Function Compute functions exposed via HTTP triggers or API Gateway can be protected by two complementary security services: Web Application Firewall (WAF) and the API Gateway IP address-based access control plug-in. The two options differ in protection depth — choose based on the threats you need to address.
Choosing a protection approach
| Approach | Protection scope | Best for |
|---|---|---|
| WAF | Full web application threat detection | Defending against web attacks, application vulnerabilities, web page tampering, data leakage, abnormal crawler behavior, and API security threats |
| API Gateway IP access control plug-in | IP-level filtering only | Allowing or blocking specific IP addresses without requiring full threat detection |
WAF is the stronger option. It absorbs traffic spikes caused by attacks and provides one-stop protection for web applications — including websites, HTML5 pages, and mini programs. Use the API Gateway plug-in when lightweight IP filtering is sufficient.
Enable WAF for Function Compute
WAF protection applies at the ingress layer, upstream of your functions. To enable it, follow the steps in Enable WAF protection.
After enabling WAF, configure protection rules to match the threats you need to address:
| Rule type | What it protects against |
|---|---|
| Web attack rules | SQL injection, cross-site scripting (XSS), and other common exploits |
| Application vulnerability detection | Known CVEs and application vulnerabilities |
| Web page anti-tamper | Unauthorized modification of page content |
| Data leakage prevention | Sensitive data exfiltration in responses |
| Bot management | Abnormal crawler behavior, bad bots, and search engine anomalies |
| API security | Malformed or abusive API requests |
For rule configuration details, see Protection rules.
Enable IP address-based access control via API Gateway
If your functions are already exposed through API Gateway and you only need IP-level filtering, use the IP address-based access control plug-in. See IP address-based access control plug-in for configuration steps.