Create a web core protection rule.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
yundun-waf:CreateDefenseRule |
create |
*All Resource
|
|
None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| InstanceId |
string |
Yes |
The ID of the WAF instance. Note
You can call the DescribeInstance operation to get the ID of your WAF instance. |
waf_v2_public_cn-**** |
| TemplateId |
integer |
No |
The ID of the protection rule template. Note
This parameter is required only when DefenseType is set to template. |
1122 |
| DefenseScene |
string |
Yes |
The scenario to which the protection rule is applied. If DefenseType is set to template, valid values are:
If DefenseType is set to resource, valid values are:
If DefenseType is set to global, valid values are:
Note
You can apply a global custom response to a protected object or a rule. If you configure custom response rules at different levels, the rule with the finest-grained scope takes precedence. The priority is as follows: rule > protected object > default page. |
waf_group |
| Rules |
string |
Yes |
The details of the protection rule. This value is a JSON string. Note
The parameters in the JSON string vary based on the value of DefenseScene. For more information, see Protection rule parameters. |
waf_group |
| ResourceManagerResourceGroupId |
string |
No |
The ID of the resource group. |
rg-acfm***q |
| DefenseType |
string |
No |
The type of the protection rule. Valid values:
|
template |
| RegionId |
string |
No |
The region where the WAF instance is deployed. Valid values:
|
cn-hangzhou |
| Resource |
string |
No |
The protected object to which the rule applies. Note
This parameter is required only when DefenseType is set to resource. |
sec****-waf |
Protection rule parameters
Template protection rule (template)
When DefenseType is set to template, the rule configuration is as follows.
Basic protection rules (waf_group)
Parameters
| Parameter | Type | Required | Example | Description |
| status | Integer | Required | 1 | Specifies the initial status of the defense rule. To change the status later, call the ModifyDefenseRuleStatus operation. Valid values: - 0: disabled. - 1 (default): enabled. |
| action | String | Required | block | Specifies the action for the defense rule. Valid values: - block: blocks matching requests. - monitor: monitors matching requests. |
| policyId | Long | Optional | 1012 | Specifies the ID of the defense rule group. Defaults to the medium rule group (1012). |
| protectionType | String | Optional | sema | Specifies the type of defense rule. Valid values: - regular (default): regular expression protection. - sema: semantic protection. |
| config | String | Optional | {"nonInjectionSql":1} | Specifies the custom configuration as a JSON string. For a detailed list of settings, refer to the config object documentation. |
Parameters
When protectionType is set to sema, where the basic protection rule is semantic protection.
| Parameter | Type | Required | Example | Description |
| nonInjectionSql | Integer | Yes | 1 | Indicates whether non-injection attack detection is enabled. Valid values: - 0: disabled. - 1 (default): enabled. |
Example
{
"DefenseScene": "waf_group",
"TemplateId": 322,
"InstanceId": "waf_cn****",
"Rules": "[{\"status\":1,\"policyId\":1012,\"action\":\"block\"},{\"status\":1,\"action\":\"block\",\"protectionType\":\"sema\",\"config\":\"{\\\"nonInjectionSql\\\":1}\"}]"
}
New core web protection (waf_base)
Parameters
| Parameter | Type | Required | Example value | Description |
| autoUpdate | Boolean | Required | true | Specifies whether to enable automatic updates. Valid values: - true: Enables automatic updates. - false: Disables automatic updates. |
| config | Array | Required | [{"ruleType":"system","ruleDetail":[{"ruleId":13000412,"ruleStatus":1,"ruleAction":"block"}]}] | The rule configuration to modify. Important Call the DescribeBaseSystemRules operation to query the template's system protection rule configuration. Call the DescribeDefenseRules operation to query the template's custom regular expression rule configuration. |
config: Configuration details
| Parameter | Type | Required | Example value | Description |
| ruleType | String | Required | system | The rule type. Valid values: - system: A system rule for Basic Protection. - custom: A custom regular expression rule for Basic Protection. |
| ruleBatchOperationConfig | String | Optional | default | Specifies the batch operation for rules. This parameter cannot be used with the RuleDetail parameter. Valid values:- default: Restores the default settings. - all_on: Enables all rules. - all_off: Disables all rules. - all_block: Sets the action of all rules to Block. - all_monitor: Sets the action of all rules to Monitor. |
| ruleDetail | Array | Optional | [{"ruleId":13000412,"ruleStatus":1,"ruleAction":"block"}]] | The details of the rules to modify. Properties: - ruleId: The rule ID. - ruleStatus: The rule status. - ruleAction: The rule action. |
Example
{
"DefenseScene": "waf_base",
"TemplateId": 322,
"InstanceId": "waf_cn****",
"Rules": "[{\"autoUpdate\":true,\"config\":[{\"ruleType\":\"system\",\"ruleDetail\":[{\"ruleId\":13000412,\"ruleStatus\":1,\"ruleAction\":\"block\"}]}]}]"
}
Antiscan rules
Parameters
| Parameter | Type | Required | Example value | Description |
| protectionType | String | required | highfreq | The subtype of the scan protection rule. Valid values: - highfreq: high-frequency scan blocking. - dirscan: directory traversal blocking. - scantools: scan tool blocking. |
| status | Integer | required | 1 | The status of the protection rule. This parameter is used only when you create a protection rule. To modify the status, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: disabled. - 1 (default): enabled. |
| action | String | required | block | The action for the protection rule. Valid values: - block: blocks matching requests. - monitor: monitors matching requests. |
| actionExternal | JSON | optional | {"responseRuleId":123444} | Specifies the extended configuration for the rule's action, allowing you to define a custom response. For example, if the action parameter is set to block, you can specify a custom block page. |
| config | String | optional | {"target":"remote_addr","interval":60,"ttl":180,"count":20} | Custom configuration, specified as a JSON string. For more information, see Details of the config parameter. |
Detailed configuration
When protectionType is set to highfreq (for high-frequency scan blocking)
| Parameter | Type | Required | Example | Description |
| target | String | Yes | remote_addr | The statistic object type. Valid values: - remote_addr (default): IP address. - cookie.acw_tc: session. - header: custom header. If you select this value, specify the header field in the subKey parameter. - queryarg: custom parameter. If you select this value, specify the parameter name in the subKey parameter. - cookie: custom cookie. If you select this value, specify the cookie name in the subKey parameter. |
| subKey | String | No | abc | The specific field of the statistic object. Required when target is set to cookie, header, or queryarg. |
