This topic covers the features and documentation updates for Web Application Firewall (WAF).
For more information about Web Application Firewall, see product updates.
2023
Release date | Feature | Description | References |
2023-07-14 | DNS status check | WAF checks the DNS status of protected domain names to identify abnormal DNS resolution and prevent service interruptions. | |
2023-06-21 | Domain ownership verification | When you add a domain name to WAF for the first time, you must verify ownership of its root domain. Once verified, you can add any subdomain of that root domain without additional verification. |
2022
Release date | Feature | Description | References |
2022-09-23 | Obtain the source port from a custom header | In the WAF access configuration, you can enable "Traffic Mark" and select "Source Port". This allows you to specify the custom header field that contains the source port. WAF records this header and forwards it to the origin server. | |
2022-08-24 | Customizable back-to-origin timeouts | In WAF access settings, you can customize the timeouts for new, read, and write connections to meet your business requirements. | |
2022-07-25 | WAF 2.0 releases a new API security console | The new console improves user experience by clearly displaying the three core capabilities: asset discovery, risk identification, and attack monitoring. | |
2022-04-18 | WAF 2.0 introduces dynamic tokens for the anti-crawler feature | This feature adds dynamic token verification to the scenario-based anti-crawler configuration, which improves the security and compatibility of human-machine verification. It works by signing web requests. When a client sends a request, the WAF-provided WebSDK signs the request and includes the signature. If the signature is valid, the request is forwarded to the origin server. If the signature verification fails, WAF returns a code snippet that prompts the client to execute the dynamic token process and resubmit the signed request. | |
2022-01-19 | The protection rules engine now includes intelligent rule hosting | You can configure the protection rules engine to automatically defend your website against common web attacks. These attacks include SQL injection, cross-site scripting (XSS), webshell upload, command injection, backdoor isolation, invalid file requests, path traversal, and common application vulnerabilities. |
2021
Release date | Feature | Description | References |
September 18, 2021 | Support for using custom headers to record client IP addresses | When you add a website to WAF, you can enable the traffic marking feature. This feature lets WAF insert the client IP into a custom header field that you specify. Your origin server can then retrieve the client IP from this header in back-to-origin requests. This is useful for origin servers that use a custom header to record client IP addresses, and it is supported in both CNAME record mode and transparent proxy mode. | |
August 13, 2021 | Log Service for WAF upgrade | The Log Service for WAF is upgraded with the following enhancements: | |
July 30, 2021 | Support for configuring origin SNI | When you add a website in CNAME record mode, you can now enable the Enable Origin SNI setting. If your website uses HTTPS and your origin server hosts multiple virtual hosts, you can enable this setting. WAF then adds a Server Name Indication (SNI) field to back-to-origin requests to specify the intended host. | |
June 22, 2021 | Support for server port as a match condition in custom protection policies | For WAF instances of the Business edition and higher, you can use Server-Port as a match condition when you create a custom protection policy. This lets you define access control or HTTP flood protection policies based on a request's destination port. | |
June 19, 2021 | Transparent proxy mode now supports protection for services on Application Load Balancer (ALB) instances | You can now enable WAF protection for services on an Application Load Balancer (ALB) instance with a single click from the listener configuration. This feature uses the transparent proxy mode. | |
May 11, 2021 | Hybrid Cloud WAF now supports console-based cluster deployment and node management | The Hybrid Cloud WAF solution now includes the following new features: | |
May 8, 2021 | Support for obtaining client IPs from custom headers | The Client IP Acquisition Method parameter is now available in CNAME record mode. If you have other Layer 7 proxies, such as Anti-DDoS Pro or Alibaba Cloud CDN, deployed in front of WAF, you can configure WAF to retrieve the client IP from a specific header field. You can specify multiple header fields, and WAF attempts to obtain the client IP from them in sequence. | |
April 1, 2021 | Support for IPv6 origin server IP addresses | When you add a website in CNAME record mode, the Server Address parameter now supports IPv6 addresses for the origin server. This feature is ideal for industries, such as finance and government, that require end-to-end IPv6 support. | |
