Web Application Firewall (WAF)

Alibaba Cloud WAF Benefits

Professional, Stable, and End-to-end Solution to the Major Security Pain Points of Web Applications

Professional: provides Alibaba Cloud-developed rules, AI-based deep learning, and proactive protection rules, and allows you to create custom rules.
Stable: enables multi-line and multi-node disaster recovery and intelligent routing, protects services that have millions of QPS, and enables millisecond-level responses.
Timely: automatically detects and defends against the latest web vulnerabilities, including zero-day vulnerabilities first exposed by Alibaba Cloud, within hours.
Comprehensive: delivers end-to-end protection against vulnerabilities, web attacks, and bot traffic, ensures data and account security, and meets the requirements of security O&M.
Compliant: complies with the requirements of classified protection and PCI DSS, and boosts security compliance construction for enterprises.
Exclusive threat intelligence: provides exclusive network-wide threat intelligence, which is accumulated and updated from the real service scenarios of Alibaba Cloud.

The Only Chinese Vendor That Receives Full Recognition for Web Application Firewalls

Recognized by international authorities:WAF is recognized by Gartner, Forrester, IDC, and Frost & Sullivan.
Recognized by the market: A report of Frost & Sullivan shows that Alibaba Cloud WAF ranks first in the cloud WAF market in Greater China.
Extensive experience: WAF protects core services of Alibaba Cloud and accumulates a large amount of attack and defense experience from Tmall and Taobao Double 11 events over the years.

Multi-scenario Deployment and Flexible Access

Multi-scenario deployment: You can deploy WAF in the cloud or deploy protection clusters in your data centers to meet the requirements of different scenarios, such as public clouds, hybrid clouds, and data centers. Both Alibaba Cloud and third-party clouds are supported. WAF delivers the same protection capabilities for services in the cloud and in data centers.
Flexible access: You can connect Alibaba Cloud SLB, CDN, and ECS to WAF with a few clicks, and quickly configure the DNS records for your services that are deployed in data centers.

Delivers the same protection capabilities for services in the cloud and in data centers
Allows online scaling and provides flexible and stable services

Alibaba Cloud WAF Scenarios

Security Capabilities Required for Migrating Web Applications to the Cloud

Automatically fixes zero-day vulnerabilities on your web applications. You do not need to manually patch and fix the vulnerabilities. WAF prevents your web applications such as websites, HTML5 pages, apps, and mini programs from being attacked and against virus intrusion in an efficient manner. WAF mitigates attacks such as trojans, web tampering, malicious bots, data leaks, and HTTP flood attacks.

Scenarios

Prevents common web attacks, such as SQL injections, XSS attacks, webshell uploads, directory traversals, and backdoors.

Prevents attackers from using zombie servers to launch HTTP flood attacks.

Automatically fixes zero-day vulnerabilities at the earliest opportunity by using virtual patching. This avoids code rewrite, which is difficult and time-consuming.

Proactively discovers APIs of the earlier versions, and APIs that lack the authentication mechanism and throttling policies. This helps reduce data leak risks.

Automatically blocks unauthorized scanning and detection activities.

Related Services

Anti-DDoS

Prevention of Fraud and Promotion Abuse

Business operations may generate volumetric traffic, which affects system availability. In addition, promotion abuses always occur. These all affect and even have negative impacts on the business operations. Alibaba Cloud provides you with a complete solution to handle risks on business operations. The solution is based on years of experience on business operations.

Scenarios

Ensures system stability during business operations and prevents issues such as website freezing and system failures caused by bot traffic.

Prevents promotion abuse and fraud to ensure that real customers benefit from promotions.

Mitigates data crawling and avoids excessive bandwidth fees caused by data crawling.

Related Services

Anti-DDoS

Fraud Detection

Security Center

Hybrid Cloud WAF Solution

Deploys protection clusters in data centers to protect web services that are deployed across public clouds and data centers. Both Alibaba Cloud and third-party clouds are supported. You can use the Alibaba Cloud WAF console to control and perform O&M on the services.

Scenarios

Services that are latency-sensitive, require high availability, and demand zone-disaster recovery, geo-disaster recovery, and centralized protection across multiple network environments.