| interval | Integer | No | 60 | The detection duration in seconds. The default value is 60. The value must be an integer from 5 to 1,800. |
| ttl | Integer | No | 1800 | The blocking duration in seconds. The default value is 1,800. The value must be an integer from 60 to 86,400. |
| count | Integer | No | 20 | Maximum number of times a basic protection rule can be triggered. The default value is 20. The value must be an integer from 3 to 50,000. |
| ruleIdCount | Integer | No | 2 | Maximum number of triggered rules. The default value is 2. The value must be an integer from 1 to 50. |
When protectionType is set to dirscan (the scan protection rule for blocking directory traversal)
| Parameter | Type | Required | Value | Description |
| target | String | Required | remote_addr | The target object for statistics and blocking. Valid values: - remote_addr (default): IP - cookie.acw_tc: session - header: custom header - queryarg: custom parameter - cookie: custom cookie |
| subKey | String | Optional | 1 | The sub-key of the target object. Specify this parameter only when target is set to header, queryarg, or cookie. |
| interval | Integer | Optional | 60 | The detection duration, in seconds. Valid values: 5 to 1,800. Default: 60. |
| ttl | Integer | Optional | 1800 | The block duration, in seconds. Valid values: 60 to 86,400. Default: 1,800. |
| count | Integer | Optional | 20 | The maximum number of times a basic protection rule can be triggered. Valid values: 3 to 50,000. Default: 20. |
| weight | Float | Optional | 0.5 | The ratio of 404 response codes. Valid values: 0.01 to 1.0 (with a precision of two decimal places). Default: 0.7. |
| uriNum | Integer | Optional | 50 | The maximum number of non-existent directories. Valid values: 2 to 50,000. Default: 50. |
Example
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 2222,
"DefenseScene": "antiscan",
"Rules": "[{\"protectionType\":\"scantools\",\"action\":\"block\",\"status\":1},{\"protectionType\":\"dirscan\",\"status\":1,\"action\":\"block\",\"config\":\"{\\\"target\\\":\\\"remote_addr\\\",\\\"interval\\\":10,\\\"ttl\\\":1800,\\\"weight\\\":0.7,\\\"uriNum\\\":50,\\\"count\\\":50}\"},{\"protectionType\":\"highfreq\",\"status\":1,\"action\":\"block\",\"config\":\"{\\\"target\\\":\\\"remote_addr\\\",\\\"interval\\\":60,\\\"ttl\\\":1800,\\\"count\\\":20,\\\"ruleIdCount\\\":2}\"}]"
}
IP blacklist (ip_blacklist)
Parameters
| Parameter | Type | Required | Example value | Description |
| name | String | Required | iptest | The name of the ip blacklist rule. The name must be 1 to 255 characters long and can contain Chinese characters, letters, digits, underscores (_), periods (.), and hyphens (-). |
| status | Integer | Required | 1 | The rule status. Use this parameter only when you create a protection rule. To modify the rule status, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: disable - 1 (default): enable |
| action | String | Required | block | The rule action. Valid values: - block: Blocks requests. - monitor: Monitors requests. |
| actionExternal | JSON | Optional | {"responseRuleId":123444} | Extended configuration for the rule action. This parameter applies only to the new custom response feature. When action is set to block, you can specify a custom block page. |
| remoteAddr | Array | Required | ["1.1.XX.XX", "3.1.XX.XX/24"] | The IP addresses or CIDR blocks to add to the ip blacklist. Use the format ["ip1","ip2",...]. |
Example
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 2222,
"DefenseScene": "ip_blacklist",
"Rules": "[{\"name\":\"iptest1\",\"remoteAddr\":[\"1.1.1.2\",\"3.3.3.3/24\"],\"action\":\"monitor\",\"status\":1},{\"name\":\"iptest2\",\"remoteAddr\":[\"4.4.4.4\",\"5.5.5.5/32\"],\"action\":\"block\",\"status\":1}]"
}
Custom rule (custom_acl)
Parameters
| Parameter | Type | Required | Example | Description |
| name | String | Yes | iptest | The name of the custom ACL rule. The name must be 1 to 255 characters long and can contain Chinese characters, letters, digits, underscores (_), periods (.), and hyphens (-). |
| status | Integer | Yes | 1 | Specifies the status of the protection rule. This parameter applies only when you create a protection rule. To change the status of an existing rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values:- 0: disabled - 1 (default): enabled |
| action | String | Yes | block | Specifies the action of the protection rule. Valid values: - block: Blocks the request. - monitor: Monitors the request. - js: Triggers a JS challenge. - captcha: Triggers a CAPTCHA. - captcha_strict: Triggers a strict CAPTCHA. Note The actions available for custom ACL rules are limited to those shown in the WAF console. |
| actionExternal | JSON | No | {"responseRuleId":123444} | Specifies the extended configuration for the protection rule action. This parameter is available only for the new version of custom responses. When action is set to block, you can specify a custom block page. When action is set to captcha/ captcha_strict, you can specify a custom CAPTCHA page. |
| conditions | Array | Yes | [{"key":"IP","opValue":"eq","values":"11.XX.XX.1"},{"key":"Header","subKey":"abc","opValue":"contains","values":"test"}] | Specifies the match conditions for the ACL rule. The value is a JSON string. You can specify up to five match conditions. For more information, see the description of conditions in Parameters of protection rules. |
| ccStatus | Integer | Yes | 1 | Specifies whether to enable rate limiting. Valid values: - 0: Disables rate limiting. - 1: Enables rate limiting. |
| ratelimit | JSON | No | {"target":"remote_addr","interval":5,"threshold":2,"ttl":1800,"status":{"code":404,"count":2}} | Specifies the detailed configuration for rate limiting. The value is a JSON string. This parameter is required only when ccStatus is set to 1. For more information, see the description of ratelimit in Parameters of protection rules. |
| effect | String | No | rule | Specifies the scope of rate limiting. This parameter is required only when ccStatus is set to 1. Valid values:- service: Applies to the protected object. - rule: Applies to the single rule. |
| grayStatus | Integer | No | 1 | Specifies whether to enable grayscale release for the rule. Valid values: - 0 (default): Disables grayscale release. - 1: Enables grayscale release. |
| grayConfig | JSON | No | {"grayTarget":"header","grayRate":80,"graySubKey":"test"} | Specifies the configuration for the grayscale release. The value is a JSON string. This parameter is required only when grayStatus is set to 1. For more information, see the description of grayConfig in Parameters of protection rules. |
| timeConfig | JSON | No | {"timeScope":"period","timeZone":8,"timePeriods":[{"start":1758771729787,"end":1758816000000}]} | Specifies the schedule that determines when the rule is active. The value is a JSON string. For more information, see the description of timeConfig in Parameters of protection rules. |
Example
The provided document was analyzed for user interface (UI) terms according to the established criteria.
