This topic describes the product features and documentation updates for Web Application Firewall (WAF).
2025
Date | Feature update | Release Notes | References |
2025-12-26 | The threat intelligence module is released. | The threat intelligence module uses multi-dimensional threat data from Alibaba Cloud's global network. It automatically identifies and handles malicious IP addresses to build a proactive defense system. This improves your business security before attacks occur. | Set threat intelligence rules to proactively defend against malicious IP addresses |
2025-12-16 | WAF supports the IP address book feature. | The IP address book feature lets you create reusable collections of IP addresses and associate them with multiple protection rules. When an IP address changes, you only need to update it in the address book. All rules that reference the address book are automatically synchronized. | |
2025-10-14 | The Secu calculator is released for the pay-as-you-go edition of WAF. | It helps users estimate the budget for the pay-as-you-go edition of WAF. | |
2025-10-10 | New capabilities are released for AI application protection. | | |
2025-08-15 | New capabilities are released for bot management. | | |
2025-05-09 | Prompt attack detection is enabled in WAF and supports custom block pages. | LLM services are protected by WAF. This feature detects and blocks prompt injection and prompt jailbreak attacks in WAF. Currently, AI application protection is available only for protected objects that use CNAME records, Server Load Balancer (CLB), Network Load Balancer (NLB), and ECS instances. | |
2025-04-09 | The new Overview and Security Reports pages are released in the console. | The interaction pages for Overview and Security Reports are redesigned. New features and top N charts are added. | |
2025-02-25 | WAF 3.0 releases the Harmony application integration SDK. | You can integrate the SDK into your application to configure scenario-specific app anti-crawler rules in the bot management section of the WAF console. | |
2024
Date | Feature update | Release Notes | References |
2024-11-07 | New version of core web protection rules for WAF 3.0. | You can more easily protect your web services by managing DPI engine configurations and rule libraries. | |
2024-11-06 | Peak traffic throttling feature for WAF 3.0. | You can configure custom rules, QPS throttling, and percentage-based throttling to protect your web services. | |
2024-03-27 | Multi-account management for enterprise customers. | You can purchase one WAF instance to protect cloud resources under other Alibaba Cloud accounts in a centralized manner. | |
2024-01-16 | Block query. | On the Block Query page, you can query block details by request ID. | |
2024-01-15 | Upgrade for hybrid cloud log shipping configurations. | Hybrid cloud logs can be shipped to Kafka. You can set different Kafka and syslog log shipping configurations for different clusters. | |
2023
Date | Feature update | Release Notes | References |
2023-10-12 | WAF 3.0 supports API security in regions outside the Chinese mainland. | The API security feature is available in regions outside the Chinese mainland. | |
2023-09-21 | API security in WAF 3.0 now supports compliance and source tracing audits. | The API security feature in WAF 3.0 now supports auditing and tracing of outbound data for compliance and source tracing purposes. | |
2023-08-28 | WAF 3.0 supports cookie attribute settings. | You can now configure cookie attributes for protected objects in WAF 3.0. | |
2023-08-20 | WAF 3.0 supports IPv6 access. | You can now enable IPv6 in WAF 3.0 to protect IPv6 service traffic. | |
2023-08-10 | TLS customization and default certificate configuration are now available for VIPs. | You can now customize SSL certificates and TLS policies for IPv4 VIPs in WAF. | How do I set a default SSL or TLS policy to make a VIP compliant? |
2023-08-01 | New features are available: back-to-origin tagging, grayscale rule release, and bot traffic analysis. | | |
2023-07-14 | The DNS status check feature for domain names is now available. | WAF 3.0 can check the DNS status of your domain names to quickly identify at-risk domains with abnormal DNS resolution. This helps prevent disruptions to your website services. | |
2023-06-21 | The domain name ownership verification feature is now available. | When you add a domain name for the first time, you must verify ownership of the primary domain name. After a successful verification, you do not need to repeat the process when adding other domain names under the same primary domain name. | |