Web services that cannot be deployed on Alibaba Cloud or protected by WAF.

Web services that are deployed in the private network of the cloud or data centers.

Related Services

Anti-DDoS

Product Updates

2024-12-6 New Features

Traffic Spike Throttling Is Available for Purchase Explore More
2024-11-30 New Zones\Regions

Support for the Singapore Region in Adding CLB, NLB, and ECS Instances to WAF Explore More
2024-11-29 New Features

Support for Configuring Secondary Address in CNAME Record Mode Explore More
2024-10-18 New Features

Supports WAF Protection for NLB Instances Explore More
2024-9-4 New Features

Supports Self-service Downgrade in WAF 2.0 Explore More
2024-9-3 New Features

Optimized the Simple Log Service for WAF Feature in WAF 3.0 Explore More
2024-7-15 New Features

WAF 3.0 Supports Protection Suspension Explore More
2024-6-25 New Features

CAPTCHA Supports Integration with WeChat Mini Programs Explore More
2024-6-13 New Zones\Regions

Cloud Native Mode of WAF 3.0 Is Supported in More Regions Explore More
2024-5-31 New Features

WAF 3.0 Supports IPv4 Full Non-standard Port Forwarding Explore More
2024-4-7 New Features

WAF 3.0 Supports Multi-account Management Explore More
2024-2-2 Pricing Updates

WAF 3.0 Supports Tiered Pricing for Additional QPS Quota Explore More
2024-1-19 New Features

Custom protection rules of pay-as-you-go WAF 3.0 support slider CAPTCHA verification Explore More
2024-1-19 New Features

Scan protection module supports IP address unblocking Explore More
2024-1-15 New Features

Upgraded hybrid cloud log delivery configuration Explore More
2024-1-9 New Features

WAF supports querying causes of blocked requests based on request IDs Explore More
2023-12-15 New Features

WAF Supports Log Storage in a Simple Log Service Project That Resides in a Specific Region Explore More
2023-12-8 New Zones\Regions

Cloud Native Mode of WAF 3.0 Is Supported in More Regions Explore More
2023-10-12 New Features

WAF 3.0 Supports API Security Outside the Chinese Mainland Explore More
2023-8-28 New Features

WAF 3.0 allows users to configure the secure attribute for the tracking cookie and slider CAPTCHA cookie Explore More
2023-7-31 New Features

WAF 3.0 supports canary release custom rules and allows users to specify the validity period of custom rules Explore More
2023-7-31 New Features

WAF 3.0 bot management supports bot traffic analysis, canary release rules, and back-to-origin traffic marking Explore More
2023-7-14 New Features

WAF 3.0 checks DNS resolution status Explore More
2023-5-22 New Features

The semantic analysis engine is supported in the basic protection rule module of WAF 3.0 Explore More
2023-4-14 New Features

The traffic billing protection feature is supported for pay-as-you-go WAF 3.0 instances Explore More
2023-2-7 New Features

The intelligent whitelist feature is supported in WAF 3.0 Explore More
2023-2-3 New Features

Support for specifying the validity period of bot management rules in WAF 3.0 Explore More
2023-1-20 New Features

Support for the basic protection feature of the bot management module in WAF 3.0 Explore More
2023-1-19 New Features

The security report and app protection capabilities of the bot management module are optimized. Explore More
2022-11-17 New Features

Specification downgrade in WAF 3.0 Explore More
2022-10-27 New Features

The burstable QPS (pay-as-you-go) and sandbox features of WAF 3.0 are released Explore More
2022-9-23 New Features

Supports Custom Headers to Record the Actual Ports of Clients Explore More
2022-8-24 New Features

Supports Custom Timeout Period for Back-to-origin Requests Explore More
2022-5-30 New Features

Protection Plans for Major Events Released Explore More
2022-4-18 New Features

Dynamic Token-based Authentication Released for Bot Management in WAF V6.5.2.0 Explore More
2022-1-19 New Features

Supports Intelligent Rule Hosting in WAF V6.4.7.0 Explore More
2021-11-5 New Features

Supports Detection of Abnormal Device Characteristics Based on Anti-crawler Rules for Apps in WAF V6.4.7.0 Explore More
2021-10-22 New Features