The document contains a JSON code example, which consists of API parameters and code variables. Per the exclusion criteria, these are not considered UI elements such as buttons, menus, or labels.
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 6242,
"DefenseScene": "custom_acl",
"Rules":"[{\"name\":\"acl_test\",\"action\":\"block\",\"conditions\":[{\"key\":\"URL\",\"opValue\":\"contain\",\"values\":\"abc\"}],\"ratelimit\":{\"target\":\"remote_addr\",\"interval\":5,\"threshold\":2,\"ttl\":1800,\"status\":{\"code\":404,\"count\":2}},\"ccStatus\":1,\"effect\":\"rule\",\"status\":1,\"origin\":\"custom\",\"timeConfig\":{\"timeScope\":\"cycle\",\"timeZone\":8,\"weekTimePeriods\":[{\"day\":\"1\",\"dayPeriods\":[{\"start\":0,\"end\":51644084}]},{\"day\":\"1,2,5\",\"dayPeriods\":[{\"start\":0,\"end\":42928908}]}]},\"grayStatus\":1,\"grayConfig\":{\"grayRate\":80,\"graySubKey\":\"test\",\"grayTarget\":\"header\"}}]"
}
Therefore, no UI terms were extracted from the document.
UI term extraction requires documentation containing interface descriptions, operational steps, or screenshots.
Whitelist
Parameters
| Parameter | Type | Required | Example value | Description |
| name | String | Required | whitelistTest | The name of the whitelist rule. The name must be 1 to 255 characters long and can contain Chinese characters, letters, digits, underscores (_), periods (.), and hyphens (-). |
| status | Integer | Required | 1 | The status of the protection rule. Use this parameter only when you create a protection rule. To modify the rule's status, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values:- 0: Disabled. - 1 (default): Enabled. |
| conditions | Array | Required | [{"key":"IP","opValue":"eq","values":"11.XX.XX.1"},{"key":"Header","subKey":"abc","opValue":"contains","values":"test"}] | A JSON string that contains an array of match conditions for the whitelist. You can specify up to five match conditions. For more information, see the description of conditions in Protection Rule Parameter Configuration. |
| tags | Array | Required | ["waf", "regular"] | The protection modules to which the whitelist rule applies. Specify the values in the ["XX1", "XX2",...] format. Valid values:- waf: All modules - customrule_rule: Specific custom rule - customrule: custom rules - blacklist: IP blacklist - blacklist_rule: Specific IP blacklist rule - antiscan: scan protection - regular: basic protection rules - regular_rule: Specific basic protection rule - regular_type: Specific basic protection rule type - regular_field: Specific basic protection field - major_protection: Major event protection - cc: CC protection - region_block: region blocking - antibot_scene: bot protection - antibot_scene_rule: Specific bot protection rule ID - antibot_scene_label: Specific bot protection rule type - dlp: data loss prevention - tamperproof: web tamper proofing - spike_throttle: spike throttling protection |
| regularRules | Array | Optional | [ "111111", "222222" ] | A list of basic protection rule IDs to exclude from detection. Specify the values in the ["XX1", "XX2",...] format. Configure this parameter only when the tags parameter is set to regular_rule. |
| regularTypes | Array | Optional | [ "xss", "css" ] | A list of basic protection rule types to exclude from detection. Specify the values in the ["XX1", "XX2",...] format. Configure this parameter only when the tags parameter is set to regular_type. Valid values:- sqli: SQL injection - xss: cross-site scripting - code_exec: code execution - crlf: CRLF - lfilei: local file inclusion - rfilei: remote file inclusion - webshell: webshell - csrf: CSRF - other: Other |
| regularFields | Array | Optional | [{"key":"URL"},{"key":"Header","subKey":"abc"}] | A JSON string that contains an array of fields to exclude from basic protection. You can specify up to five fields. For more information, see regularFields Configuration. Configure this parameter only when the tags parameter is set to regular_field. |
| customRules | Array | Optional | [ "111111", "222222" ] | A list of custom rule IDs to exclude from detection. Specify the values in the ["XX1", "XX2",...] format. Configure this parameter only when the tags parameter is set to customrule_rule. |
| blacklistRules | Array | Optional | [ "111111", "222222" ] | A list of IP blacklist rule IDs to exclude from detection. Specify the values in the ["XX1", "XX2",...] format. Configure this parameter only when the tags parameter is set to blacklist_rule. |
| botRules | Array | Optional | [ "111111", "222222" ] | A list of bot protection rule IDs to exclude from detection. Specify the values in the ["XX1", "XX2",...] format. Configure this parameter only when the tags parameter is set to antibot_scene_rule. |
| botLables | Array | Optional | [ "abc", "cdcc" ] | A list of bot protection rule types to exclude from detection. Specify the values in the ["XX1", "XX2",...] format. Configure this parameter only when the tags parameter is set to antibot_scene_label. You can call the DescribeBotRuleLabels operation to query the available rule types. |
Configuring regularFields
| Parameter | Type | Required | Example value | Description |
| key | String | required | URL | The field to ignore. Valid values: - URL-All: all fields of the URI. - URL: the entire URI. - URLPath: the URI path. - Query-All: all query arguments. - Query-Arg: a specified query argument. - Cookie-All: all cookies. - Cookie-Exact: a specified cookie name. - Header-All: all headers. - Header: a specified header field. - Body-All: all arguments in the request body. |
| subKey | String | optional | abc | The specific field to ignore. Required if key is URLPath, Query-Arg, Cookie-Exact, or Header. |
Example
Custom response rule (custom_response)
Parameters
| Parameter | Type | Required | Example value | Description |
| responseType | String | Yes | response_block | The custom response type. Set this to response_block to block the request. |
| status | Integer | Yes | 1 | The status of the defense rule. This parameter is used only when you create a defense rule. To modify the status of an existing rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: disabled. - 1 (default): enabled. |
