When you configure a protection template, you must apply it to a protected object. WAF automatically creates a protected object for each onboarded asset, so manual configuration is typically unnecessary. However, if you have many assets, complex protection rules, or need advanced configurations such as specific decoding, cookies, or custom response headers, you may need to manually configure protected objects or protected object groups. This topic describes how to configure and manage them for fine-grained, efficient security.
Key concepts
-
protected object: When you add a domain name or cloud service instance to WAF, WAF automatically creates a protected object for it. When using a protection template, you must select a protected object as the target.
-
protected object group: You can add multiple protected objects to a protected object group for centralized management. Each protected object can belong to only one protected object group.
Prerequisites
Before you begin, ensure that the following requirements are met:
-
Onboarding requirement: You must have added your web service to WAF, which creates a protected object. If you have not onboarded your service, see Onboarding overview.
-
ICP filing: To add a protected object for a domain name hosted on a server in the Chinese mainland, the domain name must have an ICP filing. For more information, see How do I query the ICP filing information about a domain name?
Add a protected object
When you add a resource to WAF, WAF automatically creates a protected object for it. You typically do not need to add one manually. However, you must manually add a domain name as a protected object in the following scenarios:
-
Cloud service scenario: Multiple domain names resolve to the same cloud service instance, and you need to configure different protection rules for each domain name.
-
Hybrid cloud SDK integration scenario: Multiple domain names resolve to the same cluster instance, and you need to configure different protection rules for each domain name.
-
Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
-
In the navigation pane on the left, choose .
-
On the Protected Objects tab, click Add Protected Object.
-
In the Add Protected Object dialog box, configure the parameters based on the Protected Object Type and click OK.
Cloud Service
Parameter
Description
Domain Name
Enter the domain name that you want to protect. You can enter an exact-match domain name, such as
www.aliyundoc.com, or a wildcard domain name, such as*.aliyundoc.com.-
Wildcard domain name matching rules:
-
A wildcard matches only subdomains at the same level. For example,
*.aliyundoc.commatcheswww.aliyundoc.comandexample.aliyundoc.com, but notwww.example.aliyundoc.com. -
When a wildcard is applied to a second-level domain name such as
*.aliyundoc.com, it also matches the second-level domain name itself,aliyundoc.com. -
When a wildcard is applied to a third-level domain name such as
*.example.aliyundoc.com, it does not match the third-level domain name itself,example.aliyundoc.com.
-
-
Priority rule: If a request matches both an exact and a wildcard domain name, the rules for the exact domain name take precedence.
Cloud Service
Select the cloud service instance type associated with the domain name. Valid values:
-
ALB: Application Load Balancer.
-
CLB4: Classic Load Balancer with a TCP listener.
-
CLB7: Classic Load Balancer with an HTTP/HTTPS listener.
-
ECS: Elastic Compute Service.
-
NLB: Network Load Balancer.
instance
Select the ALB instance ID. This parameter is required only if you set Cloud Service to ALB.
Add to Protected Object Group
You can add the protected object to a protected object group for centralized management of protection rules.
After a protected object is added to a group, you can configure protection rules only for the group. You can no longer configure protection rules for the individual protected object.Resource Group
You can add the protected object to a resource group to simplify resource management and permission configuration. If you have no specific requirements, select Default Resource Group. For more information, see What is a resource group?.
Hybrid Cloud SDK Integration
Parameter
Description
Protected Object Name
Enter a name that is easy to identify.
Domain Name/IP Address
Enter the domain name that you want to protect. You can enter an exact-match domain name, such as
www.aliyundoc.com, or a wildcard domain name, such as*.aliyundoc.com.Note-
Wildcard domain name matching rule: A wildcard domain name can match only subdomains at the same level. For example,
*.aliyundoc.comcan matchwww.aliyundoc.comandexample.aliyundoc.com, but notaliyundoc.comorwww.example.aliyundoc.com. -
Priority rule: If a request matches both an exact-match domain name and a wildcard domain name, the protection rules for the exact-match domain name take precedence.
URL
Enter the URL path that you want to protect.
Add to Protected Object Group
You can add the protected object to a protected object group for centralized management of protection rules.