March 23, 2021 | Threat event analysis now available on the Overview page | The WAF Overview page now includes a threat event analysis module. This module analyzes large volumes of attack alerts to generate threat event records, providing you with a clearer and more intuitive understanding of threat sources and mitigation strategies. Use this feature to identify the most critical threats from a large number of alerts. | |
March 18, 2021 | False positive suppression now available in web security reports | Security reports for web attacks now support false positive suppression. This feature automatically generates a whitelist rule for a specific rule ID. You can also manually add a whitelist rule based on a specific rule ID or rule type in the web intrusion prevention settings to simplify handling false positives. This feature is ideal for enterprise services that are sensitive to false positives and require fine-grained control without compromising protection. | |
January 29, 2021 | WAF now offers scenario-based configuration for anti-crawler rules | WAF now provides scenario-based configuration for the anti-crawler feature. You can customize anti-crawler rules based on your business scenarios to provide more targeted protection against malicious crawlers. | |
January 28, 2021 | Transparent proxy mode now supports Layer 4 SLB and ECS | The transparent proxy mode now supports protection for web traffic on Layer 4 SLB and ECS instances. | |
January 15, 2021 | Support for custom TLS versions and cipher suites | WAF now allows you to customize TLS protocol versions and cipher suites for your protected domain names. This provides flexibility to meet security compliance and compatibility requirements for HTTPS communication in different scenarios. | |
January 6, 2021 | Pay-as-you-go 2.0 is now available | The WAF pay-as-you-go billing model has been upgraded to version 2.0. This plan calculates your fees based on the number of enabled features and your usage of each feature. |
2020
Release date | Feature | Description | References |
2020-10-21 | Enhancements to security report | The security report feature is updated. You can now filter attack records by rule ID. | |
2020-08-17 | Enhancements to asset discovery | WAF now provides asset security scores and web asset fingerprinting. This helps you identify high-risk zero-day vulnerabilities in your assets. Note: The asset discovery module supports domain names from both Alibaba Cloud and third parties. Third-party domain names are those of servers that are provided by third parties or deployed in on-premises data centers. | |
2020-07-09 | Transparent access mode released | If your origin server is an ECS instance with a public IP, you can now add your service to Web Application Firewall (WAF) by using the transparent access mode. In this mode, traffic from the ECS instance is automatically redirected to WAF for protection, without modifying DNS records, configuring origin protection, or changing the IP address of the origin server. | |
2020-06-04 | Enhancements for custom protection rule groups and the Overview page | | |
2020-05-18 | Support for Terraform | To meet the O&M requirements of large enterprises, WAF now fully supports Terraform. You can use code to manage basic WAF operations, such as domain name and policy management. Note: This feature allows you to automate tasks that would otherwise require manual operations in the console. This improves efficiency and reduces errors. For more information, see the Terraform documentation. | None |
2020-04-10 | User experience enhancements | You can now drill down from the Overview page to security reports, and from security reports to Log Service. This creates a seamless workflow for data operations. | |
2020-04-02 | Bot management released | WAF now offers bot management and app protection as value-added services. These services provide intelligent protection against automated attacks and bot traffic, and ensure trusted communication for native apps to prevent abuse from bot scripts. Note: The bot management and app protection modules are available only for the new protection engine that was released in January 2020. If you are using an older protection engine, we recommend that you upgrade it as soon as possible. | |
2020-03-04 | Intelligent load balancing released | Intelligent load balancing provides automatic disaster recovery across multiple nodes and routes and delivers low-latency access through optimal routing. | |
2020-02-14 | Log Service enhancements | You can now quickly enable full logging for custom domains. | None |
2020-02-10 | Event alerting upgraded | The WAF alert notification feature now focuses on baseline data and event generation. It supports alerts for security events and service monitoring to facilitate daily O&M. | |
