Overview

更新时间:
复制 MD 格式

Web Application Firewall (WAF) inspects incoming HTTP and HTTPS traffic and applies protection rules to block malicious requests before they reach your origin servers. This page lists all available protection features, their default state, and links to configuration guides.

Protection features

Features marked On by default are active as soon as you add a domain name. All others must be enabled manually.

Web Security
Feature What it does Default state
Protection Rules Engine Blocks common web attacks based on built-in rules, including SQL injection, cross-site scripting (XSS), webshells, command injection, backdoor isolation, invalid file requests, path traversal, and exploitation of common vulnerabilities. On by default
Protection Rule Group Lets you combine protection rules into a Protection Rules Engine and apply it to specific websites. Custom rule groups are available for the protection rules engine only. Must be enabled
Website Tamper-proofing Locks specific web pages so that WAF serves a cached copy when those pages are requested, preventing unauthorized modifications. Must be enabled
Data Leakage Prevention Scans server responses and masks sensitive data—such as ID card numbers, bank card numbers, phone numbers, and sensitive words—before returning masked information or default error pages to visitors. Must be enabled
Positive Security Model Uses machine learning to analyze normal traffic patterns for your website and automatically generates tailored security policies based on that baseline. Must be enabled
Bot Management
Feature What it does Default state
Authorized Crawler Maintains a whitelist of trusted search engine crawlers—Google, Bing, Baidu, Sogou, and Yandex—and allows them to access specified domain names. Must be enabled
Bot Threat Intelligence Identifies suspicious IP addresses associated with dialers, on-premises data centers, and malicious scanners. Maintains a dynamic library of known malicious crawler IPs to block access to your websites or specific directories. Must be enabled
Data Risk Control Protects business-critical endpoints—such as registration, login, campaign, and forum pages—against fraud and abuse. Must be enabled
Mobile App Protection Provides secure connections and anti-bot protection for native applications. Detects and blocks proxies, emulators, and requests with invalid signatures. Must be enabled
Access Control/Throttling
Feature What it does Default state
HTTP Flood Protection Defends against HTTP flood attacks using configurable protection modes. On by default
IP Address Blacklist Blocks requests from specified IP addresses, CIDR blocks, or geographic regions. Must be enabled
Scanning Protection Automatically blocks source IPs that trigger multiple web attacks or targeted directory traversal attempts within a short window. Also blocks IPs from common scan tools and the Alibaba Cloud malicious IP library. Must be enabled
Custom Protection Policy Lets you define access control rules and rate limiting based on precise match conditions. Must be enabled
Protection Lab
Feature What it does Default state
Account Security Monitors authentication endpoints—such as registration and login pages—for threats including credential stuffing, brute-force attacks, spam registration, weak password sniffing, and SMS flood attacks. Must be enabled
Whitelist

Configure whitelists to exclude specific requests from one or more protection features.

Feature Scope Default state
Website Whitelist Matching requests bypass all protection features and go directly to origin servers. Must be enabled
Web intrusion prevention whitelist Matching requests bypass specified web security features, such as the protection rules engine. Must be enabled
Data SecurityWhitelist Matching requests bypass website tamper-proofing, data leakage prevention, and account security. Must be enabled
Bot ManagementWhitelist Matching requests bypass bot threat intelligence, data risk control, intelligent algorithm, and application protection. Must be enabled
Access Control/ThrottlingWhitelist Matching requests bypass HTTP flood protection, IP address blacklist, scan protection, and custom protection policies. Must be enabled

Disable WAF protection

To disable WAF protection, go to Asset Center > Website Access in the WAF 2.0 console and turn off WAF Protection.

When WAF protection is disabled, traffic bypasses the WAF protection engine and WAF stops logging monitored and blocked requests. If you perform operations such as emergency tests that require WAF protection to be temporarily disabled, we recommend that you go to the Protected Objects page in the WAF 2.0 console and enable WAF protection again after the operations are complete to resume logging monitored and blocked requests. This helps reduce the potential exposure of your assets.

Important

If you enable the API security module, disabling WAF protection does not stop it—its detection process continues running, and traffic fees for the API security module still apply. For pay-as-you-go WAF instances, feature fees and basic request fees also continue to accrue during the disabled period. Billing is suspended only for bot management, risk identification, and custom rules.

Disabling WAF protection is not supported for Microservices Engine (MSE) and Function Compute (FC) that are added to WAF. For websites deployed in a hybrid cloud environment, disabling WAF protection applies only when the hybrid cloud version meets specific conditions. For version requirements, contact your business manager or submit a ticket to contact Alibaba Cloud technical support, who will provide you with specific version information.