After a protected object is added to a group, you can configure protection rules only for the group. You can no longer configure protection rules for the individual protected object.Resource Group
You can add the protected object to a resource group to simplify resource management and permission configuration. If you have no specific requirements, select Default Resource Group. For more information, see What is a resource group?.
-
Advanced settings
WAF provides the following advanced settings. To customize the settings of a protected object based on your business requirements and security policies, find the protected object and click Settings in the Actions column.
|
Parameter |
Description |
|
If a Layer 7 proxy such as a CDN is deployed in front of WAF, you must configure the Obtain Actual IP Address of Client. This ensures WAF can obtain the real client IP addresses for security analysis and features such as displaying the Attacker IP Address in Security Reports. |
|
|
When you use protection modules such as HTTP Flood Protection and Scan Protection, or set a rule action to CAPTCHA, WAF adds a tracking and verification cookie to responses. You can configure the cookie's issuance status and Secure attribute to meet security and compatibility requirements. |
|
|
For domain names added in CNAME record mode, you can add custom headers to client responses for security hardening, policy control, or debugging. |
|
|
WAF can parse data in formats such as JSON, XML, and Form, and decode data encoded with Base64 and HTML entities. This enables WAF to detect malicious traffic concealed by multiple layers of encoding or compression. |
|
|
WAF extracts user identity information such as usernames, tokens, and JWT bodies from requests. Modules such as Scan Protection, Bot Management, and Custom Rule then use this information for fine-grained, account-level security control. |
|
|
After a client passes a JavaScript Validation, CAPTCHA, or Token-based Authentication, WAF allows subsequent requests for 1,800 seconds (30 minutes) by default without requiring another challenge. You can set this expiration time from 5 to 1,800 seconds. After this period, the client must pass the challenge again on the next request. |
-
Configure Client IP Address
On the WAF Link Settings tab, configure the Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF parameter. For more information, see Obtain real client IP addresses.
NoteFor domain names added in CNAME record mode and for ECS, CLB, and NLB instances that are added as cloud services, you do not need to repeat this configuration if you have already completed it during asset onboarding.
-
Cookie Settings
On the WAF Link Settings tab, configure Tracking Cookie and Slider CAPTCHA Cookie.
-
Tracking Cookie When you use features such as HTTP flood protection and scan protection, WAF issues a cookie named
acw_tcby default to identify and track client access behavior. You can use the Status switch to enable or disable the Tracking Cookie. To issue this cookie only for HTTPS requests, enable the Secure Attribute.Important-
Configuration suggestion: We recommend that you enable the Status switch for the tracking cookie. Otherwise, protection modules such as HTTP flood protection and scan protection may not function properly.
-
Protected object group limitation: For protected objects in a protected object group, the Tracking Cookie is enabled by default. You cannot disable the Tracking Cookie or enable the Secure Attribute for these protected objects.
-
Effective rule: If a request matches multiple protected objects, and the Tracking Cookie or Secure Attribute is enabled for at least one of the protected objects, the feature is enabled for all matched protected objects.
-
-
Slider CAPTCHA Cookie After a user passes a slider challenge, WAF issues a cookie named
acw_sc__v3by default to record the verification. To issue this cookie only for HTTPS requests, enable the Secure Attribute.Important-
Enabling the Secure Attribute for the slider cookie may affect the normal operation of the slider feature on HTTP sites.
-
For protected objects that are in a protected object group, the Secure Attribute is disabled by default and cannot be enabled.
-
-
-
Custom Response Header (CNAME record mode only)
On the WAF Link Settings tab, configure Custom Response Header. You can add up to five headers. If the Header Name of a custom response header is the same as the name of a response header from the origin server, the value of the original header is replaced with the Header Value that you configure here.
-
Decode Settings
Configure the settings on the Decode Settings tab. For more information, see Appendix: Decoding settings.
-
User Identification
Configure the settings on the User Identification tab. You can configure up to five rules for each protected object, ordered by priority.
-
You can extract user identity information from the following locations:
-
Query String
-
Body
-
Cookie
-
Header
-
-
Account format:
-
Plaintext Authentication: For example, email***@qq.com.
