Integrate a Node.js application with application protection

更新时间:
复制 MD 格式

Integrate a RASP (Runtime Application Self-Protection) probe into your Node.js application to monitor and defend against malicious behavior and security threats in real time.

Prerequisites

  • The Security Center agent on the server where the application runs must be in the online state.

    To check the agent status, go to the Assets > Host page. On the Server tab, check the icon in the Agent column. The image..png icon indicates that the agent is online. If the agent is offline, troubleshoot the issue. For more information, see Troubleshoot offline agents.

  • If you are using application protection as a RAM user, make sure that the RAM user is granted the AliyunYundunWAFFullAccess and AliyunYundunSASFullAccess policies. For more information about how to grant permissions, see Manage RAM user permissions.

Create an application group

  1. Log on to the Security Center console.

  2. In the navigation pane on the left, choose Protection Configuration > Application Protection. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Application Configurations tab, click Create Application Group.

  4. On the wizard page that appears, enter a name for the Application Group Name, select Node.js for Application Language, enter a description for Remarks, and then click Next.

    Set the application group name based on the web business you want to protect. Application group names must be unique. The application language cannot be changed after selection.

    After you complete this step, an application group is created.

Manually integrate the application

  1. On the Application Configurations tab, find the Node.js application you just created. In the Actions column, click Access Management.

  2. Choose Manual Access > Access Guide, and then select one of the two Installation Method options: Quick Install or Standard Installation.

  3. After the installation is complete, follow the verification steps under Verify Installation to verify that the probe is running correctly.

Configure a protection policy

On the Application Configurations tab, find the Node.js application you just created. In the Actions column, click Protection Policy. In the Protection Policy dialog box, configure the following parameters.

Important

The default protection mode is Monitor. We recommend that you use Monitor mode for 2 to 5 days first. If no false positives occur during this period, switch to Block mode. If false positives occur, create a whitelist rule to exclude the incorrectly blocked detection type. For more information, see Add an alert to a whitelist.

Category

Parameter

Description

Protection Policy

Application Group Name

The name of the application group. The name cannot be modified here.

Protection Status

Enables or disables protection for the application group. Enabled by default. When disabled, application protection neither detects nor blocks attacks.

Protection Mode

The protection mode for the application group. Options:

  • Monitor: Monitors attack behavior without blocking it. When an attack is detected, an alert is generated with the handling method set to Monitor.

  • Block: Monitors and blocks attack behavior, and monitors high-risk operations on application instances. When an attack is blocked, an alert is generated with the handling method set to Block.

Protection Policy Group

The default protection policy group is Default Runtime Policy Group. You can select a different policy group from the drop-down list. For more information about policy groups, see Manage protection policies.

Threat Type

The detection types supported by the selected protection policy group.

Common Settings

Detection Timeout Period

The maximum time for attack detection, in milliseconds. Valid values: 1 to 60,000. Default value: 50. If detection exceeds this time limit, the original business logic continues to execute even if detection is not yet complete. We recommend that you use the default value.

Method to Obtain Source IP Address

  • Select Default. The system retrieves the source IP address from HTTP headers in the following order: X-Real-IP, True-Client-IP, and X-Forwarded-For. If X-Real-IP is unavailable, True-Client-IP is used. If neither is available, X-Forwarded-For is used.

  • Select Enter Custom Header. The system prioritizes custom header values to retrieve the source IP address. When multiple custom headers are configured, the system tries them in order. If none match, the default rule takes effect.

    Note

    You can set a maximum of five custom header values.

Runtime Circuit Breaking Settings

When enabled, RASP real-time protection automatically stops if server or process resource utilization exceeds either the CPU or memory circuit breaker threshold. Protection resumes automatically when resource utilization drops below all circuit breaker thresholds.

This ensures business stability during traffic peaks. Disabled by default. Enable it if your application is a compute-intensive workload sensitive to performance overhead. Configuration parameters:

  • CPU Utilization in Server or Container Exceeds: Valid values: 10% to 99%. Recommended value: 95%.

  • Memory Usage in Server or Container Exceeds: Valid values: 5% to 99%. Recommended value: 98%. Or Remaining Memory Is Less Than: Minimum value: 10 MB. Recommended value: 100 MB.

Important
  • The circuit breaker feature requires RASP probe version 0.8.8 or later. For earlier versions, restart the application process to upgrade to the latest version automatically.

  • Instances in the Protection After Circuit Breaking state still consume authorization quota.

Verify the integration

If the PID of the application process appears in the authorized instances list of the application group, the integration is successful. To view integrated applications:

  1. On the Application Protection page, go to the Application Configurations tab. Click the number in the Authorized Process column for the target application group.

  2. In the Process Details panel, view the integrated applications.

    If the PID of the application process on the target server appears in the list, the integration is successful.

    image.png

Limitations

  • Node.js version must be 18.0.0 or later.

What's next

  1. Adjust the protection mode, protection policy group, and other settings for the application group based on your business needs. If false positives occur, create protection whitelist rules to prevent similar alerts. For more information, see Manage protection policies.

  2. Handle attack alerts.