Web Application Firewall:Account security

Last Updated: Jun 03, 2026

Account security uses real-time risk scoring to block credential stuffing, brute-force attacks, and bot registration. It extracts identity credentials from HTTP request fields (Query, Body, Header, Cookie) to build unified user profiles. Without manual rule configuration, the feature automatically protects registration and logon scenarios.

Advantages

  • Intelligent scoring: Built-in rules calculate real-time risk scores from device, network, and account data to quantify threats and automate security decisions.

  • Bot detection:

    • Interaction anomaly detection: Detects millisecond-level input and high-frequency copy-paste typical of automated scripts.

    • Fingerprint forgery detection: Detects forged traffic where the User-Agent conflicts with actual environment parameters.

    • Resource abuse protection: Blocks flood requests from a single device or IP linked to many accounts.

  • Profile deviation detection:

    • Environment oscillation detection: Detects proxy pool attacks that rapidly switch IP addresses, User-Agents, or geographic locations.

    • Baseline deviation analysis: Flags anomalous logons by comparing current activity against the user's historical profile, such as unfamiliar devices, networks, or behavior patterns that diverge from group norms.

  • Automated bot registration prevention: Detects bot registrations, fake email addresses, and traffic with the characteristics of cloud-hosted networks to block malicious account creation and protect platform user quality.

Apply for public preview

Account security is in public preview.

  1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.

  2. In the left-side navigation pane, select Protection Config > Account Security, and then click Request Public Preview.

  3. Complete and submit the application form. A staff member will follow up.

Enable account security

Prerequisites

Verify the following before you begin:

  • Your web business is connected to WAF as a protected object. If your business is not yet connected, see Connect to WAF.

  • (Recommended) Configure Bot management and integrate the SDK for your protected objects. The account security feature depends on the SDK module. Without the Bot Management SDK, detection capabilities may be reduced.

Step 1: Create an API asset

Create an API asset and configure identity credential extraction rules.

  1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance. In the left-side navigation pane, select Protection Config > Account Security. On the API Asset Management tab, click Add Asset.

  2. Configure basic API information:

    • API Name: Enter a descriptive name for the asset.

    • Domain Name and URL Path: Enter the domain and path for account registration or logon. For example, for https://example.com/login:

      • Domain Name: example.com

      • URL Path: /login

      Note

      To configure multiple interfaces on the same protected object, repeat the Add Asset step for each interface.

    • HTTP Request Method: Supported methods are POST, GET, and PUT.

  3. Set the API purpose. Supported scenarios: Registration and Logon. Registration supports single-step registration only.

    Registration

    Configure extraction locations for the Phone Number, Username, and Email fields. WAF extracts from query parameters, cookie names, body parameters, and headers.

    When you select Can Be Used for Logon, WAF uses the selected fields (email, phone, or username) as identity identifiers to link different logon credentials to the same user.

    Logon

    Configure the extraction location for the Account field. WAF extracts from query parameters, cookie names, body parameters, and headers.

  4. Configure success and failure conditions: In the Success Conditions and Failure Conditions sections, define rules to determine request outcomes based on HTTP Status Code and Response Body.

    Click Add Condition to add conditions. All conditions use AND logic.

  5. Associate with Protected Object: Select a protected object already connected to WAF.

Step 2: Configure a protection policy

Configure a protection policy for the API asset.

  1. In the left-side navigation pane, select Protection Config > Account Security. On the Policy Configuration tab, click Create Template.

  2. Specify a Template Name and Template Description.

  3. Configure the Risk Level Policy Configuration section:

    • In the Match Condition section, specify request characteristics to match. Up to five conditions are supported, evaluated with AND logic.

    • In the Risk Score Threshold section, define score ranges for each risk level and the corresponding Rule Action. Available Rule Action options:

      • JavaScript Validation: WAF returns JavaScript verification to the client. Standard browsers execute it automatically. On success, WAF allows all client requests for 30 minutes (default). On failure, requests are blocked.

      • Block: Blocks matching requests and returns a block page.

      • Log: Logs matching requests without blocking them. Use Log during testing to analyze WAF logs and verify no false positives before switching to another action.

      • CAPTCHA: WAF returns a slider verification page. On success, WAF allows all client requests for 30 minutes (default). On failure, requests are blocked.

      • Strict CAPTCHA: WAF returns a slider verification page. The client must pass verification for every matching request.

      • Origin Custom Header: WAF adds a custom header with match details (rule type, rule ID, account, risk score) to requests forwarded to the origin server for backend risk control.

      Note

      When Rule Action is Block, CAPTCHA, or Strict CAPTCHA, WAF returns the default response page. Use Custom Response to customize it.

  4. Set effective scope: In the Protected Assets section, select the API asset created in Step 1 as the policy target.
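As an added example (not Alibaba Cloud WAF code), the following Python models the configuration that Step 1 and Step 2 describe: credential extraction from a configured request location, AND-combined success and failure conditions on status code and response body, and risk score ranges mapped to a Rule Action. The request, the condition values, and the threshold ranges are constructed placeholders, not values from the product.

```python
from urllib.parse import parse_qs

# Constructed request: a logon POST carrying the account in the body.
REQUEST = {
    "query": "lang=en",
    "body": "account=alice%40example.com&password=x",
    "headers": {"User-Agent": "Mozilla/5.0"},
    "cookies": {"session": "abc"},
}

# Step 1 asset config: extract the Account field from a body parameter.
ASSET = {"purpose": "logon", "field": "account", "location": "body"}

# Step 1 outcome conditions; every condition must hold (AND logic).
# Status codes and body markers are constructed for this example.
SUCCESS = [("status", 200), ("body_contains", '"code":0')]
FAILURE = [("status", 200), ("body_contains", '"code":1001')]

# Step 2 thresholds as (low, high, action); the ranges are hypothetical.
POLICY = [(0, 30, "Log"), (30, 70, "CAPTCHA"), (70, 101, "Block")]


def extract_credential(req, asset):
    """Return the identity credential from the configured location."""
    loc, name = asset["location"], asset["field"]
    if loc in ("query", "body"):
        return parse_qs(req[loc]).get(name, [None])[0]
    if loc == "header":
        return req["headers"].get(name)
    if loc == "cookie":
        return req["cookies"].get(name)
    raise ValueError(f"unknown extraction location {loc!r}")


def classify(status, body, success, failure):
    """Label a response 'success', 'failure' or 'unknown' (neither set holds)."""
    def holds(conds):
        return all((status == v) if k == "status" else (v in body)
                   for k, v in conds)
    if holds(success):
        return "success"
    return "failure" if holds(failure) else "unknown"


def action_for(score, policy):
    """Map a risk score to the Rule Action of the range containing it."""
    for low, high, act in policy:
        if low <= score < high:
            return act
    return "Log"  # scores outside every range are only logged
```

A response that matches neither condition set is reported as unknown rather than forced into success or failure, which is the case to watch for when the origin changes its error format.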

What to do next

Query matched requests in Protection Logs.

Manage assets and policies

Manage API assets

  • View assets: On the API Asset Management tab, view all created assets. Search by protected object, API asset, or API name.

  • Edit an asset: Find the asset and click Edit in the Actions column to modify the API purpose and request conditions.

  • Delete an asset: Find the asset and click Delete in the Actions column. The asset is no longer protected after deletion.

Manage protection policies

  • View policies: On the Policy Configuration tab, view all created policies. Search by asset, protection rule ID, or template name.

  • Edit a policy: Find the policy and click Edit in the Actions column. Use the Status column to enable or disable the policy.

  • Clone a policy: Find the policy and click Copy in the Actions column.

  • Delete a policy: Find the policy and click Delete in the Actions column. Associated assets are no longer protected after deletion.