
Web Application Firewall: Account security

Last Updated: Apr 15, 2026

Account security uses intelligent algorithms to calculate risk scores in real time, identifying and blocking credential stuffing, brute-force attacks, and automated bot registration. It extracts identity credentials from the Query, Body, Header, and Cookie fields of HTTP requests to build unified user profiles. Without manual rule configuration, the feature automatically protects account registration and logon scenarios.

Advantages

  • Intelligent scoring: Built-in rules calculate risk scores in real time using device, network, and account data. The scores quantify request risk levels and support automated security decisions.

  • Bot detection:

    • Interaction anomaly detection: Identifies millisecond-level input and high-frequency copy-paste actions typical of automated scripts.

    • Fingerprint forgery detection: Detects forged traffic where the User-Agent conflicts with actual environment parameters.

    • Resource abuse protection: Blocks flood requests from a single device or IP linked to a large number of accounts.

  • Profile deviation detection:

    • Environment oscillation detection: Detects proxy pool attacks that rapidly switch IP addresses, User-Agents, or geographic locations.

    • Baseline deviation analysis: Flags anomalous logons by comparing current activity against the user's historical profile, including unfamiliar devices, network environments, and behavior patterns that diverge from the group norm.

  • Automated bot registration prevention: Detects bot registrations, fake email addresses, and cloud network traits to block malicious account creation and protect platform user quality.

Apply for public preview

The account security feature is in public preview. Follow these steps to apply.

  1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.

  2. In the left-side navigation pane, select Protection Config > Account Security, and then click Request Public Preview.

  3. Complete and submit the application form. A staff member will follow up with you.

Enable account security protection

Prerequisites

Before you begin, ensure that you have:

  • A protected object (your web business is already connected to WAF). If your business is not yet connected, see Connect to WAF.

  • (Recommended) Bot Management configured for your protected objects. The account security feature depends on the Bot Management module. Without it, detection capabilities may be reduced.

Step 1: Create an API asset

Follow these steps to create an API asset and configure identity credential extraction rules.

  1. Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance. In the left-side navigation pane, select Protection Config > Account Security. On the API Asset Management tab, click Add Asset.

  2. Configure basic API information:

    • API Name: Enter a name that helps you identify the asset.

    • Domain Name and URL Path: Enter the domain name and path that users visit during account registration or logon. For example, for the URL https://example.com/login, enter:

      • Domain Name: example.com

      • URL Path: /login

      Note

      To configure multiple interfaces on the same protected object, repeat the Add Asset step for each interface.

    • HTTP Request Method: Supported methods are POST, GET, and PUT.

  3. Set API purpose: Two scenarios are supported: Registration and Logon. For the Registration scenario, only single-step registration is supported.

    Registration

    Configure the extraction locations for the Phone Number, Username, and Email fields. WAF can extract information from query string parameters, cookie names, body parameters, and header fields.

    When you select Can Be Used for Logon, WAF uses the selected fields (such as email address, phone number, or username) as identity identifiers. This allows the system to link different logon credentials to the same user. For example, logons via email, phone, and username are recognized as the same user rather than separate accounts.

    Logon

    Configure the extraction location for the user Account field. WAF can extract information from query string parameters, cookie names, body parameters, and header fields.

  4. Configure request success and failure conditions: In the Success Conditions and Failure Conditions sections, define rules to determine whether a registration or logon request succeeded. Conditions can be based on HTTP Status Code and Response Body.

    Click Add Condition to add multiple conditions. Conditions are evaluated with AND logic: all must be met for the request to be judged as successful or failed.

  5. Associate with Protected Object: Select a protected object already connected to WAF.
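As an added illustration (not the product's own code), the following Python models how the API asset configured in Step 1 works: the credential extraction location (query, body, header, or cookie) and the AND-evaluated Success Conditions and Failure Conditions, applied to a constructed logon request and response. The field names, regexes, and sample values are assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs
# Illustrative model (not WAF code) of an API asset from Step 1: the field
# extraction location and the AND-evaluated success/failure conditions.
@dataclass
class Condition:
    kind: str   # "status" (HTTP Status Code) or "body" (regex over Response Body)
    value: str

@dataclass
class ApiAsset:
    account_field: tuple  # (location, name); location is query/body/header/cookie
    success: list = field(default_factory=list)
    failure: list = field(default_factory=list)

def extract_account(asset, request):
    """Read the credential from the configured location of a parsed request
    shaped as {"query": str, "body": str, "headers": {lowercase-name: value}}."""
    location, name = asset.account_field
    headers = request.get("headers", {})
    if location in ("query", "body"):
        return parse_qs(request.get(location, "")).get(name, [None])[0]
    if location == "header":
        return headers.get(name.lower())
    if location == "cookie":
        pairs = (p.strip().split("=", 1) for p in headers.get("cookie", "").split(";"))
        return dict(p for p in pairs if len(p) == 2).get(name)
    raise ValueError(f"unknown extraction location: {location}")

def _all_match(conditions, response):
    # AND logic: every configured condition must hold; an empty set never matches.
    return bool(conditions) and all(
        (c.kind == "status" and str(response["status"]) == c.value)
        or (c.kind == "body" and re.search(c.value, response["body"]) is not None)
        for c in conditions)

def classify(asset, response):
    """Return 'success', 'failure' or 'unknown' for a logon/registration response."""
    if _all_match(asset.success, response):
        return "success"
    if _all_match(asset.failure, response):
        return "failure"
    return "unknown"

# Constructed sample: a logon API whose JSON body reports code 0 on success.
LOGIN_ASSET = ApiAsset(account_field=("body", "username"),
    success=[Condition("status", "200"), Condition("body", r'"code":\s*0\b')],
    failure=[Condition("status", "200"), Condition("body", r'"code":\s*[1-9]')])
SAMPLE_REQUEST = {"query": "", "body": "username=alice&password=hunter2", "headers": {"cookie": "sid=abc123; lang=en"}}
```

A response that satisfies neither condition set (for example a 502 from the origin) is classified as unknown, which is why both sets should be defined explicitly rather than inferring failure from the absence of success.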

Step 2: Configure a protection policy

After you create an API asset, configure a protection policy for it.

  1. In the left-side navigation pane, select Protection Config > Account Security. On the Policy Configuration tab, click Create Template.

  2. Specify a Template Name and Template Description.

  3. Configure Risk Level Policy Configuration:

    • In the Match Condition section, specify the request characteristics that the policy should match. You can add up to five conditions, evaluated with AND logic.

    • In the Risk Score Threshold section, define score ranges for each risk level and the corresponding Rule Action. The following list describes each Rule Action.

      • JavaScript Validation: WAF returns a JavaScript verification code to the client. A standard browser executes the code automatically. If successful, WAF allows all requests from the client for a period of time (default: 30 minutes). Otherwise, the requests are blocked.

      • Block: Blocks matching requests and returns a block response page to the client.

      • Log: Logs matching requests without blocking them. During rule testing, use Log mode to analyze WAF logs and confirm no false positives before switching to another action.

      • CAPTCHA: WAF returns a slider verification page. If the client passes verification, WAF allows all requests from that client for a period of time (default: 30 minutes). Otherwise, the requests are blocked.

      • Strict CAPTCHA: WAF returns a slider verification page. The request is allowed only if the client passes verification. The client must pass verification for every matching request.

      • Origin Custom Header: WAF adds a custom header containing match details (rule type, rule ID, account, risk score) to the request forwarded to the origin server. The origin server can use this information for backend risk control processing.

      Note

      When the Rule Action is set to Block, CAPTCHA, or Strict CAPTCHA, WAF returns the default system response page. You can use the Custom Response feature to configure a personalized response page.

  4. Set effective scope: In the Protected Assets section, select the API asset created in Step 1 as the policy target.
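As an added example, not code from the page or from the WAF product, the following Python shows an origin server consuming the Origin Custom Header action described above for backend risk control. The header name, its key=value layout, the shared-secret header used to confirm the request actually passed through WAF, and the score thresholds are all assumptions; the page only states that the header carries the rule type, rule ID, account, and risk score.

```python
import hmac

# Illustrative origin-side handler (not WAF code). ASSUMPTIONS: the header name
# and the "key=value;..." layout are placeholders; the page only states that
# the header carries rule type, rule ID, account and risk score. The shared
# secret header is also an assumption: a value only WAF injects, so that a
# client reaching the origin directly cannot forge risk details itself.
RISK_HEADER = "x-waf-account-risk"            # placeholder name
WAF_SECRET_HEADER = "x-origin-shared-secret"  # placeholder name
DEFAULT_THRESHOLDS = ((80, "block"), (50, "step_up_mfa"))  # assumed score ranges

def parse_risk_header(value):
    """Parse 'rule_type=...;rule_id=...;account=...;score=87' into a dict.
    Returns None when the score is missing or not an integer."""
    fields = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            fields[key.strip()] = val.strip()
    try:
        fields["score"] = int(fields["score"])
    except (KeyError, ValueError):
        return None
    return fields

def decide(headers, expected_secret, thresholds=DEFAULT_THRESHOLDS):
    """Backend risk-control decision for a request forwarded by WAF."""
    h = {k.lower(): v for k, v in headers.items()}
    # Trust the risk header only on requests that verifiably came through WAF.
    if not hmac.compare_digest(h.get(WAF_SECRET_HEADER, ""), expected_secret):
        return "reject_direct_access"
    raw = h.get(RISK_HEADER)
    if raw is None:
        return "allow"              # no account-security rule matched this request
    info = parse_risk_header(raw)
    if info is None:
        return "step_up_mfa"        # malformed details: do not silently allow
    for floor, action in thresholds:   # thresholds ordered highest first
        if info["score"] >= floor:
            return action
    return "allow"
```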

What to do next

After you configure the protection policy, query matched requests in Protection Logs.

Manage assets and policies

Manage API assets

  • View assets: On the API Asset Management tab, view all created assets. Search by protected object, API asset, or API name.

  • Edit an asset: Find the target asset and click Edit in the Actions column to modify the API purpose and request conditions.

  • Delete an asset: Find the target asset and click Delete in the Actions column. The asset is no longer protected after deletion.

Manage protection policies

  • View policies: On the Policy Configuration tab, view all created policies. Search by asset, protection rule ID, or template name.

  • Edit a policy: Find the target policy and click Edit in the Actions column to modify the configuration. Use the control in the Status column to enable or disable the policy.

  • Clone a policy: Find the target policy and click Copy in the Actions column to create a copy.

  • Delete a policy: Find the target policy and click Delete in the Actions column. The associated assets are no longer protected after deletion.