2020-01-15 | Application protection upgraded | The new-generation protection engine for WAF provides fine-grained throttling for robust protection against malicious traffic. It also supports account security protection to defend against common threats such as HTTP flood attacks, dictionary attacks, and weak password exploits. Note: These protection capabilities are available to all users. However, the configuration options in the console are available only to new customers. Existing customers can upgrade their instances to use these features starting in March 2020. |
2019
Release date | Feature | Description | References |
December 20, 2019 | Enhancements for the exclusive edition | Enhancements to the WAF exclusive edition let you configure a custom timeout period for domain names to improve the user experience. | |
November 28, 2019 | Account security detection released | The WAF account security module helps you identify security risks on login-related endpoints. These risks include dictionary attacks, brute-force attacks, spam registrations, weak password sniffing, and SMS verification code flooding. | |
October 25, 2019 | Virtualized exclusive edition released | The WAF exclusive edition allows you to customize protection settings, including protection ports, TLS versions, cipher suites, and the response page for blocked requests, to meet specific web security requirements. | |
October 22, 2019 | URL profiling for protected websites released | WAF can now automatically identify business URL profiles and traffic volumes based on historical data. This allows you to create and implement highly customized protection policies. | None |
October 16, 2019 | Overview page displays scan protection data | The WAF Overview page now shows data from the scan protection module. This includes the total number of blocked requests, a list of blocked scan attack events, attack details, and mitigation suggestions from security experts. | |
September 24, 2019 | One-click protection available in asset management | The WAF asset management page now displays the protection status of your assets and lets you add new assets to WAF for protection with a single click. | |
August 22, 2019 | Positive security model released | WAF introduces a positive security model that uses intelligent, big data-driven learning algorithms. It continuously analyzes your historical traffic to build and iterate on automated, customized protection policies. | |
July 30, 2019 | Cloud website asset management released | WAF now provides website asset management that discovers your cloud website assets and offers one-click onboarding to build a comprehensive and secure web application defense system. | |
July 18, 2019 | Web attack details added to security report | The WAF security report now includes a web attack details page. This page details why WAF blocked specific attacks, improving the efficiency and effectiveness of your security operations. | |
June 27, 2019 | Support for HTTP/2 application protection | WAF now protects application traffic using the HTTP/2 protocol, expanding protocol coverage for more comprehensive application protection. | |
June 13, 2019 | Support for custom web decoding methods | WAF now lets you configure custom web decoding methods in the protection configuration settings. | |
May 30, 2019 | ACL rule enhancement | You can now add multiple IP addresses or a CIDR block as a match condition in an access control list (ACL) rule. | |
May 30, 2019 | Overview page enhanced | The enhanced WAF Overview page aggregates security events from large volumes of log data and provides expert mitigation advice. It also displays attack statistics by type and shows the top attacked domains to help you improve security operations. | |
April 30, 2019 | IPv6 application protection released | WAF now supports one-click onboarding for services hosted on IPv6 origin servers without modifying your origin servers. This feature helps your IPv6 services meet compliance requirements. | |
March 19, 2019 | Threat intelligence released | WAF now provides a threat intelligence library with web scan fingerprints. You can customize the block frequency and duration for web scans. WAF also automatically blocks requests that match common scan signatures, such as path traversal. | |
January 3, 2019 | Custom region blacklist | The WAF region blacklist feature now lets you block requests from specific countries and regions worldwide. |
2018
Release date | Feature | Description | References |
December 20, 2018 | API for website tamper-proofing released | WAF now provides an API for the website tamper-proofing feature. Use the API to perform common tasks, such as updating the cache and enabling website tamper-proofing protection. | None |
December 13, 2018 | Custom protection rule groups released | WAF now supports custom protection rule groups. You can create service-specific rules to prevent false positives from default rules and ensure service security. | |
November 16, 2018 | Support for one-year log retention | WAF now integrates with Log Service to collect business logs from your protected websites in real time, providing log search and analysis. | |
October 24, 2018 | Support for traffic marking | WAF now supports traffic marking, which lets you insert a specific header value into requests to identify traffic forwarded by WAF. | |
