This page tracks feature releases and documentation updates for Web Application Firewall (WAF) 3.0. Entries are listed in reverse chronological order by release date. Each entry links to the relevant reference documentation when available.
For more WAF updates, see Product Updates.
2025
Date | Feature | Description | Documentation |
2025-12-26 | Identifies and blocks malicious IP addresses using multi-dimensional threat data from Alibaba Cloud's global network. Creates a proactive defense layer before attacks reach your services. | Set threat intelligence rules to defend against malicious IP addresses | |
2025-12-16 | Create reusable IP address collections and attach them to multiple protection rules. When an IP address changes, update it once in the address book — all referencing rules sync automatically. | ||
2025-10-14 | SeCU calculator | Estimate the budget for the pay-as-you-go edition of WAF before you commit. | — |
2025-10-10 | Two new capabilities for Large Language Model (LLM) application protection: Redact and Recall actions for streaming responses prevent LLMs from generating unintended content. Content Moderation integration lets you enable or disable individual check items and configure real-time actions against non-compliant content. | ||
2025-08-15 | Improvements across three areas: Default protection detects bots based on traffic fingerprints, Web SDK probes, IDCs outside China, and access behaviors. Advanced custom rules support JA3/JA4 fingerprints, keyboard, mouse, and touch inputs and clicks, and advanced HTTP flood protection. Console lets you view and configure rules by bot category — malicious, suspicious, and friendly. | ||
2025-05-09 | Detects and blocks prompt injection and prompt jailbreak attacks against LLM services. Supports custom block pages. Available for protected objects using CNAME records, Classic Load Balancer (CLB), Network Load Balancer (NLB), and ECS instances. | ||
2025-04-09 | Redesigned Overview and Security Reports pages with new features and top N charts. | ||
2025-02-25 | Integrate the SDK into your HarmonyOS application to configure scenario-specific app anti-crawler rules in the WAF console. |
2023
Date | Feature | Description | Documentation |
2023-10-12 | API security is now available in regions outside the Chinese mainland. | ||
2023-09-21 | Audit and trace outbound data for compliance and source tracing. | ||
2023-08-28 | Configure cookie attributes for protected objects. | ||
2023-08-20 | Enable IPv6 in WAF 3.0 to protect IPv6 service traffic. | ||
2023-08-10 | Customize SSL certificates and TLS policies for IPv4 virtual IP addresses (VIPs). | How do I set a default SSL or TLS policy to make a VIP compliant? | |
2023-08-01 | Bot management and grayscale release updates | Three additions to bot management: bot traffic analysis, back-to-origin tagging actions for detected bot behaviors, and grayscale rule release with configurable effectiveness ratios per dimension. Grayscale release is also now supported for custom rules. | |
2023-07-14 | WAF 3.0 checks the DNS status of domain names and flags those with abnormal DNS resolution, helping identify at-risk domains before they cause service disruptions. | Use a CNAME record to enable WAF protection for a website · Change the DNS record of a domain name (WAF 3.0) | |
2023-06-21 | Verify ownership of a primary domain name once. Subsequent domain names under the same primary domain skip re-verification. | ||
2023-06-10 | When selecting the HTTPS protocol, turn on Enable SM-based HTTPS. Optionally, turn on Allow Access Only from SM Certificate-based Clients to restrict access to SM certificate-based clients. | ||
2023-05-30 | Create custom policies for different types of sensitive data in API security. | ||
2023-05-22 | New semantic protection capability in core web protection rules. Defends against SQL injection attacks, with an option to detect non-injection attacks. | ||
2023-05-18 | Two new downgrade options: decrease the quota for exclusive IP addresses, and downgrade your instance to disable Bot Management-Web Protection, Bot Management-App Protection, or API Security. | ||
2023-04-28 | Manually add a domain name from a CLB or ECS instance as a protected object. | ||
2023-04-14 | For pay-as-you-go instances: if peak QPS exceeds the specified threshold within an hour, the instance enters a sandbox and the traffic and feature fees for that hour are waived. Prevents unexpectedly high bills from QPS bursts. | ||
2023-03-31 | A self-service upgrade tool is released. | WAF provides a self-service tool in the console to upgrade WAF 2.0 instances to WAF 3.0. | |
2023-03-03 | Pay-as-you-go instances now support API security. Custom policies are also now available. | ||
2023-02-24 | Edition updates — major event support and hybrid cloud nodes | Major event support: Enabled by default in the Ultimate edition. Available in the Pro and Enterprise editions with a temporary daily upgrade (minimum 30-day subscription). Not supported in the Basic edition. Hybrid cloud access: Included by default in the Enterprise and Ultimate editions (one node each). Adding one extra node grants 100 additional domain names; two or more extra nodes grant 200 additional domain names. Not available for the Basic and Pro editions by default — upgrade to Enterprise or Ultimate to enable. | |