Supports Configurations of Alert Rules for Excessive Bandwidth Usage and Excessive QPS in the CloudMonitor Console Explore More
2021-9-18 New Features

WAF V6.4.5.0 supports custom header fields that record the actual IP addresses of clients Explore More
2021-8-12 New Features

Upgraded Log Service for WAF in WAF V6.4.4.0 Explore More
2021-6-2 New Features

Supports the Server-Port Match Condition in Custom Protection Policies in WAF V 6.4.2.0 Explore More
2021-5-11 New Features

Hybrid Cloud WAF of the Exclusive Edition Supports GUI-based Protection Cluster Management in WAF V6.4.0.0 Explore More
2021-5-8 New Features

WAF V6.3.4.0 Supports the Capabilities to Retrieve the Actual IP Addresses of Clients from Custom Header Fields Explore More
2021-4-1 New Features

Supports the Forwarding of Requests to Origin Servers over IPv6 Explore More
2021-3-23 New Features

Supports Threat Event Analysis in WAF V6.3.2.0 Explore More
2021-3-18 New Features

Supports Management of False Positives in WAF V6.3.1.0 Explore More
2021-1-27 New Features

Supports Reporting and Scenario-based Configuration in Bot Management in WAF V6.3.0.0 Explore More
2021-1-15 New Features

Supports Custom Settings of TLS Protocol Versions and Cipher Suites Explore More
2020-11-24 New Features

Supports More than One CNAME for Protection Rules in WAF V5.4.2.0 Explore More
2020-11-19 New Features

IPv6 Support Available for Protection Rules in WAF V5.4.1.0 Explore More
2020-10-19 New Features

Security Report Optimized in WAF V5.2.2.0 Explore More
2020-9-2 Experience Enhancements

Client Type Display Optimized in WAF V5.3.0.0 Explore More
2020-8-13 New Features

Asset Discovery Optimized in WAF V5.3.0.1 Explore More
2020-6-8 New Features

WAF V5.3.0.0 Supports API Security Explore More
2020-6-4 Experience Enhancements

WAF V5.2.2.0 Optimizes the Custom Protection Rule Group. Explore More
2020-5-20 Experience Enhancements

WAF V5.2.1.0 Supports Threshold Tuning for Big Data Deep Learning Engine Explore More
2020-5-18 New Features

WAF V5.2.0.0 Supports Terraform Explore More
2020-4-10 Experience Enhancements

Optimization and Upgrade to Improve User Experience in V5.0.0.1 Explore More
2020-4-2 New Features

Supports Bot Management Explore More
2020-3-10 Experience Enhancements

WAF-V4.6.3.1 Protection Capability Upgrade User Guide Released Explore More
2020-3-4 New Features

WAF-V4.6.3.0 Load Balancing among Multiple WAF Nodes Released Explore More
2020-2-14 Experience Enhancements

WAF-V4.6.2.0 Log Service and User Experience Upgraded Explore More
2020-2-10 New Features

Event Alert Upgraded Explore More
2020-1-15 New Features

Protection Capability and User Experience Upgraded Explore More
2019-12-20 Experience Enhancements

WAF-V4.5.1.1 Exclusive Edition Features Optimized Explore More
2019-11-28 New Features

WAF-V4.5.1.0 Supports Account Security Risk Detection Explore More
2019-10-25 New Features

WAF-V4.5.0.0 Exclusive Edition Released Explore More
2019-10-22 New Features

WAF-V4.4.1.1 Supports URL Profiling for Protected Websites Explore More
2019-10-16 New Features

WAF-V4.4.1.0 Supports Statistics on Website Scanning Protection on the Overview Page Explore More
2019-7-31 New Features

Version 4.3.0.0 Released with Supports for Asset Management Explore More
2019-7-31 New Features

Supports Asset Management Explore More
2019-7-30 New Features

WAF-V4.3.0.0 Supports Management of Cloud Website Assets Explore More
2019-7-18 New Features

Version 4.2.1.0 Released with New Attack Detail Page Explore More
2019-3-19 New Features