| config | String | Yes | {"responseCode":400,"responseHeaders":[{"key":"custom","value":"123"},{"key":"aaa","value":"2223"}],"responseContent":"HelloWorld"} | The custom configuration, specified as a JSON string. For details, see config parameter details. |
Config
| Parameter | Type | Required | Example | Description |
| responseCode | Integer | required | 400 | The response code. |
| responseHeaders | Array | optional | [{"key":"custom","value":"123"},{"key":"aaaa","value":"2223"}] | A list of custom response headers, formatted as a JSON string. The key is the header field, and the value is the header value. |
| responseContent | String | required | helloworld | The content of the custom response. |
Example
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 2841,
"DefenseScene": "custom_response",
"Rules":"[{\"responseType\":\"response_block\",\"config\":\"{\\\"templateName\\\":\\\"aaa\\\",\\\"responseCode\\\":\\\"400\\\",\\\"responseContent\\\":\\\"helloWorld\\\",\\\"responseHeaders\\\":[{\\\"key\\\":\\\"test1\\\",\\\"value\\\":\\\"abc\\\"}]}\",\"status\":1}]"
}
Region block rule (region_block)
Parameters
| Parameter | Type | Required | Example value | Description |
| cnRegionList | String | Optional | 610000,230000 | A comma-separated list of region codes for Chinese mainland regions. Specify ["CN"] to block all Chinese mainland regions (excluding Hong Kong, Macao, and Taiwan). For the definitions of the region codes, see Description of region codes in the Chinese mainland. |
| abroadRegionList | String | Optional | KE,KG | A comma-separated list of country and region codes for regions outside the Chinese mainland. Call the DescribeIpAbroadCountryInfos operation to query the supported country and region codes. |
| status | Integer | Required | 1 | Specifies the status of the protection rule. This parameter applies only when creating a protection rule. To modify the status of an existing protection rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: Disabled. - 1 (default): Enabled. |
| action | String | Required | block | Specifies the action to perform. Valid values: - block: blocks matching requests. - monitor: monitors matching requests; captcha: performs a CAPTCHA challenge on matching requests; captcha_strict: performs a strict CAPTCHA challenge on matching requests. |
| actionExternal | JSON | Optional | {"responseRuleId":123444} | Specifies the extended configuration for the action. This parameter is available only with the custom response feature. When action is set to block, you can specify a custom block page. When action is set to captcha or captcha_strict, you can specify a custom CAPTCHA page. |
Chinese mainland region IDs
{
"110000": "Beijing",
"120000": "Tianjin",
"130000": "Hebei",
"140000": "Shanxi",
"150000": "Inner Mongolia",
"210000": "Liaoning",
"220000": "Jilin",
"230000": "Heilongjiang",
"310000": "Shanghai",
"320000": "Jiangsu",
"330000": "Zhejiang",
"340000": "Anhui",
"350000": "Fujian",
"360000": "Jiangxi",
"370000": "Shandong",
"410000": "Henan",
"420000": "Hubei",
"430000": "Hunan",
"440000": "Guangdong",
"450000": "Guangxi",
"460000": "Hainan",
"500000": "Chongqing",
"510000": "Sichuan",
"520000": "Guizhou",
"530000": "Yunnan",
"540000": "Tibet",
"610000": "Shaanxi",
"620000": "Gansu",
"630000": "Qinghai",
"640000": "Ningxia",
"650000": "Xinjiang",
"MO_01": "Macao SAR, China",
"HK_01": "Hong Kong SAR, China",
"TW_01": "Taiwan, China",
"CN": "Mainland China"
}
Example
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 2341,
"DefenseScene": "region_block",
"Rules": "[{\"cnRegionList\":\"CN,HK_01,TW_01,MO_01\",\"abroadRegionList\":\"AU,NZ\",\"action\":\"block\",\"status\":1}]"
}
Protection rules (CC)
Parameters
| Parameter | Type | Required | Example | Description |
| mode | Integer | Yes | 0 | The CC protection mode. Valid values: - 0 (default): normal protection. - 1: emergency protection. |
| status | Integer | Yes | 1 | The protection rule status. Set this parameter only when you create a protection rule. To modify the protection rule status, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: disabled. - 1 (default): enabled. |
| action | String | No | js | The protection rule action. Valid values: - js (default): JS challenge. - monitor: monitor. |
Example
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 2241,
"DefenseScene": "cc",
"Rules":"[{\"mode\":0,\"status\":1,\"action\":\"js\"}]"
}
Website tamper-proofing rule (tamperproof)
Parameters
| Parameter | Type | Required | Example | Description |
| name | String | Yes | test | The name of the defense rule. The name must be 1 to 255 characters long and can contain Chinese characters, letters, digits, underscores (_), periods (.), and hyphens (-). |
| url | String | Yes | /abc | The URL of the cached page. |
| ua | String | No | app | The user-agent for accessing this path. |
| protocol | String | Yes | https | The protocol of the cached page URL. Valid values: http and https. |
| status | Integer | Yes | 1 | The status of the defense rule. This parameter is for rule creation only. To modify the status, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: disabled. - 1 (default): enabled. |
Example
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 1241,
"DefenseScene": "tamperproof",
"Rules": "[{\"name\":\"test1\",\"url\":\"www.test1.com\",\"ua\":\"firefox\",\"protocol\":\"https\",\"status\":1}]"
}
DLP rules
Parameters
| Parameter | Type | Required | Example value | Description |
| name | String | Required | test | The name of the protection rule. It must be 1 to 255 characters long and can contain Chinese characters, letters, digits, underscores (_), periods (.), and hyphens (-). |
| conditions | Array | Required | [{"key":"HttpCode","opValue":"contain","values":"400,401,402,403,404,405,500,501,502,503,504,505"},{"key":"URL","opValue":"contain","values":"test"}] | The match conditions, specified as a JSON string. You can specify up to two match conditions, which are combined with a logical AND. For details, see Detailed conditions configuration. |
| status | Integer | Required | 1 | The status of the protection rule. This parameter applies only when creating a protection rule. To modify the status of a protection rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values: - 0: Disabled - 1 (default): Enabled |
