the console are provided to allow you to perform batch processing.
Reference: List of operations by function

2018-04-27: Optimized precise access control
More HTTP header fields can be used to configure ACL rules and filter access requests.
Reference: Create a custom protection policy

2018-03-15: Support for release of WAF instances
WAF instances can be released in the console based on business requirements.
Reference: Terminate the WAF service


2017-12-28: Non-standard ports added
More non-standard ports are supported for protection.

2017-11-24: Support for multiple load balancing algorithms
Multiple load balancing algorithms can be selected as required to meet different business requirements.

2017-10-30: Provided application security solutions
Application security solutions are provided to protect your applications from traffic flooding attacks and data crawling.

2017-10-26: Support for WebSocket
WebSocket-compliant website service is supported.

2017-08-31: Support for error code monitoring
Error codes can be monitored.

2017-08-31: Support for query of service bandwidth
The uplink bandwidth usage and downlink bandwidth usage can be queried.

2017-08-31: Support for the query of QPS
The QPS can be queried by instance or domain name.

2017-08-16: Support for visualization of blackhole event details
Information such as attack thresholds and events that are generated when a blackhole event occurs can be viewed.

2017-07-27: Release of exclusive WAF IP addresses
Exclusive WAF IP addresses are released. You can purchase exclusive WAF IP addresses to protect specific domain names.

2017-07-25: Optimized precise access control
Policies for risk control on allowed access requests and region blocking can be configured in precise access control rules.

2017-07-25: Optimized CAPTCHA algorithm
The CAPTCHA algorithm in custom HTTP flood protection rules is optimized. This helps improve the accuracy in blocking HTTP flood attacks.

2017-07-25: Support for more logical operators
Logical operators such as "Does not exist" and "Value length range" are added to define precise access control rules.

2017-07-25: Support for detection of more HTTP fields
Rules for detection of more HTTP fields are supported in precise access control.

2017-06-07: Support for back-to-origin domain names
Back-to-origin addresses can be set to domain names in website configuration.

2017-05-25: Release of the data leakage prevention feature
A sensitive data leakage prevention scheme is released based on network security regulations.

2017-04-12: HTTPS implementation with a few clicks
HTTPS-based website access can be configured with a few clicks, without the need to modify the server configuration.

2017-04-12: Support for non-standard ports in multiple editions of WAF
Non-standard ports are supported in multiple editions of WAF for security protection.

2017-03-28: Support for the big-data threat intelligence feature
The big-data threat intelligence feature is supported. Capabilities such as security score assessment, high-risk warning, and visualization of attack information are provided.

2017-03-08: Optimized access experience
DNS records can be added with a few clicks.

2017-02-09: Support for the website tamper-proofing feature
The website tamper-proofing feature is supported to protect web page data from being tampered with.

2017-01-05: Support for virtual hosts
Virtual hosts (HiChina) are supported for website security protection.


2016-12-21: Release of WAF V3.1
WAF V3.1 is released. This version improves the core protection capabilities of protection engines and provides features to allow you to perform operations such as blocking IP addresses from specific regions and configuring custom protection rules to block HTTP flood attacks.

2016-12-01: Provided Intelligent Semantic Analysis Engine
The Intelligent Semantic Analysis Engine is provided. Compared with the RegEx Protection Engine, this engine helps reduce false positives.