Threat Intelligence Released Explore More
2019-3-15 New Features

Transparent Mode Supported Explore More
2019-1-26 Experience Enhancements

SOC Upgraded Explore More
2019-1-3 New Features

Country and Area Blocking Supported Explore More
2018-12-20 New Features

New API Released Explore More
2018-12-13 New Features

Custom Rule Groups Available Explore More
2018-12-12 Experience Enhancements

QPS Chart Optimized Explore More
2018-12-11 Experience Enhancements

Interception Statistics Presentation Optimized Explore More
2018-11-28 Experience Enhancements

Web Application Firewall - Quick Replication of Domain Names to Another Account Explore More
2018-11-28 Experience Enhancements

Web Application Firewall - Accounts that Configure Wildcard Domains Can Authorize Other Accounts to Configure Specific Domains Explore More
2018-11-27 New Features

Web Application Firewall - Security Log Display Error Solved Explore More
2018-11-16 New Features

Web Application Firewall - Supports One Year Storage of Business Logs Explore More
2018-10-1 New Features

Web Application Firewall support for security event alerts Explore More
2018-8-16 Experience Enhancements

Web Application Firewall – The QR code of DingTalk service group is released. Explore More
2018-6-12 New Zones\Regions

Alibaba Cloud Web Application Firewall launches Dubai node Explore More
2018-4-28 Experience Enhancements

Web Application Firewall prompts expired users with a highlighted renewal message at the top of the console page Explore More
2018-4-27 New Features

Precision access control feature enhanced in Web Application Firewall Explore More
2018-4-27 New Features

Web Application Firewall can fix the timeout issues with massive domain names Explore More
2018-4-20 Experience Enhancements

The Web Application Firewall domain name search is optimized Explore More
2018-4-12 Experience Enhancements

The web security log report feature is optimized for Web Application Firewall. Explore More
2018-2-9 New Zones\Regions

Web Application Firewall becomes available in Jakarta Data Center in Indonesia Explore More
2018-2-7 New Features

Web Application Firewall (WAF) enhances the accuracy of IP search in all logs Explore More
2018-1-30 New Features

Web Application Firewall supports download of all logs. Explore More
2018-1-19 New Zones\Regions

Web Application Firewall available in data centers in India Explore More
2017-12-28 New Features

WAF supports more non-standard ports Explore More
2017-12-28 New Features

Non-standard ports added for Web Application Firewall Explore More
2017-12-22 Experience Enhancements

Optimization for the first connected domain names to the Web Application Firewall Explore More

More updates >

Alibaba Cloud WAF Customers

"Most of the China Digital Strategy is built and operated on Alibaba Cloud. Against this backdrop, Shiseido uses extensive services provided by Alibaba Cloud to meet the requirements of the new market. Furthermore, with the increasing focus on security recently, we have been working closely with Alibaba Cloud to comply with security standards."

Keisuke Fujii, ICT Vice President, SHISEIDO China

Shiseido uses Alibaba Cloud’s reliable and high-performance elastic computing services and Web Application Firewall (WAF) to adapt to the requirements of the new market and comply with security standards.

Learn More Watch Video

"We need Alibaba Cloud to continue to give us the support and assistance in fixing our issues."

Strikingly is an online platform for building websites and a graduate from the Y Combinator seed accelerator. Strikingly allows users - with little or no development experience - to create mobile optimized websites within minutes. The company takes a mobile-first approach, allowing users to create websites that are enhanced for viewing across all devices including desktops, tablets, and smartphones.

Learn More

“One of the things we have found working with Alibaba Cloud is that they are extremely transparent and this has built a lot of trust."

DataVisor is the leading fraud detection solution utilizing unsupervised machine learning to identify fraudulent transactions, spam and abuse, identity theft, application fraud, insider abuse, money laundering and more.

Learn More

"Dubai Parks and Resorts is the Middle East’s largest integrated leisure and theme park destination located in Dubai. They use Alibaba Cloud so that they can handle seasonal traffic."

Dubai Parks and Resorts is the Middle East’s largest integrated leisure and theme park destination located in Dubai. Spread over 25 million square feet, it features more than 100 rides and attractions, and consists of three theme parks: MOTIONGATE™ Dubai, Bollywood Parks™ Dubai and LEGOLAND Dubai, and one water park: LEGOLAND Water Park.

Learn More