| action | String | Required | block | The action to perform when a request matches the rule. Valid values: - block: Blocks the request. This action is available only if the match conditions include a response code. - monitor: Monitors the request. - filter: Filters for sensitive information. This action is available only if a sensitive information match condition is configured. |
Condition parameters
| Parameter | Type | Required | Example | Description |
| key | String | required | URL | The match field. Valid values: URL, HttpCode, and SensitiveInfo. |
| opValue | String | required | contain | The logical operator. The value is always contain. |
| values | String | required | abc | The content to match. Separate multiple values with a comma (,). For HttpCode, the valid values are: 400, 401, 402, 403, 404, 405 (for the 405–499 range), 500, 501, 502, 503, 504, and 505 (for the 505–599 range). For SensitiveInfo, the valid values are: - phone: Phone number. - card: Credit card. - id: ID card. - word: Default sensitive word. |
Example
Spike throttle (spike_throttle)
Parameters
| Parameter | Type | Required | Example | Description |
| name | String | Yes | iptest | The name of the rate limiting rule. The name must be 1 to 255 characters long and can contain Chinese characters, letters, digits, underscores (_), periods (.), and hyphens (-). |
| status | Integer | Yes | 1 | The status of the defense rule. This parameter is for rule creation only. To modify the status of a defense rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values:- 0: Disabled. - 1 (default): Enabled. |
| action | String | Yes | block | The rule action. Valid values: - block: Blocks matching requests. - monitor: Monitors matching requests. |
| actionExternal | JSON | No | {"responseRuleId":123444} | The extended configuration for the rule action. This is used to specify a custom block page when action is set to block. |
| conditions | Array | Yes | [{"key":"IP","opValue":"eq","values":"11.XX.XX.1"},{"key":"Header","subKey":"abc","opValue":"contains","values":"test"}] | The match conditions for the ACL, specified as a JSON array. You can define up to five match conditions. For detailed configuration, see the conditions description in Defense Rule Parameter Configuration. |
| cnRegionList | String | No | 610000,230000 | The regions in the Chinese mainland to block. To block all regions in the Chinese mainland (excluding Hong Kong, Macao, and Taiwan), specify "CN". Separate multiple region codes with commas (,). For a list of region codes, see Region Codes for the Chinese mainland. |
| abroadRegionList | String | No | KE,KG | The regions outside the Chinese mainland to block. Separate multiple region codes with commas (,). You can call the DescribeIpAbroadCountryInfos operation to query the supported countries and regions. |
| type | String | Yes | qps | The rate limiting mode. Valid values: - qps: Limits traffic based on queries per second (QPS). - ratio (default): Limits traffic by percentage. |
| threshold | Integer | Yes | 500 | The rate limiting threshold. Its meaning depends on the type parameter: - If the type is qps: Specifies the QPS threshold. The valid range is 1 to 5,000,000. Requests exceeding this threshold are blocked. - If the type is ratio: Specifies the percentage of requests to allow. The valid range is 1 to 99. For example, a value of 80 allows 80% of requests. |
Region IDs in Chinese mainland
{
"110000": "Beijing Municipality",
"120000": "Tianjin Municipality",
"130000": "Hebei Province",
"140000": "Shanxi Province",
"150000": "Inner Mongolia Autonomous Region",
"210000": "Liaoning Province",
"220000": "Jilin Province",
"230000": "Heilongjiang Province",
"310000": "Shanghai Municipality",
"320000": "Jiangsu Province",
"330000": "Zhejiang Province",
"340000": "Anhui Province",
"350000": "Fujian Province",
"360000": "Jiangxi Province",
"370000": "Shandong Province",
"410000": "Henan Province",
"420000": "Hubei Province",
"430000": "Hunan Province",
"440000": "Guangdong Province",
"450000": "Guangxi Zhuang Autonomous Region",
"460000": "Hainan Province",
"500000": "Chongqing Municipality",
"510000": "Sichuan Province",
"520000": "Guizhou Province",
"530000": "Yunnan Province",
"540000": "Tibet Autonomous Region",
"610000": "Shaanxi Province",
"620000": "Gansu Province",
"630000": "Qinghai Province",
"640000": "Ningxia Hui Autonomous Region",
"650000": "Xinjiang Uygur Autonomous Region",
"MO_01": "Macao, China",
"HK_01": "Hong Kong, China",
"TW_01": "Taiwan, China",
"CN": "Chinese mainland",
}
Example
{
"InstanceId": "waf_v2_public_****",
"TemplateId": 2341,
"DefenseScene": "spike_throttle",
"Rules":"[{\"name\":\"test\",\"action\":\"monitor\",\"conditions\":[{\"key\":\"URL\",\"opValue\":\"contain-one\",\"values\":\"abctest,abctest2\"}],\"status\":1,\"type\":\"qps\",\"threshold\":1000,\"cnRegionList\":\"110000,140000\",\"abroadRegionList\":\"AD,AL\"}]"}
}
Bot management rules (bot_manager)
Parameters
| Parameter | Type | Required | Example value | Description |
| name | String | Required | iptest | The name of the advanced custom BOT ACL rule. The name must be 1 to 255 characters long and can contain Chinese characters, letters, digits, underscores (_), periods (.), and hyphens (-). |
| status | Integer | Required | 1 | The rule status. This parameter applies only when you create a rule. To modify the status of an existing rule, use the RuleStatus parameter of the ModifyDefenseRuleStatus operation. Valid values:- 0: Disabled. - 1 (default): Enabled. |
| action | String | Required | block | The rule action. Valid values: - block: Block. - monitor: Monitor. - js: JS challenge. - captcha: CAPTCHA. - captcha_strict: Strict CAPTCHA. - upstream_tag: Upstream tagging. Note Refer to the WAF console for the list of supported actions. |
| actionExternal | JSON | Optional | {"responseRuleId":123444} or {"upstreamHeader":{"header":"test","systemKey":["type","id"]}} | A JSON string that contains the extended configuration for the rule action. The JSON string contains the following fields: - upstreamHeader: The configuration for upstream tagging. This field applies only when action is set to upstream_tag. For more information, see Upstream Tagging upstreamHeader Configuration.- responseRuleId: The ID of the custom response rule.If action is block, responseRuleId is the ID of a custom block page rule.If action is captcha or captcha_strict, responseRuleId is the ID of a custom CAPTCHA page rule. |