-
JWT Authentication: Typically found in a header, a JWT can carry user information. The common format is
Authorization: Bearer {Token}. If the token is a JWT, you must specify the account field in the decoded payload. -
Basic Authentication: Typically found in a header. The common format is
Authorization: Basic {Token}.
-
-
-
Action Validity Settings
On the Action Validity Settings tab, configure the following parameters:
-
JS Challenge TTL: The validity period of the verification result when the Rule Action is JavaScript Validation.
-
Dynamic Token Validity: The validity period of the verification result in Token-based Authentication mode when you use Bot Management to protect web services.
-
CAPTCHA Expiration Time: The validity period of the verification result when the Rule Action is CAPTCHA.
-
Manage protected object groups
To apply the same protection rules to multiple protected objects, use protected object groups for centralized management.
-
In the left-side navigation pane of the WAF console, choose .
-
On the Protected Object Groups tab, click Create.
-
In the Create Protected Object Group dialog box, enter a Protected object group name, select Associate with Protected Object, add Remarks, and then click OK.
Note-
The Available Objects list in the Associate with Protected Object section includes only protected objects that meet the following conditions: they are not part of any protected object group, and they have only the default protection template or no protection template applied.
-
A protected object that is already in a protected object group cannot be added to another group. You must remove it from the original group before you can add it to another one.
-
-
When you create a protection template, you can set Apply To to Protected Object Groups to apply the template to all objects in the group.
Daily operations
Manage protected objects
-
View the protection rules for a protected object: In the Actions column for the target protected object, click View Protection Rule. The Core Web Protection page displays the protection templates (configured protection rules) that are associated with the protected object.
-
Add a protected object to a protected object group: In the Actions column for the target protected object, click
> Add to Protected Object Group. You can also select multiple protected objects and click Add to Protected Object Group below the list. -
View the logs of a protected object: If you have enabled Log Service, you can click
> View Logs in the Actions column for the target protected object. -
Delete a protected object: In the Actions column for the target object, click Delete. You can delete only protected objects that are manually added. To delete automatically generated protected objects, you must Remove the asset.
Manage protected object groups
-
Modify the protected objects in a group: On the Protected Object Groups tab, click Edit in the Actions column for the target group to add or remove protected objects. If a protected object is removed from a group, the default protection template is automatically applied to it.
-
Modify the protection rules for a group: On the Protected Object Groups tab, click Configure Rule in the Actions column for the target group to view and modify the protection template that is associated with the group.
-
Delete a protected object group: On the Protected Object Groups tab, find the group that you want to delete and click Delete in the Actions column.
Quotas and limits
-
Limits on the number of protected objects: The number of protected objects, protected object groups, and protected objects that can be added to a single group varies by WAF edition. For more information, see WAF editions. You can go to the Protected objects page to view the number of available protected objects. If you have used up the quota, you can delete protected objects or upgrade your WAF edition.
-
Reservation rule for protected objects: For subscription WAF instances, WAF reserves quotas for the free domain names included in your WAF edition and for any purchased additional domain names. For example, if you have a subscription WAF Pro instance that includes 5 free domain names and supports 600 protected objects, and you purchase 2 Additional Domains, WAF reserves 7 (5 + 2) protected objects. This leaves you with a quota of 593 (600 - 7) additional protected objects.
-
Configuration limits for protected objects: Microservices Engine (MSE) instances and custom domain names of Function Compute (FC) that are added as cloud services do not support Cookie Settings. FC, MSE, SAE, and APIG instances that are added as cloud services do not support Decode Settings.
Decoding settings
-
When you add an ALB instance as a cloud service, Base64 Decoding is disabled by default. You can enable it based on your business requirements.
-
For hybrid cloud SDK integration, you must upgrade the agent to version 4.1.0 or later for the decoding settings to take effect.
Key-value parsing
-
JSON Data Parsing
-
Description: The JSON parsing module parses and restructures JavaScript Object Notation (JSON) data according to RFC 7159. The module handles JSON syntax including key-value objects, arrays, strings, and numbers. The process includes syntax validation, data type conversion, nested structure processing, and Unicode escape sequence decoding. Standardizing the JSON format improves the ability of WAF rules to detect malicious content in JSON payloads.
-
Example: For the input
{"Hello":"World"}, JSON parsing extracts thekeyasHelloand thevalueasWorld.
