The sensitive information leak prevention function allows the Web Application Firewall (WAF) to comply with China’s Cyber Security Law that stipulates that “network operators should take technical measures and other necessary measures to ensure the security of personal information they collect and prevent information leaks, damages, and loss. In the event of, or possible occurrence of, any personal information leaks, damages, or loss, the network operators involved shall immediately take remedial measures, notify users in a timely manner, and report the case to competent authorities in accordance with the provisions.”
Note: To use the sensitive information leak prevention function, you must upgrade WAF to Enterprise Edition or above.
Common information leak situations faced by websites include:
- Unauthorized access to a URL, such as unauthorized access to the website management background.
- Broken access control (over-privileged access) vulnerabilities, both horizontal (accessing another user's data at the same privilege level) and vertical (accessing functions of a higher privilege level).
- Sensitive information crawled by malicious crawlers on webpages.
The sensitive information leak prevention function provides desensitization and warning measures for sensitive information leaks on websites (especially mobile phone numbers, ID card numbers, and credit card information) and the leakage of sensitive keywords. It also allows you to block specified HTTP status codes.
It provides the following sensitive information leak prevention functions for common website sensitive information leak scenarios:
- Detects and identifies private and sensitive data generated on the webpage and offers protection measures, such as early warnings and the shielding of sensitive information, to avoid website operation data leaks. This sensitive and private data includes, but is not limited to, ID card numbers, mobile phone numbers, and bank card numbers.
- Supports one-click blocking of sensitive server information that may expose the web application software, operating systems, and versions used by the website to avoid leaks of sensitive server information.
- Using a built-in illegal and sensitive keyword library, the function provides warnings, illegal keyword shielding, and other protective measures to deal with illegal and sensitive keywords that appear on webpages.
The sensitive information leak prevention function supports Content-Types including application/* and covers web clients, mobile app clients, and API interfaces.
The sensitive information leak prevention function detects if response pages have ID card numbers, mobile phone numbers, bank card numbers, and other types of sensitive information. If it discovers a sensitive information match, it sends a warning or filters the sensitive information based on the action configured for the matching rule.
When sensitive information is filtered, the sensitive portion of the information is replaced by asterisks (*) to protect it.
Log on to the Alibaba Cloud Security WAF console.
Go to Management > Website Configuration and select the region.
Select a website domain name that is already protected and click Policies.
Enable the Data Leak Prevention function and click Settings.
Click Add Rule to add a sensitive information protection rule.
Note: In the Add Rule dialog box, you can add URL matching conditions so that the rule only inspects responses for URLs that match those conditions.
Sensitive information masking
For webpages that may display mobile phone numbers, ID card numbers, and other sensitive information, configure the relevant rules to mask this information or provide warnings. For example, you can set the following protection rule to protect mobile phone numbers and ID card numbers by data masking.
After setting this protection rule, mobile phone and ID card numbers displayed on all webpages in this website domain name are automatically desensitized.
Warning: When a webpage contains business contact phone numbers, support hotline numbers, and other mobile phone numbers that are intended for the public, the configured mobile phone number filtering rule masks these as well.
Status code blocking
You can set rules to block or warn on specific HTTP status codes to avoid leaking sensitive server information. For example, you can set the following protection rule to block HTTP 404 status codes.
After setting this protection rule, when a user requests a page that does not exist under this website domain name, the specified block page is returned instead of the original 404 response.
Filter sensitive information of specified URLs
For specified webpage URLs that may display mobile phone numbers, ID card numbers, and other sensitive information, configure the relevant rules to filter this information or provide warnings. For example, you can set the following protection rule to filter ID card numbers on the webpage admin.php.
After setting this protection rule, ID card numbers are desensitized only on the admin.php webpage.
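The following added example (not code from the Alibaba Cloud WAF or this page) models the response-side behaviour described above: detecting mobile phone, ID card and bank card numbers in a response body, masking the middle of each match with asterisks or only warning, restricting a rule to one URL such as admin.php, and returning a block page for a blocked status code such as 404. The detection patterns, rule format, block page and the 403 status it uses are assumptions made for this example.

```python
import re

# Constructed detection patterns for the data types the page names. They are
# assumptions for this example, not the WAF's own signatures.
PATTERNS = {
    "mobile": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),     # 11-digit mainland mobile number
    "id_card": re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)"),   # 18-digit ID card number
    "bank_card": re.compile(r"(?<!\d)\d{16,19}(?!\d)"),    # 16 to 19 digit bank card number
}
BLOCK_PAGE = "<html><body>Blocked by data leak prevention</body></html>"  # constructed


def mask(value, keep_head=3, keep_tail=4):
    """Replace the middle of a matched value with asterisks, as the filter action does."""
    hidden = max(len(value) - keep_head - keep_tail, 0)
    return value[:keep_head] + "*" * hidden + value[len(value) - keep_tail:]


def inspect_response(url, content_type, status, body, rules, blocked_statuses=()):
    """Apply data leak prevention rules to one HTTP response.

    rules: list of {"type": PATTERNS key, "action": "mask" | "warn", "url": path or None};
    a rule with a url applies only to that path. blocked_statuses: status codes to block.
    Returns (status, body, alerts). Rules are applied in order, so a value masked by
    an earlier rule no longer matches a later, overlapping pattern.
    """
    alerts = []
    if status in blocked_statuses:
        # Assumption: the block page is served with 403 instead of the original status.
        return 403, BLOCK_PAGE, [f"blocked status {status} for {url}"]
    # The page names application/*; text/* is added here (assumption) for HTML pages.
    if not (content_type.startswith("application/") or content_type.startswith("text/")):
        return status, body, alerts
    for rule in rules:
        if rule.get("url") and rule["url"] != url:
            continue
        pattern = PATTERNS[rule["type"]]
        hits = len(pattern.findall(body))
        if hits == 0:
            continue
        alerts.append(f"{rule['action']}: {hits} {rule['type']} value(s) on {url}")
        if rule["action"] == "mask":
            body = pattern.sub(lambda m: mask(m.group(0)), body)
    return status, body, alerts


if __name__ == "__main__":
    rules = [{"type": "mobile", "action": "mask", "url": None},
             {"type": "id_card", "action": "mask", "url": "/admin.php"}]
    # Constructed sample response body.
    print(inspect_response("/admin.php", "application/json", 200,
                           '{"phone": "13812345678", "id": "110101199001011234"}', rules))
```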
After enabling the Data Leak Prevention function, you can go to Alibaba Cloud Security WAF console > Reports > Reports, and open the Web Application Attack report. This report allows you to query a log of access requests filtered or blocked by data leak prevention rules.