| conditions | Array | Required | [{"key":"IP","opValue":"eq","values":"11.XX.XX.1"},{"key":"Header","subKey":"abc","opValue":"contains","values":"test"}] | The match conditions for the ACL rule, specified as a JSON array. You can specify up to 10 match conditions. For more information about the configuration, see the description of conditions in Protection Rule Parameter Configuration. |
| ccStatus | Integer | Required | 1 | Specifies whether the rate limit is enabled. Valid values: - 0: Disabled. - 1: Enabled. |
| ratelimit | JSON | Optional | {"target":"remote_addr","interval":5,"threshold":2,"ttl":1800,"status":{"code":404,"count":2}} | A JSON string that contains the detailed configuration for the rate limit. This parameter applies only when ccStatus is set to 1. For more information about the configuration, see the description of ratelimit in Protection Rule Parameter Configuration. |
| effect | String | Optional | rule | The scope of the rate limit. This parameter applies only when ccStatus is set to 1. Valid values:- service: The rate limit applies to the protected object. - rule: The rate limit applies to a single rule. |
| botBehavior | String | Optional | malicious | The rule category. Valid values: - suspicious (default): Suspicious bot. - malicious: Malicious bot. |
| grayStatus | Integer | Optional | 1 | Specifies whether a canary release is enabled. Valid values: - 0 (default): Disabled. - 1: Enabled. |
| grayConfig | JSON | Optional | {"grayTarget":"header","grayRate":80,"graySubKey":"test"} | A JSON string that contains the configuration for the canary release. This parameter applies only when grayStatus is set to 1. For more information about the configuration, see the description of grayConfig in Protection Rule Parameter Configuration. |
| timeConfig | JSON | Optional | {"timeScope":"period","timeZone":8,"timePeriods":[{"start":1758771729787,"end":1758816000000}]} | A JSON string that contains the schedule configuration for the rule. For more information about the configuration, see the description of timeConfig in Protection Rule Parameter Configuration. |
Back-to-source tagging with upstreamHeader
| Parameter | Type | Required | Example value | Description |
| header | String | Yes | abc | The header name for back-to-origin tagging. |
| systemKey | Array | Yes | ["id","type"] | The system fields for back-to-origin tagging. The order of these fields determines the content of the header. Valid values: - id: The rule ID. - type: The rule type. - websdk.umid: The UMID from the web client. - ssl_client_ja3_fingerprinting_md5: The JA3 fingerprint. - ssl_client_ja4_fingerprinting_md5: The JA4 fingerprint. - http2_client_fingerprint_md5: The HTTP/2 fingerprint. - appsdk.eeid_umid: The device UMID. - appsdk.eeid_running_frame_magisk: Indicates whether the Magisk framework is used. - appsdk.eeid_running_frame_frida: Indicates whether Frida injection is present. - appsdk.eeid_running_frame_fishhook: Indicates whether FishHook injection is present. - appsdk.eeid_running_frame_edxposed: Indicates whether the EdXposed framework is used. - appsdk.is_xposed: Indicates whether the Xposed framework is used. - appsdk.eeid_running_frame_va: Indicates whether the VirtualApp framework is used. - appsdk.eeid_running_frame_cydia: Indicates whether Cydia is installed. - appsdk.eeid_is_batch: Indicates whether the device is a device farm device. - appsdk.eeid_is_root: Indicates whether the device is rooted. - appsdk.eeid_is_fake: Indicates whether the device is a fake device. - appsdk.eeid_is_virtual: Indicates whether app cloning or a virtual environment is used. - appsdk.pkguncrypted: Indicates whether app decryption has occurred. - appsdk.eeid_is_hook: Indicates whether hooking behavior is present. - appsdk.eeid_is_debugged: Indicates whether the app is being debugged. - appsdk.eeid_is_simulator: Indicates whether the device is an emulator. - appsdk.eeid_is_proxy: Indicates whether a proxy is used. - appsdk.eeid_is_highrisk: Indicates whether the device is high-risk. - appsdk.adbstate: Indicates whether ADB is enabled. - appsdk.eeid_abnormal_time: Indicates whether the device time is abnormal. - appsdk.eeid_short_uptime: Indicates whether the device uptime is short. - appsdk.screenon: Indicates whether the screen is on. - appsdk.collectend: Indicates whether data collection has ended. - appsdk.pkgreleasemode: Indicates whether the app is in debug mode. - appsdk.elapsedtime: The elapsed time since boot. - appsdk.isfront: Indicates whether the app is running in the foreground. - appsdk.passwordunlock: Indicates whether the device is screen-locked. - appsdk.fingerprintauth: Indicates whether fingerprint authentication is enabled. - appsdk.brand: The device brand. - appsdk.model: The device model. - appsdk.batterychange: The change in battery level since the last collection. - appsdk.batterystatus: The battery charging status. - appsdk.batterylevel: The battery level. - appsdk.brightness: The screen brightness. - appsdk.packagesign: The package signature hash. - appsdk.screenres: The screen resolution. - appsdk.packagename: The application package name. - appsdk.platform: The platform. - appsdk.hookframe: The hooking framework. -appsdk.version: The APPSDK version. - appsdk.appname: The application name. - appsdk.appversion: The application version. - appsdk.hardware: The hardware name. - appsdk.timestamp: The data collection timestamp. - appsdk.devicename: The device name. - appsdk.product: The product code name. - appsdk.eeid_running_frame_script: Indicates whether automation accessibility tools are installed. Note: The fields available for back-to-origin tagging depend on the specific bot feature. For a list of supported fields, see the bot custom rule settings in the WAF console. |
| customValue | String | No | test | A custom string to include in the header. |
Resource-level rules (resource)
When DefenseType is set to resource, the rule configuration is as follows.
