Web Application Firewall

An easy to use service that provides real-time monitoring of servers to ensure high availability

Web Application Firewall (WAF) protects your website servers against intrusions. Our service detects and blocks malicious traffic directed to your websites and applications. WAF secures your core business data and prevents server malfunctions caused by malicious activities and attacks.


Fast Response and Stability
Connected to Chinese ISPs through multiple BGP connections allowing for high availability. WAF supports optimal path selection and allows your servers to respond within milliseconds.
Professional Protection
Operated by professional security groups, WAF fixes zero-day vulnerabilities within 24 hours. WAF also supports multi-dimensional protection to efficiently prevent Challenge Collapsar (CC) attacks.
Business Risk Prevention
Supports multiple business risk prevention features, including anti-crawler, anti-rush, and anti-sabotage protection.
Comprehensive Reports
Offers detailed reports to ensure a quick, comprehensive understanding of the security status of the website.


  • Web Application Protection

    Provides anti-attack solutions for Web applications. Virtually patches zero-day vulnerabilities and offers website stealth service.

    Common OWASP Attack Prevention

    Provides multiple protection policies to prevent SQL injection attacks, cross site scripting attacks, and web-shell uploading. Our service supports backdoor quarantine, and defends against command injection, illegal HTTP requests, common web server vulnerability exploiting, unauthorized access to core data, Path Traversal attacks, and vulnerability scanning.

    Zero-Day Vulnerability Protection

    WAF supports automatic protection to secure your servers. Our professional protection team provides virtual patching service to fix high-risk zero-day vulnerabilities within 24 hours.

    Website Stealth

    Uses DNS to redirect traffic to prevent server IP addresses from being exposed. Attack traffic cannot pass around WAF to reach your servers.

  • CC Attack Prevention

    Filters out bot traffic to guarantee the server performance.

    Precise Protection with Low False Positive Rate

    WAF does not directly blocks IP addresses that send requests too frequently. Instead, WAF recognizes suspicious activities based on URL requests, response code, and other signatures.

    100% Malicious Request Recognition and Blocking

    Recognizes attack signatures in common fields of request headers, including the IP, URL, User-Agent, and Referer fields.

    User-defined Rules for Business Protection

    The Enterprise Edition allows you to set rules to define the frequency of requests sent to a URL.

    Powerful Threat Intelligence

    Supports customized attack protection based on large amounts of IP address blacklists and crawler databases.

  • Business Security

    Supports risk control, anti-crawler, and anti-rush to protect your business.

    Quick Configuration

    Supports quick configuration to automatically protect your servers, without the need to modify the source code of your servers or call the APIs.

    Satisfying User Experience

    No verification is required for requests sent from user web browsers or applications. “Slide to verify” verification is required for suspicious requests that may be sent from bots. Precise Interception. Powerful device fingerprinting and bot recognition capabilities help to maintain normal business operations.

    Precise Interception

    Supports device fingerprints and bot recognition to ensure the operations of your business.

  • HTTPS-based Optimization

    Quick origin fetching over HTTP or HTTPS to reduce the load on the origin site.

    Quick HTTP-HTTPS Migration

    To migrate your website from HTTP to HTTPS, you only need to upload the certificates private key. You do not need to change the configurations of your server.

    Origin Fetching over HTTP.

    Supports origin fetching-based HTTPS-HTTP redirection to reduce the load on your origin site and improve business performance.

  • HTTP and HTTPS Access Control

    Supports multi-dimensional and precise HTTP and HTTPS traffic throttling.

    IP-based Access Control

    Supports blocking and whitelisting of specified IPs, network segments, and malicious IPs.

    URL-based Access Control

    Supports blacklisting and whitelisting of specified URLs.

    Variant CC Attack Prevention

    Prevents variant CC attacks, such as WordPress pingbacks.

    Crawler Prevention

    Blocks malicious requests, including python and libcurl requests.

    Backend Protection

    Only allows specified IP addresses to access certain URLs. For example, only administrators can log on to the back end.


    Secures website resources against malicious links from other web pages and malicious requests bound for non-existent links.