October 1, 2018 | Support for security event alerting | WAF can now notify you of security events and system alerts via SMS or email. You can customize the metrics to monitor to promptly detect service anomalies. | |
July 27, 2018 | API released | WAF now provides an API for common tasks typically performed in the console. This allows you to automate tasks and perform batch operations. | |
May 29, 2018 | Dashboard trial launched | WAF has launched a dashboard trial, which provides a comprehensive overview of your website's activity. | |
April 27, 2018 | Precise access control enhanced | WAF now supports more HTTP header fields for configuring ACL rules. This enables more granular filtering of access requests. | |
March 16, 2018 | Dashboard released in public beta | WAF now offers a dashboard that provides key data monitoring and visualization for security and operations personnel. | |
March 15, 2018 | Support for instance termination | You can now terminate a WAF instance from the console. | |
January 11, 2018 | Yidun mobile number risk control service launched | WAF now includes the Yidun mobile number risk scoring service. This service helps prevent issues such as bot registrations, malicious order placing, and ticket scalping. | None |
2017
Release date | Feature | Description |
December 28, 2017 | Support for more non-standard ports | WAF now protects more services that use non-standard ports. |
November 24, 2017 | Support for multiple load balancing algorithms | You can now select from multiple load balancing algorithms to suit your specific needs. |
October 30, 2017 | Application security solutions | WAF introduces application security solutions to protect mobile apps from threats such as bot abuse and web scraping. |
October 26, 2017 | Support for WebSocket | WAF now protects WebSocket services. |
August 31, 2017 | Support for error code monitoring | WAF can now monitor error codes from origin servers. |
August 31, 2017 | Support for service bandwidth queries | You can now query inbound and outbound service bandwidth. |
August 31, 2017 | Support for QPS queries | You can now query QPS at both the instance and domain name levels. |
August 16, 2017 | Support for viewing blackhole event details | You can now view blackhole event details, including the breached attack threshold and other event-specific information. |
July 27, 2017 | Exclusive IP is now available | You can purchase exclusive IP resources to isolate the IP addresses for your domain names. |
July 25, 2017 | Precise access control enhancement | You can now create precise access control rules that bypass risk control and region blocking policies. |
July 25, 2017 | CAPTCHA algorithm optimization | The optimized CAPTCHA algorithm for custom HTTP flood protection rules improves the block rate for HTTP flood attacks. |
July 25, 2017 | Support for more logical operators in rules | Precise access control rules now support additional logical conditions, including 'Does not exist' and 'Value length range'. |
July 25, 2017 | Support for more HTTP fields | You can now configure precise access control rules based on a wider range of HTTP fields. |
June 7, 2017 | Support for using a domain name as the origin address | In your website configuration, you can now use a domain name as the origin address. |
May 25, 2017 | Data leakage prevention is now available | WAF now offers data leakage prevention to help you comply with security regulations and protect sensitive data. |
April 12, 2017 | Support for one-click HTTPS | You can now enable HTTPS for your website with a single click in the WAF console, without needing to change your server configuration. |
April 12, 2017 | Support for non-standard ports across multiple editions | Multiple editions of WAF now protect services that use non-standard ports. |
March 28, 2017 | Threat intelligence is now available | WAF introduces a threat intelligence feature powered by big data. It provides security score assessments, high-risk warnings, and details on real-time attacks. |
March 8, 2017 | Simplified domain onboarding | The simplified domain onboarding process lets you add DNS records with a single click. |
February 9, 2017 | Website tamper-proofing is now available | WAF introduces a website tamper-proofing feature to prevent malicious modification of your web pages. |
January 5, 2017 | Support for virtual hosts | You can now add websites hosted on HiChina virtual hosts to WAF. |
2016
Release date | Feature | Description |
2016-12-21 | WAF V3.1 | WAF V3.1 enhances the engine's core protection capabilities. This version lets you block IP addresses by region and configure custom rules to mitigate HTTP flood attacks. |
2016-12-01 | Intelligent semantic analysis engine | The WAF protection engine now incorporates an intelligent semantic analysis engine. Compared to traditional regex-based rules, this new engine significantly reduces both false positive and false negative rates. |