Account extraction (account_identifier)
Each protected object can have only one account extraction rule.
Parameters
| Parameter | Type | Required | Example value | Description |
| accountIdentifiers | array | Yes | [ { "key": "Header","subKey": "header-test", "decodeType": "jwt", "position": "username", "priority": 1 }, { "key": "Post-Arg", "subKey": "body_test", "decodeType": "plain", "priority": 2 } ] | An array of JSON objects that specifies the account identifier configurations. You can provide up to 5 objects. For field descriptions, see the accountIdentifiers data structure. |
accountIdentifiers configuration
| Parameter | Type | Required | Example value | Description |
| key | String | Yes | Query-Arg | The location of the field to extract. Valid values: Query-Arg, Cookie-Exact, Post-Arg, and Header. |
| subKey | String | Yes | query-test | The name of the field to extract from the source specified by the key parameter. |
| decodeType | String | No | jwt | The authentication method. Valid values: - plain: plaintext. - basic: Basic authentication. - jwt: JWT authentication. For JWT authentication, use the position parameter to specify the decoded account field. |
| priority | Integer | Yes | 1 | The matching priority of the extraction policy. A traffic request can match at most one policy. Valid values are integers from 0 to 20, where a lower value indicates a higher priority. Priority values must be unique. |
| position | String | No | account | The field in the decoded JWT payload that contains the account identifier. Required for JWT authentication. |
Example
{
"DefenseScene": "account_identifier",
"Resource": "example.**.com-waf",
"DefenseType": "resource",
"InstanceId": "waf_cn****",
"Rules": "[{\"accountIdentifiers\":[{\"key\":\"Header\",\"subKey\":\"header-test\",\"decodeType\":\"jwt\",\"position\":\"username\",\"priority\":1},{\"key\":\"Post-Arg\",\"subKey\":\"body_test\",\"decodeType\":\"plain\",\"priority\":2}]}]"
}
Custom response rules (custom_response)
You can configure only one custom response rule per protected object. The priority for response pages is as follows: rule level > protected object level > default page.
Parameters
| Parameter | Type | Required | Example value | Description |
| blockRuleId | Long | Optional | 1123 | The rule ID for the custom block page that is returned when a protected object triggers a block. |
| captchaRuleId | Long | Optional | 1123 | The rule ID for the custom slider page that is returned when a protected object triggers a slider challenge. |
Example
{
"DefenseScene": "custom_response",
"Resource": "example.**.com-waf",
"DefenseType": "resource",
"InstanceId": "waf_cn****",
"Rules": "[{\"blockRuleId\":900000,\"captchaRuleId\":900001}]"
}
Protected object decoding (waf_codec)
You can configure only one decoding rule per protected object.
Parameters
| Parameter | Type | Required | Example value | Description |
| codecList | Array | Yes | ["comment","space-zip","json","xml","form","multipart","graphql","js-unicode","url","hex","html","php","java","utf7","oct"] | Specifies the transformations to enable. Valid values: - url: URL decoding (Always enabled). - js-unicode: Unicode decoding (Always enabled). - oct: OCT decoding (Always enabled). - hex: hex decoding (Always enabled). - comment: comment decoding (Always enabled). - space-zip: space decoding (Always enabled). - multipart: Multipart parsing. - json: JSON parsing. - xml: XML parsing. - php: PHP deserialization. - html: HTML entity decoding. - utf7: UTF-7 decoding. - base64: Base64 decoding. - form: Form parsing. - gzip: Gzip decompression. - java: Java deserialization. - graphql: GraphQL parsing. |
Example
{
"DefenseScene": "waf_codec",
"Resource": "example.**.com-waf",
"DefenseType": "resource",
"InstanceId": "waf_cn****",
"Rules": "[{\"codecList\":[\"comment\",\"space-zip\",\"json\",\"xml\",\"form\",\"multipart\",\"graphql\",\"js-unicode\",\"url\",\"hex\",\"html\",\"php\",\"java\",\"utf7\",\"gzip\",\"oct\",\"base64\"]}]"
}
Global dimension (global)
When DefenseType is set to global, the rule configuration is as follows.