2023-06-10 | WAF 3.0 supports SM-based HTTPS encryption. | When you select the HTTPS protocol, you can turn on the "Enable SM-based HTTPS" and "Allow Access Only from SM Certificate-based Clients" options. | |
2023-05-30 | The API security feature is updated. | You can now create custom policies for different types of sensitive data. | |
2023-05-22 | Semantic protection is added to core web protection rules. | The new semantic protection feature defends against SQL injection attacks and includes an option to detect non-injection attacks. | |
2023-05-18 | The downgrade feature is updated. | | |
2023-04-28 | Cloud service integration for CLB and ECS now supports adding domain-level protected objects. | You can manually add a domain name from a CLB or ECS instance as a protected object. | |
2023-04-14 | The traffic billing protection feature is now available. | After you enable traffic billing protection, if the peak queries per second (QPS) of a pay-as-you-go instance exceeds the specified threshold within an hour, the instance enters a sandbox. The traffic and feature fees for that hour are waived. This feature helps prevent high bills caused by QPS bursts. | |
2023-03-03 | The API security feature is updated. | | |
2023-02-24 | Major event support and hybrid cloud protection node specifications are updated for the Basic, Pro, Enterprise, and Ultimate subscription plans. | | |
2023-02-08 | New features are available: intelligent whitelist, false positive suppression, and loose and strict rule groups. | | |
2023-02-08 | WAF 3.0 supports one-click integration with Function Compute. | WAF integrates with the cloud-native architecture of Function Compute using a Software Development Kit (SDK) module. This lets you enable security protection for custom domain names that are bound to web applications in Function Compute. WAF identifies malicious characteristics in the service traffic of applications or functions and forwards only normal and secure traffic to backend functions. This prevents malicious intrusions. | |
2023-01-19 | WAF 3.0 supports resource groups and tag management. | WAF integrates with Alibaba Cloud Resource Management. You can use Resource Group and Tag to group resources under your account and isolate permissions. | |
2023-01-17 | The bot management feature is updated. | | |
2022
Date | Feature update | Release Notes | References |
2022-12-22 | WAF 3.0 now supports the API security feature in the Chinese mainland. | This feature automatically discovers API assets of services protected by WAF. It detects API risks, such as unauthorized access, excessive exposure of sensitive data, and internal API leaks. It also provides reports on API anomalies, detailed suggestions for handling risks, and reference data for API lifecycle management. This helps you implement comprehensive API security protection. | |
2022-11-29 | Retry and persistent connection configuration for CNAME access is now available. | You can now configure retry attempts and persistent back-to-origin connections when you add a domain name using a CNAME record. | |
2022-11-28 | Simple Log Service for WAF 3.0 now supports logging of custom request headers, request bodies, response headers, and response bodies. | The request_body, request_header, response_header, and response_info fields are added to enable logging of custom request headers, request bodies, response headers, and response bodies. | |
2022-11-25 | The log storage capacity alerting feature is now available for WAF 3.0. | When your log storage usage exceeds 80%, you will receive text messages and emails reminding you to upgrade your storage capacity. This helps prevent new log data from failing to be written to the dedicated logstore and ensures log data integrity. | |
2022-11-24 | WAF 3.0 supports the subscription billing method. | This billing method lets you pay for resources before you use them. | |
2022-11-23 | You can now add Layer 4 or Layer 7 CLB instances and ECS instances to WAF 3.0. | You can add traffic redirection ports to direct traffic from Layer 4 or Layer 7 CLB instances and ECS instances to WAF for security protection. | |
2022-11-17 | WAF 3.0 supports the self-service downgrade feature. | You can downgrade extra QPS, pay-as-you-go QPS for bursting, extra domain names, and log storage capacity as needed. | |
2022-10-30 | The WAF 3.0 OpenAPI is now available. | API operations are available for common configuration tasks in the console, which lets you perform batch operations. | |