-
-
XML Data Parsing
-
Description: The XML parsing module parses and restructures Extensible Markup Language (XML) data according to the XML specification (W3C Recommendation). The module supports comprehensive parsing of XML document structures, including elements, attributes, text content, CDATA sections, and processing instructions. The process includes syntax validation, entity reference resolution, namespace processing, and document structure standardization. Standardizing the XML format improves the ability of WAF rules to detect malicious content in XML payloads.
-
Example: For the input
<Hello attr="desc"><![CDATA[World]]></Hello>, XML parsing extracts thekeyasHello, thevalueasWorld, thekey2asHello.attr, and thevalue2asdesc.
-
-
Form Data Parsing
-
Description: The form parsing module parses and restructures application/x-www-form-urlencoded data according to RFC 1866. The module supports comprehensive parsing of HTML form data, including key-value pairs, array parameters, file upload fields, and nested structures. The process includes URL decoding, character set processing, parameter separator recognition, and data type conversion. Standardizing the form data format improves the ability of WAF rules to detect malicious content in form payloads.
-
Example: For the input
Hello=World, form parsing extracts thekeyasHelloand thevalueasWorld.
-
-
Multipart Data Parsing
-
Description: The multipart parsing module parses and restructures multipart/form-data data according to RFC 2046. The module supports comprehensive parsing of HTTP file uploads and complex form data, including file fields, text fields, boundary delimiters, and nested structures. The process includes boundary detection, field parsing, file content extraction, and encoding conversion. Standardizing the multipart format improves the ability of WAF rules to detect malicious content in file uploads and complex form payloads.
-
Example: For the following input, multipart parsing extracts the
keyasHelloand thevalueasWorld.------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="Hello" World ------WebKitFormBoundary7MA4YWxkTrZu0gW--
-
-
GraphQL Parsing
-
Description: The GraphQL parsing module parses and restructures GraphQL query language data according to the GraphQL specification. The module supports comprehensive parsing of GraphQL queries, variable definitions, arguments, and directives, including field selections, query parameters, variable substitutions, aliases, and nested queries. The process supports URL parameter parsing, JSON payloads, raw GraphQL queries, and the multipart file upload format. Standardizing the GraphQL format improves the ability of WAF rules to detect malicious content in GraphQL payloads.
-
Example: For the input query
HelloWorld{ desc(Hello:"World"){ Hello } }, GraphQL parsing extracts thekeyasHelloand thevalueasWorld.
-
Decoding
-
Base64 Decoding
-
Description: The Base64 decoding engine reverses Base64 encoding as defined in RFC 4648. This module handles the standard Base64 character set (A-Z, a-z, 0-9, +, /) and the padding character (=). The decoding process includes character validation, padding handling, byte alignment, and data integrity checks to ensure the accuracy and reliability of binary data.
-
Example: The input
SGVsbG8gV29scmQhis decoded intoHello World!.
-
-
HTML Entity Decoding
-
Description: The HTML entity decoding engine parses character entity references based on the HTML 5.2 specification (W3C Recommendation). This module supports standardized processing of numeric character references (&#x;) and named character entities (&).
-
Example: The input
Hello World!is decoded intoHello World!.
-
-
PHP Deserialization
-
Description: The PHP deserialization engine reverses the PHP serialize() function. Based on the PHP serialization protocol, this module parses the serialized format syntax, including type identifiers (such as i, s, a, and O), length metadata, and recursive data structures. The process includes type validation, memory safety checks, and object graph reconstruction, supporting full parsing of scalar types, compound types, and object serialization.
-
Example: For the input
payload=O:5:"Hello":1:{s:4:"desc";s:6:"World!";}, PHP deserialization extracts thekeyaspayload.Hello.descand the correspondingvalueasWorld!.
-
-
Java Deserialization
-
Description: Java deserialization reverses ObjectInputStream based on the Java serialization protocol. This module parses the binary format of the Java serialization stream, including class descriptors, field metadata, and object state information. The decoding process follows the JVM serialization specification and supports recursive parsing of complex object graphs.
-
Example: For the input
rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABdAAFSGVsbG90AAZXb3JsZCF4, Java deserialization extracts the Java classjava.util.HashMap.