Custom regular expression rule (regular_custom)
Parameters
| Parameter | Type | Required | Example value | Description |
| name | String | Required | ruleTest | The name of the custom regular expression rule. The name must be 1 to 255 characters in length and can contain Chinese characters, letters, digits, underscores (_), periods (.), and hyphens (-). |
| detectType | String | Required | sqli | The detection type. Valid values: - sqli: SQL injection. - xss: cross-site scripting. - cmdi: OS command injection. - expression_injection: expression injection (including EL, SpEL, and OGNL expressions). - java_deserialization: Java deserialization. - dot_net_deserialization: .NET deserialization. - php_deserialization: PHP deserialization. - code_exec: remote code execution (JNDI/XPATH). - ssrf: server-side request forgery (SSRF). - path_traversal: path traversal. - arbitrary_file_uploading: arbitrary file upload. - webshell: webshell. - rfilei: remote file inclusion (RFI). - lfilei: local file inclusion (LFI). - protocol_violation: protocol violation. - scanner_behavior: scanner behavior. - logic_flaw: logic flaw. - arbitrary_file_reading: arbitrary file read. - arbitrary_file_download: arbitrary file download. - xxe: XML external entity injection (XXE). - csrf: cross-site request forgery (CSRF). - crlf: CRLF injection. - other: other. |
| riskLevel | String | Required | strict | The risk level. Valid values: - super_strict: super strict. - strict: strict. - medium: medium. - loose: loose. |
| description | String | Optional | Rule description. | The description of the rule. |
| condition | Array | Required | [{"key":"IP","opValue":"eq","values":"11.XX.XX.1"},{"key":"Header","subKey":"abc","opValue":"contains","values":"test"}] | The match conditions for the rule, specified as a JSON string. You can specify up to five match conditions. For details, see condition details. |
Condition configuration
| Parameter | Type | Required | Value | Description |
| key | String | required | Query-Arg | The custom match field. Valid values: File-Name, Url, Raw-Url, Request-Url, Http-Method, Directory, Query, Raw-Header, Body, Extension, Union-Args, All-Data, All-Keys, Multipart-Keys, Multipart-Values, Header-Keys, Header-Values, Post-Arg-Keys, Post-Arg-Values, Query-Arg-Keys, Query-Arg-Values, Cookie-Keys, Cookie-Values, Header, Query-Arg, Post-Arg, and Multipart. |
| subKey | String | optional | query-test | The sub-match field. Important A sub-match field is supported only when the match field is Header, Query-Arg, Post-Arg, or Multipart. |
| opValue | String | required | contain | The logical operator. Valid values: regex, prefix-match, suffix-match, eq, and contain. |
| values | String | required | abc | The content to match. Separate multiple values with a comma (,). |
Example
{
"name": "ruleTest",
"detectType": "sqli",
"riskLevel": "strict",
"condition": [{"key": "FileName","opValue": "eq","values": "test"}]
}
Address book (address_book)
Parameters
| Parameter | Type | Required | Example value | Description |
| name | String | Required | bookTest | The name of the address book. It must be 1 to 255 characters long and can contain letters, digits, underscores (_), periods (.), and hyphens (-). |
| valueType | String | Required | IP | The type of the address book. Valid values: - IP: The address book contains IP addresses. |
| description | String | Optional | addressbookTest | The description of the address book. |
Example
{
"name": "bookTest",
"valueType": "ip",
"description": "addressbookTest"
}
Custom response (custom_response)
Parameters
| Parameter | Type | Required | Example value | Description |
| name | String | Required | test | The name of the custom response rule. It must be 1–255 characters long and can contain letters, digits, Chinese characters, underscores (_), periods (.), and hyphens (-). |
| action | String | Required | block | The protection rule action. Valid values: - block: Blocks the request. - captcha: Triggers a captcha challenge. |
| responseCode | Integer | Optional | 400 | The response code to return. - Required for a custom block page. - Not supported for a custom captcha page, which returns a 200 response code. |
| responseHeaders | Array | Optional | [{"key":"custom","value":"123"},{"key":"aaaa","value":"2223"}] | A list of custom response headers, specified as a JSON string. In each object, key is the header field and value is the header value. |
| designType | String | Optional | custom | The response configuration type. This parameter is required only when action is set to captcha. Valid values: - custom: A custom configuration. - preDefine: A predefined configuration. |
| responseContent | String | Optional | helloworld | The custom response content. This parameter is required for custom captcha or custom block pages. |
| preDefineContent | Array | Optional | [{"language":"cn","title":"test","description":"desc","captchaColor":"#FFFF","showTraceId":false},{"language":"en","title":"titel","description":"desc","captchaColor":"#FFFF","showTraceId":false}] | The predefined configuration content. This parameter is required when designType is set to preDefine. For details, see the Detailed predefined configuration section. |
Predefined Configuration Details
| Parameter | Type | Required | Example value | Description |
| language | String | Yes | en | The language configuration. Valid values: - en: English. - cn: Chinese. |
| icon | String | Yes | https://img.alicdn.com/imgextra/i1/O1CN01L12MaQ1ZwfYKk7Yrc_!!6000000003259-2-tps-900-594.png | The URL of a publicly accessible icon. |
| title | String | Yes | test_title | The custom title for the slider page. |
| description | String | Yes | For a better experience, slide to complete the verification before accessing the web page. | The custom description for the slider page. |
| captchaColor | String | Yes | #ff6a00 | The color of the slider. |
| showTraceId | boolean | Yes | true | Specifies whether to display the Trace ID on the slider page. Valid values: - true: Displays the Trace ID. - false: Hides the Trace ID. |
Custom block page configuration
{
"name": "test",
"action": "block",
"responseContent": "helloworld",
"responseCode": 401,
"responseHeaders": [{"key":"t1","value":"v1"}],
}
Predefined slider page configuration
{
"name": "test",
"designType": "preDefine",
"action": "captcha",
"responseHeaders": [
{
"key": "Content-Type",
"value": "text/html"
}
],
"preDefineContent": [
{
"language": "en",
"icon": "https://img.alicdn.com/imgextra/i1/O1CN01L12MaQ1ZwfYKk7Yrc_!!6000000003259-2-tps-900-594.png",
"title": "Access Verification",
"description": "Slide to complete verification.",
"captchaColor": "#ff6a00",
"showTraceId": true
}
]
}
Response elements
|
Element |
Type |
Description |
Example |
|
object |
The response is an object with the following structure. |
||
| RequestId |
string |
The request ID. |
26E46541-7AAB-5565-801D-F14DBDC5**** |
| RuleIds |
string |
The comma-separated IDs of the created protection rules. |
22215,23354,462165 |
Examples
Success response
JSON format
{
"RequestId": "26E46541-7AAB-5565-801D-F14DBDC5****",
"RuleIds": "22215,23354,462165"
}
Error codes
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | Defense.Control.DefenseWhitelistBypassRuleNotExist | The whitelist protection rule does not exist. | The whitelist protection rule does not exist. Rule ID:%s. |
| 400 | Defense.Control.DefenseWhitelistConfigInvalid | The whitelist rule is misconfigured. | Error configuring whitelist rule: %s. |
| 400 | Defense.Control.DefenseBookTypeInvalid | The address book type is illegal. | The address book type is illegal. |
| 400 | Defense.Control.DefenseThreatIntelligenceConfigInvalid | Threat Intelligence Rule configuration error. | Threat Intelligence Rule configuration error. %s |
| 400 | Defense.Control.DefenseIpCountOversize | The number of IPs exceeds the limit. | The number of IPs exceeds the limit. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.