Web Application Firewall (WAF) inspects incoming HTTP and HTTPS traffic and applies protection rules to block malicious requests before they reach your origin servers. This page lists all available protection features, their default state, and links to configuration guides.
Protection features
Features marked On by default are active as soon as you add a domain name. All others must be enabled manually.
| Feature | What it does | Default state |
|---|---|---|
| Protection Rules Engine | Blocks common web attacks based on built-in rules, including SQL injection, cross-site scripting (XSS), webshells, command injection, backdoor isolation, invalid file requests, path traversal, and exploitation of common vulnerabilities. | On by default |
| Protection Rule Group | Lets you combine protection rules into a Protection Rules Engine and apply it to specific websites. Custom rule groups are available for the protection rules engine only. | Must be enabled |
| Website Tamper-proofing | Locks specific web pages so that WAF serves a cached copy when those pages are requested, preventing unauthorized modifications. | Must be enabled |
| Data Leakage Prevention | Scans server responses and masks sensitive data—such as ID card numbers, bank card numbers, phone numbers, and sensitive words—before returning masked information or default error pages to visitors. | Must be enabled |
| Positive Security Model | Uses machine learning to analyze normal traffic patterns for your website and automatically generates tailored security policies based on that baseline. | Must be enabled |
| Feature | What it does | Default state |
|---|---|---|
| Authorized Crawler | Maintains a whitelist of trusted search engine crawlers—Google, Bing, Baidu, Sogou, and Yandex—and allows them to access specified domain names. | Must be enabled |
| Bot Threat Intelligence | Identifies suspicious IP addresses associated with dialers, on-premises data centers, and malicious scanners. Maintains a dynamic library of known malicious crawler IPs to block access to your websites or specific directories. | Must be enabled |
| Data Risk Control | Protects business-critical endpoints—such as registration, login, campaign, and forum pages—against fraud and abuse. | Must be enabled |
| Mobile App Protection | Provides secure connections and anti-bot protection for native applications. Detects and blocks proxies, emulators, and requests with invalid signatures. | Must be enabled |
| Feature | What it does | Default state |
|---|---|---|
| HTTP Flood Protection | Defends against HTTP flood attacks using configurable protection modes. | On by default |
| IP Address Blacklist | Blocks requests from specified IP addresses, CIDR blocks, or geographic regions. | Must be enabled |
| Scanning Protection | Automatically blocks source IPs that trigger multiple web attacks or targeted directory traversal attempts within a short window. Also blocks IPs from common scan tools and the Alibaba Cloud malicious IP library. | Must be enabled |
| Custom Protection Policy | Lets you define access control rules and rate limiting based on precise match conditions. | Must be enabled |
| Feature | What it does | Default state |
|---|---|---|
| Account Security | Monitors authentication endpoints—such as registration and login pages—for threats including credential stuffing, brute-force attacks, spam registration, weak password sniffing, and SMS flood attacks. | Must be enabled |
Configure whitelists to exclude specific requests from one or more protection features.
| Feature | Scope | Default state |
|---|---|---|
| Website Whitelist | Matching requests bypass all protection features and go directly to origin servers. | Must be enabled |
| Web intrusion prevention whitelist | Matching requests bypass specified web security features, such as the protection rules engine. | Must be enabled |
| Data SecurityWhitelist | Matching requests bypass website tamper-proofing, data leakage prevention, and account security. | Must be enabled |
| Bot ManagementWhitelist | Matching requests bypass bot threat intelligence, data risk control, intelligent algorithm, and application protection. | Must be enabled |
| Access Control/ThrottlingWhitelist | Matching requests bypass HTTP flood protection, IP address blacklist, scan protection, and custom protection policies. | Must be enabled |
Disable WAF protection
To disable WAF protection, go to Asset Center > Website Access in the WAF 2.0 console and turn off WAF Protection.
When WAF protection is disabled, traffic bypasses the WAF protection engine and WAF stops logging monitored and blocked requests. If you perform operations such as emergency tests that require WAF protection to be temporarily disabled, we recommend that you go to the Protected Objects page in the WAF 2.0 console and enable WAF protection again after the operations are complete to resume logging monitored and blocked requests. This helps reduce the potential exposure of your assets.
If you enable the API security module, disabling WAF protection does not stop it—its detection process continues running, and traffic fees for the API security module still apply. For pay-as-you-go WAF instances, feature fees and basic request fees also continue to accrue during the disabled period. Billing is suspended only for bot management, risk identification, and custom rules.
Disabling WAF protection is not supported for Microservices Engine (MSE) and Function Compute (FC) that are added to WAF. For websites deployed in a hybrid cloud environment, disabling WAF protection applies only when the hybrid cloud version meets specific conditions. For version requirements, contact your business manager or submit a ticket to contact Alibaba Cloud technical support, who will provide you with specific version information.