Web Application Firewall (WAF) provides end-to-end security protection for your websites or apps. WAF identifies, scrubs, and filters out malicious web traffic, and then forwards normal traffic to your origin servers. This protects your origin servers against attacks and ensures data and service security.


Feature Description
Service specifications
  • WAF provides four editions: Pro Edition, Business Edition, Enterprise Edition, and Exclusive Edition. All of these editions can protect websites by monitoring and filtering HTTP and HTTPS traffic.
Web application protection
Protection against common web application attacks
  • Protection against common Open Web Application Security Project (OWASP) attacks: The common OWASP attacks include SQL injection, cross-site scripting (XSS), webshell upload, backdoors, command injection, unauthorized HTTP requests, common vulnerabilities of web servers, unauthorized access to core files, path traversal, and scan attacks.
  • Hiding of origin IP addresses: WAF prevents origin IP addresses from being exposed. Attackers cannot bypass WAF to attack origin servers.
  • Regular and timely updates of patches for zero-day vulnerabilities: WAF updates patches at the earliest opportunity to protect your websites.
  • User-friendly monitoring mode: You can enable this mode to monitor new website services. To help measure false positives, WAF sends an alert when suspicious traffic that matches specified protection rules is detected instead of blocking the traffic.
Precise protection
  • WAF can parse HTTP data in common formats. The HTTP data includes header, form, multipart, JSON, and XML data.
  • WAF can decode data of the following encoding methods: URL encoding, JavaScript Unicode encoding, HEX encoding, HTML entity encoding, Java serialization, PHP serialization, Base64 encoding, UTF-7 encoding, UTF-8 encoding, and nested encoding.
  • WAF can preprocess data to provide more fine-grained and accurate data sources for detection engines at the upper layer. The preprocessing mechanisms include space compression, comment pruning, and special character processing.
  • WAF can detect complex data. Its detection logic supports a degree of complexity, which prevents the false positives that overly sensitive detection would cause. WAF also adaptively decodes data encoded in different formats to prevent detection from being bypassed.
Protection against HTTP flood attacks
  • WAF restricts the frequency of requests from a specific origin IP address by using different methods, such as CAPTCHA verification and redirection for authentication.
  • To protect against a large number of slow HTTP attacks, WAF executes precise protection rules based on statistical data, such as the distribution of status codes, distribution of requested URLs, abnormal HTTP Referer headers, and User-Agent characteristics.
  • WAF takes full advantage of Alibaba Cloud big data security solutions to build analysis models for threat intelligence and trusted access. These models can help identify malicious requests.
Fine-grained access control
  • In the WAF console, you can combine different HTTP fields, such as IP, URL, Referer, and User-Agent fields, to configure protection rules and implement fine-grained access control. You can configure custom protection rules to provide protection in different scenarios, such as hotlink protection and website background protection.
  • This module can be used together with other security modules such as web security and HTTP flood protection to build a multi-layer protection architecture. This way, WAF can identify trusted and malicious traffic in a fine-grained manner.
Virtual patching
  • Before the patches for web application vulnerabilities are released or installed, you can adjust web protection rules to protect your services.
Attack event management
  • WAF allows you to manage attack events based on statistical data, such as attack events, attack traffic, and attack scales.
Flexibility and reliability
  • Load balancing: WAF can provide services in cluster mode. WAF uses multiple servers to balance loads and supports different scheduling algorithms.
  • Smooth and elastic scaling: You can add servers to or remove servers from a cluster to adjust the WAF service capability based on your business requirements.
  • Elimination of single points of failure (SPOFs): If a WAF node fails or is under repair, WAF can still provide services.
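
The decode, preprocess, then detect order described under Precise protection can be sketched as follows. This is an added example, not Alibaba Cloud WAF code: the single signature, the `MAX_ROUNDS` limit, the fail-closed choice, and all function names are assumptions, and the sample values are constructed.

```python
import html
import re
from urllib.parse import unquote_plus

# Illustrative signature only; real rule sets are far larger.
SIGNATURE = re.compile(r"\bunion\s+(all\s+)?select\b", re.IGNORECASE)
JS_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
MAX_ROUNDS = 5  # bound decoding so deeply nested input cannot stall inspection

def decode_once(value):
    """One pass of URL, HTML entity, JavaScript Unicode and hex decoding."""
    value = html.unescape(unquote_plus(value))
    value = JS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), value)
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)

def normalize(value):
    """Decode until stable, then prune comments and compress spaces.
    Returns (text, exhausted); exhausted is True when the input was still
    changing on the last permitted decoding round."""
    exhausted = True
    for _ in range(MAX_ROUNDS):
        decoded = decode_once(value)
        if decoded == value:
            exhausted = False
            break
        value = decoded
    value = SQL_COMMENT.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip(), exhausted

def naive_inspect(value):
    """Match the signature on the raw value, with no decoding."""
    return "block" if SIGNATURE.search(value) else "allow"

def inspect(value):
    """Match the signature on the normalized value; fail closed on exhaustion."""
    text, exhausted = normalize(value)
    return "block" if exhausted or SIGNATURE.search(text) else "allow"

# Constructed sample parameter values, not taken from real traffic.
SAMPLES = [
    "id=1%2520UNION%252F%252A%252A%252FSELECT%2520name",  # double URL encoding
    r"q=un&#105;on\u0020select 1",                        # entity + JS Unicode
    "q=student+union+election+results",                   # benign
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(naive_inspect(sample), inspect(sample), sample)
```

The first two samples pass the raw match and are caught only after normalization, while the benign sample is allowed in both cases.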

For more information, visit the product page of Web Application Firewall.


Benefit Description
More than 10 years of web security experience
  • WAF is built on more than 10 years of web security experience of Alibaba Group and provides the same security experience as Tmall, Taobao, Alipay, and other well-known applications.
  • A professional security team provides security services for you.
  • WAF defends against known OWASP vulnerabilities and constantly fixes disclosed vulnerabilities.
Protection against HTTP flood attacks and crawler attacks
  • WAF mitigates HTTP flood attacks.
  • WAF defends against web crawlers to prevent excessive network resource consumption.
  • WAF detects and blocks malicious requests that may affect availability, compromise response latency, or consume excessive resources, such as bandwidth, database, SMS, and API resources.
  • WAF allows you to configure custom protection rules for various business scenarios.
Integration with big data capabilities
  • WAF can defend against hundreds of millions of attacks every day.
  • WAF provides an IP address library that contains a large number of IP addresses.
  • WAF provides a wide range of use cases to help obtain the patterns, methods, and signatures of various common network attacks.
  • WAF is continuously integrated with advanced technologies for big data analytics.
Ease of use and reliability
  • You can activate and configure WAF within 5 minutes.
  • You do not need to install software or hardware or adjust routing configurations.
  • Protection clusters provide redundancy and prevent SPOFs.
  • WAF provides high traffic processing performance.


WAF is suitable for all users on and outside Alibaba Cloud. WAF helps protect web applications in industries such as finance, e-commerce, online-to-offline (O2O), Internet Plus, gaming, public services, and insurance.

Note: If you use WAF to protect your services, you must add the domain names of your services to WAF. You cannot add IP addresses to WAF.

Use of WAF

After you purchase a WAF instance, you can add the domain name of your website to WAF in CNAME record mode or transparent proxy mode.
  • CNAME record mode

    You can add your website to WAF in CNAME record mode regardless of whether your origin servers are deployed in the cloud or on on-premises machines.

    The CNAME record mode allows you to use WAF by adding the domain name of the website that you want to protect to WAF and changing the DNS record. This way, traffic traveling to the website is forwarded to and protected by WAF. For more information, see Add a domain name.

  • Transparent proxy mode

    If your origin server is an Elastic Compute Service (ECS) instance or is added to an Internet-facing Server Load Balancer (SLB) instance, you can use either the CNAME record mode or the transparent proxy mode to add your website. The transparent proxy mode is based on cloud-native technologies.

    The transparent proxy mode allows you to use WAF by adding the domain name of the website that you want to protect to WAF without changing the DNS record. This way, traffic traveling to the website is forwarded to and protected by WAF.

Compliance certifications

WAF has passed various authoritative certifications. The certifications include ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 29151, BS 10012, Cloud Security Alliance (CSA) STAR certification, Cybersecurity in China Multi-level Protection Scheme (MLPS 2.0) Level III, Service Organization Control (SOC) 1, 2, and 3, Cloud Computing Compliance Controls Catalog (C5), Green Finance Certification Scheme developed by Hong Kong Quality Assurance Agency (HKQAA), Outsourced Service Providers Audit Report (OSPAR), and Payment Card Industry Data Security Standard (PCI DSS).