-
-
UTF-7 Decoding
-
Description: The UTF-7 decoding engine converts variable-length character encodings according to RFC 2152. This module processes UTF-7 encoding markers (+/-) and Base64-encoded Unicode character sequences. The algorithm supports Unicode transmission in 7-bit ASCII environments and includes an encoding state machine, character set switching, and legacy protocol compatibility. This makes it suitable for email systems and MIME message transmission scenarios.
-
Example: The input
+/v8 +AEgAZQBsAGwAbwAgAFcAbwByAGwAZAAh-is decoded intoHello World!.
-
-
Unicode Decoding
-
Description: Unicode decoding is a character encoding conversion process based on the Unicode standard (ISO/IEC 10646). This module parses UTF-16 escape sequences, supporting the \uXXXX four-byte hexadecimal notation and the \u{XXXXXX} extended format. The decoding process follows the Unicode 15.0 specification to ensure standardized character encoding.
-
Example: For the input
\u0048\u0065\u006c\u006c\u006f\u0020\u0057\u006f\u0072\u006c\u0064\u0021, the output after Unicode decoding isHello World!.
-
-
URL Decoding
-
Description: URL decoding reverses percent-encoding based on RFC 3986. This mechanism processes the encoding of reserved characters, non-ASCII characters, and special characters in the generic URI syntax. The decoding algorithm follows the application/x-www-form-urlencoded MIME type specification and supports standard parsing of HTTP request parameters.
-
Example: The input
Hello%20World%21is decoded intoHello World!.
-
-
Hex Decoding
-
Description: Hexadecimal decoding converts a hexadecimal string to binary data based on RFC 4648. This module uses big-endian byte order and supports the standard hexadecimal character set (0-9, A-F, a-f). The decoding process includes input validation, character normalization, and byte alignment.
-
Example: The input
\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21is decoded intoHello World!.
-
-
Octal Decoding
-
Description: The octal decoding engine processes character encodings represented by a backslash followed by octal digits, such as
\123. Based on the ASCII table, this module converts octal numbers to their corresponding characters, supports the standard octal range of 0-377 (0-255 in decimal), and can parse octal escape sequences in mixed text in batches. -
Example: The input
\110\145\154\154\157\040\127\157\162\154\144\041is decoded intoHello World!.
-
Decompression
-
Gzip Decompression
-
Description: The Gzip decompression engine operates based on RFC 1952 and uses the DEFLATE algorithm. This module processes the Gzip file format header (magic number 0x1f8b, compression method, and flags), CRC32 checksum, and decompresses compressed data blocks. The algorithm supports stream processing and batch decompression, and includes state machine management, multi-member file processing, and error recovery mechanisms. It is suitable for web transmission, file archiving, and data compression scenarios.
-
Example: For the input binary data
1f 8b 08 00 11 39 00 69 00 ff 01 0c 00 f3 ff 48 65 6c 6c 6f 20 57 6f 72 6c 64 21 a3 1c 29 1c 0c 00 00 00(presented in hexadecimal format for readability), Gzip decompression produces the outputHello World!.
-
Preprocessing
-
Comment Stripping
-
Description: The comment stripping module recognizes and removes comment syntax based on the SQL standard and MySQL extended syntax. This module supports two comment formats defined by the ANSI SQL standard: single-line comments (-- followed by any characters to the end of the line) and multi-line comments (any character sequence enclosed by /* */). It is also compatible with MySQL-specific conditional comment syntax (/*! ... */). The process includes comment marker recognition, nested comment handling, version condition parsing, and syntax boundary validation. By removing comment content, this module improves the detection accuracy of the WAF rule engine for malicious SQL statements and reduces the risk of attackers bypassing rules by using comments.
-
Example: For the input
/*!40101 SET */@OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT ;, comment stripping produces the output SET@OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT ;.
-
-
Whitespace Compression
-
Description: The whitespace compression module normalizes consecutive whitespace characters. This module detects sequences of consecutive whitespace characters in the input string and compresses them into a single space. The process includes unified processing of leading, trailing, and intermediate consecutive whitespaces to ensure text format standardization and consistency.
-
Example: For the input
Hello World!, whitespace compression produces the outputHello World!.
-