    Malicious Request Protection

    Intercepts malicious requests bound for non-existent links, and blocks mass attacks targeting at URLs that do not exist.


    The Enterprise Edition allows you to block IP addresses in specified geographical locations.

  • Log Management

    All logs support quick query.

    Smart Log Query

    All logs support smart query. This service allows you to search unusual requests and attack interception records with ease. You can obtain the status of your business running on your website.

Customer Scenarios

  • Offers anti-crawler and anti-rush protection.
  • CC Attack Protection
  • Data Leakage Prevention
  • Prevention against Website Defacement, Trojans, and Backdoors.
  • Virtual Patches for Zero-Day Vulnerabilities
Offers anti-crawler and anti-rush protection.

Offers anti-crawler and anti-rush protection.

Blocks malicious Bot abuse.

Attacks may cause a sharp increase in text message registration fees. Attackers maliciously crawl the business data and log on to the interface to obtain user data.


  • Protects against Malicious Crawlers

    Detects common crawlers and helps you to protect core text and product prices.

  • Tackles Fake Messaging-Interface Traffic

    Handles message flooding and curbs rising data charges.

  • Defense against Malicious Bot Abuse

    Malicious bot abuse disables website platform services, leading to reduced user satisfaction.

CC Attack Protection

CC Attack Protection

Protects your website resources against large amounts of CC attacks.

Competitors may attack your website. Attackers may try to extort money from you by initiating a large number of malicious CC requests. These requests occupy or consume critical server resources, including CPU, memory, or bandwidth, creating a server performance bottleneck. This may cause slow website response or website malfunction.


  • Protection against Zombie-based CC Attacks

    Attackers use CC attack software to control large numbers of zombies and launch attacks.

  • Protection against Agent CC Attacks

    Attackers use proxy servers to forge website requests.

Related Products and Services

Data Leakage Prevention

Data Leakage Prevention

Prevents core data leakage.

Attackers scan websites to exploit web page vulnerabilities. By manually executing malicious SQL statements, attackers can penetrate and log on to your databases to obtain core website data.


  • Protection against SQL Injection Attacks.

    SQL injection uses malicious code for backend database manipulation to access core data and private data of the user.

  • Prevention against Unauthorized Scanning.

    Attackers can exploit vulnerabilities using security scanning tools or after researching the website business interface.

Related Products and Services

Prevention against Website Defacement, Trojans, and Backdoors.

Prevention against Website Defacement, Trojans, and Backdoors

Protects your website from website defacement, trojans, and backdoors.

Attackers may penetrate and inject your website to obtain admin privileges and upload trojans or backdoors. They may leave hidden links on web pages or tamper with web page content. This damages the company's reputation and may cause economic losses.


  • Prevention against Trojan Injection.

    Attackers may scan the vulnerabilities and upload trojans.

  • Protection against Page Defacement.

    Protects the pages from malicious injection of illicit content.

Virtual Patches for Zero-Day Vulnerabilities

Virtual Patches for Zero-Day Vulnerabilities

Virtually patches vulnerabilities to ensure web security.

After a web security vulnerability is exposed on a public platform, you may not be able to fix it timely. Therefore, you need a virtual patch to immediately defend against vulnerability attacks.


  • Easier Code Transformation

    No code change or server patch. All rules are updated regularly in WAF Cloud to protect against new threats.

  • Reduced High-Risk Period

    Reduces high-risk period from one week to one day.

Certification course: Protect Your Web Application on Alibaba Cloud

Understand application security and common network attacks. You will master the core skills of application security on the cloud, including how to access Alibaba Cloud WAF, avoid tampering website, prevent CC attacks, and how to conduct business risk management.

0.01 USD

Original Price: USD 10.00

View Details

Upgraded Support For You

1 on 1 Presale Consultation, 24/7 Technical Support, Faster Response, and More Free Tickets.

1 on 1 Presale Consultation

Consulting by experienced cloud experts.Learn More

24/7 Technical Support

Extended service time from 10 hours 5 days a week to 24/7. Learn More

6 Free Tickets per Quarter

The number of free tickets doubled from 3 to 6 per quarter. Learn More

Faster Response

Shorten after-sale response time from 36 hours to 18 hours. Learn More