Web Application Firewall (WAF) is a security service that protects your website and app services. WAF identifies malicious traffic, scrubs and filters the traffic, and then forwards normal traffic to your web server. WAF protects your web server against attacks and ensures the security of your data and business.


  • Protect web applications against attacks.
  • Mitigate HTTP flood attacks and filter out malicious bot traffic to ensure the performance of your web server.
  • Provide solutions for business risk control to mitigate security risks, such as abuse of business APIs.
  • Support transmission of back-to-origin traffic over HTTPS or HTTP to reduce workloads of the origin server.
  • Provide precise access control for HTTP and HTTPS traffic.
  • Support real-time storage, analysis, and custom reporting of full logs over a long period of time. WAF can synchronize online logs with third-party platforms to help you meet compliance requirements for classified protection.

For more information, see Editions and features.

Use of WAF

After you purchase a WAF instance, you can add the domain name of your website to WAF. Then, you must resolve the domain name to the canonical name (CNAME) provided by WAF and configure the IP address of your origin server to enable WAF protection. After you enable WAF protection, all Internet traffic destined for your website is redirected to WAF. Then, WAF detects and filters out malicious traffic and forwards normal traffic to the IP address of your origin server. This ensures the security, stability, and availability of your origin server. For more information, see Add a website.


WAF supports the subscription billing method. You can purchase a WAF instance with a subscription period of one month, three months, six months, or one year. For more information, see Billing method.

Compliance certifications

WAF has passed various authoritative certifications. The certifications include ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 29151, BS 10012, Cloud Security Alliance (CSA) STAR certification, China classified protection of cybersecurity-Level III, Service Organization Control (SOC) 1, 2, and 3, Cloud Computing Compliance Controls Catalog (C5), Green Finance Certification Scheme developed by Hong Kong Quality Assurance Agency (HKQAA), Outsourced Service Providers Audit Report (OSPAR), and Payment Card Industry Data Security Standard (PCI DSS).