2022-10-27 | The pay-as-you-go for bursting and sandbox features are now available for WAF 3.0. | If your service traffic increases for a short period or unexpectedly due to events such as sales promotions, and the actual QPS usage exceeds the sum of the QPS included in your plan and any extra QPS, you can enable pay-as-you-go for bursting. This feature bills you for the excess QPS on a pay-as-you-go basis. This prevents your instance from entering the sandbox due to excessive QPS usage, which could disrupt your services. | |
2022-10-19 | The monitoring and alerting feature is now available for WAF 3.0. | You can configure alerts to receive notifications from WAF when it detects attack events or unusual traffic in your website requests. This helps you stay informed about the security status of your services. | |
2022-09-23 | WAF 3.0 supports using a custom header to obtain the originating port of the client. | In the WAF 3.0 access configuration, you can enable "Traffic Mark" and select "Originating port of the client". By configuring the header field that contains the actual client source port, you can allow WAF 3.0 to record this header and pass it to the origin server. | |
2022-08-24 | WAF 3.0 supports custom back-to-origin timeout configuration. | In the WAF 3.0 access configuration, you can customize the connection, read, and write timeout periods. This lets you flexibly adjust these settings to meet your business requirements. | |
2022-08-12 | The WAF 3.0 and MSE integration feature is now available. | If your web service uses Alibaba Cloud Microservices Engine (MSE), you can integrate MSE with WAF to direct your web service traffic to WAF 3.0 for security protection. | Enable WAF protection for an MSE cloud-native gateway instance |
2022-07-22 | The data leak prevention feature is now available for WAF 3.0. | The data leak prevention feature filters sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words, from the content returned by the server. It can mask the sensitive information or return a default abnormal response page. | Configure data leak prevention rules to prevent sensitive information leaks |
2022-07-22 | The web tamper proofing feature is now available for WAF 3.0. | The web tamper proofing feature locks website pages that require protection, such as sensitive pages. When a request is received for a locked page, the configured cached page is returned. This prevents malicious tampering of the origin page content. | Configure web tamper proofing rules to prevent web pages from being tampered with |
2022-07-20 | The subscription billing method is now available for WAF 3.0. | WAF 3.0 now supports a subscription billing method that lets you pay for resources before you use them. With a subscription, you can reserve resources in advance and enjoy lower prices to help you save on costs. | |
2022-07-14 | The Asset Center feature is now available for WAF 3.0. | The Asset Center module helps you manage your on-premises and cloud domain name assets. It assesses risk levels based on the attack landscape of your assets, helping you understand the overall protection status of your services. | |
2022-06-23 | The bot management feature is now available for WAF 3.0. | This feature supports scenario-specific rules for web and app anti-crawling. By configuring these rules, you can more effectively protect your services against crawler risks. | |
2022-05-30 | The major event support feature is now available for WAF 3.0. | This feature provides a major event protection rule group, massive IP address blocking, collaborative defense, and cookie security capabilities. It offers a high level of protection for customers in intense attack and defense scenarios. | |
2022-04-21 | The HTTP flood protection feature is now available for WAF 3.0. | The HTTP flood protection feature blocks HTTP flood attacks that target page requests. After an attack is blocked, a 405 error page is returned. | Configure HTTP flood protection rules to defend against HTTP flood attacks |
2022-04-21 | The Geo-blocking feature is now available for WAF 3.0. | The Geo-blocking feature identifies the source region of client access requests. It lets you block access from specific regions or allow access only from specific regions with a single click. This helps address frequent malicious requests from certain areas. | Configure Geo-blocking rules to block requests from specific regions |
2022-01-22 | WAF 3.0 is released. | WAF 3.0 supports CNAME access similar to WAF 2.0 and also integrates with cloud products such as Application Load Balancer (ALB) in a cloud-native architecture. It supports cloud service integration and features a redesigned console for protection configuration. This provides higher O&M efficiency, a smoother user experience, and more capabilities. | Announcement on the release of WAF 3.0 and the discontinuation of new WAF 2.0 purchases |