2023-02-08 | Intelligent whitelist, false positive suppression, and loose/strict rule groups | Three additions to reduce false positives: an AI-based intelligent whitelist that learns from historical traffic and automatically excludes inapplicable rules at the URL level; loose and strict rule groups added to built-in rule groups; and false positive suppression to whitelist triggering IP addresses for core web protection rules with a single click. | Core web protection rules and rule groups · Whitelists · Security reports |
2023-02-08 | Integrate WAF with Function Compute via an SDK module. WAF inspects traffic to custom domain names bound to Function Compute web applications and forwards only clean traffic to backend functions. | ||
2023-01-31 | WAF 3.0 subscription instances support self-service unsubscription. | You can unsubscribe from WAF 3.0 subscription instances in the console. | |
2023-01-19 | WAF integrates with Alibaba Cloud Resource Management. Use Resource Group and Tag to organize resources and isolate permissions across your account. | CNAME access · Hybrid cloud reverse proxy access · Enable WAF protection for a CLB instance · Enable WAF protection for an ECS instance | |
2023-01-17 | Protection updates: One-click basic protection against low- and medium-risk bot traffic. Scenario-specific app protection now supports slider and strict slider verification, intelligent protection, and threat intelligence. Scheduled effective times for web and app protection scenarios. Reporting: Redesigned security reports with an attack details list for improved source tracing. |
2022
Date | Feature | Description | Documentation |
2022-11-29 | Configure retry attempts and persistent back-to-origin connections when adding a domain name in CNAME record mode. | ||
2022-11-28 | Four new fields added to WAF logs: | ||
2022-11-25 | WAF sends SMS and email alerts when log storage usage exceeds 80%, giving you time to expand capacity before new log data is dropped. | ||
2022-11-23 | Add traffic redirection ports to direct traffic from Layer 4 or Layer 7 CLB instances and ECS instances to WAF for security inspection. | Enable WAF protection for a CLB instance · Enable WAF protection for a Layer 4 CLB (TCP) instance · Enable WAF protection for an ECS instance | |
2022-11-17 | Downgrade extra QPS, burstable QPS, extra domain names, and log storage capacity on demand. | ||
2022-11-14 | The WAF 3.0 API security feature is released. | This feature automatically discovers API assets of services protected by WAF. It detects API risks, such as unauthorized access, excessive exposure of sensitive data, and internal API operation leaks. It also reports on anomalous API activities and provides detailed risk handling suggestions and reference data for API lifecycle management to help you implement comprehensive API security protection. | |
2022-10-30 | WAF 3.0 OpenAPI is now available. Automate and batch common console configuration tasks through API operations. | ||
2022-10-27 | Enable burstable QPS to handle short-term traffic spikes such as sales promotions. When actual QPS exceeds your plan's included QPS plus any extra QPS, the excess is billed on a pay-as-you-go basis — keeping your instance out of the sandbox during unexpected surges. | ||
2022-10-19 | Configure alerts to receive notifications when WAF detects attack events or unusual traffic patterns. | ||
2022-09-23 | Enable Traffic Mark in the access configuration and select Originating port of the client. WAF records the specified header containing the actual client source port and passes it to the origin server. | ||
2022-08-24 | Customize connection, read, and write timeout periods in the WAF access configuration to match your application's requirements. | ||
2022-08-12 | If your web services run on Alibaba Cloud Microservices Engine (MSE), integrate MSE with WAF to route traffic through WAF 3.0 for security protection. | Enable WAF protection for an MSE cloud-native gateway instance | |
2022-07-22 | Filter sensitive information from server responses — including ID card numbers, phone numbers, bank card numbers, and sensitive words. Mask the data or return a default error page. | ||
2022-07-22 | Lock sensitive website pages. When a request arrives for a locked page, WAF returns a cached version instead of the origin content, preventing malicious tampering. | ||
2022-07-20 | WAF 3.0 supports a subscription billing method that lets you pay for resources before you use them. Reserve resources in advance and enjoy lower prices to help save on costs. | ||
2022-07-14 | Manage on-premises and cloud domain name assets from a single view. Asset Center assesses risk levels based on the attack landscape of each asset, giving you a clear picture of your overall protection status. | ||
2022-06-23 | Configure scenario-specific rules for web and app anti-crawling to protect against crawler risks. | Configure scenario-specific web anti-crawler rules · Configure scenario-specific app anti-crawler rules | |
2022-05-30 | Purpose-built for high-intensity attack scenarios. Includes a major event protection rule group, massive IP address blocking, collaborative defense, and cookie security capabilities. | ||
2022-04-21 | Block HTTP flood attacks targeting page requests. Blocked requests receive a 405 error response. | ||
2022-04-21 | Block access from specific regions or allow access only from specific regions with a single click. Effective for addressing high volumes of malicious requests from particular areas. | ||
2022-01-22 | WAF 3.0 supports CNAME access (compatible with WAF 2.0) and cloud-native integration with Application Load Balancer (ALB) and other cloud services. Features a redesigned console for protection configuration with improved operations efficiency and an expanded capability set. |