This topic describes the website protection features supported by Web Application Firewall (WAF).
| Module | Feature | Description | Enabling method | Reference |
| --- | --- | --- | --- | --- |
| Web Security | Protection rules engine | This feature protects your websites against common web attacks based on built-in protection rules. The common web attacks include SQL injection, cross-site scripting (XSS) attacks, webshells, command injection, backdoor isolation, invalid file requests, path traversal, and exploitation of common vulnerabilities. | The feature is enabled by default after you add a domain name. | |
| Web Security | Protection rule group | The feature allows you to combine protection rules to create a custom rule group and apply the group to specific websites based on your business requirements. Note: You can create a custom rule group only for the protection rules engine. | You must enable this feature after you add a domain name. | Customize protection rule groups; Best practices for using custom rule groups to provide enhanced protection |
| Web Security | Website tamper-proofing | The feature helps you lock specific web pages, such as those that contain sensitive information. When a locked web page is requested, the page cached in WAF is returned. This prevents tampering with the web pages. | You must enable this feature after you add a domain name. | |
| Web Security | Data leakage prevention | The feature filters content, such as abnormal pages and keywords, returned from the servers to websites and masks sensitive information, such as identity card numbers, bank card numbers, phone numbers, and sensitive words. WAF then returns masked information or default error pages to visitors. | You must enable this feature after you add a domain name. | |
| Web Security | Positive security model | The feature uses Alibaba Cloud machine learning algorithms to automatically analyze the normal network traffic of a website. It then generates security protection policies tailored for the website based on the collected data. | You must enable this feature after you add a domain name. | |
| Bot Management | Allowed crawlers | The feature maintains a whitelist of allowed search engines, such as Google, Bing, Baidu, Sogou, and Yandex. The crawlers of these search engines are allowed to access specified domain names. | You must enable this feature after you add a domain name. | |
| Bot Management | Bot threat intelligence | The feature provides information about suspicious IP addresses of dialers, on-premises data centers, and malicious scanners based on the computing capabilities of Alibaba Cloud. This feature also maintains a dynamic IP library of malicious crawlers and prevents crawlers from accessing your websites or specific directories. | You must enable this feature after you add a domain name. | |
| Bot Management | Data risk control | The feature protects crucial website services, such as registrations, logons, campaigns, and forums, against fraud. | You must enable this feature after you add a domain name. | |
| Bot Management | Application protection | The feature provides secure connections and anti-bot protection for native applications. This feature also identifies proxies, emulators, and requests with invalid signatures. | You must enable this feature after you add a domain name. | |
| Access Control/Throttling | HTTP flood protection | This feature helps you defend against HTTP flood attacks and provides protection policies in different modes. | The feature is enabled by default after you add a domain name. | |
| Access Control/Throttling | IP address blacklist | The feature blocks access requests from specified IP addresses, CIDR blocks, and IP addresses in specified regions. | You must enable this feature after you add a domain name. | |
| Access Control/Throttling | Scan protection | The feature automatically blocks access requests that have specific characteristics. For example, if a source IP address initiates multiple web attacks or targeted directory traversal attacks in a short period of time, WAF automatically blocks its requests. Source IP addresses are also blocked if they belong to common scan tools or are listed in the Alibaba Cloud malicious IP library. | You must enable this feature after you add a domain name. | |
| Access Control/Throttling | Custom protection policies | The feature allows you to customize access control rules and configure rate limiting based on precise match conditions. | You must enable this feature after you add a domain name. | |
| Protection Lab | Account security | The feature allows you to monitor user authentication-related interfaces, such as the endpoints used for registration and logon, and to detect events that may pose a threat to user credentials. These threats include credential stuffing, brute-force attacks, spam registration, weak password sniffing, and SMS flood attacks. | You must enable this feature after you add a domain name. | |
| Whitelists | Website whitelist | After you configure a rule, requests that match the rule bypass all protection features and are directly forwarded to origin servers. | You must enable this feature after you add a domain name. | |
| Whitelists | Web intrusion prevention whitelist | After you configure a rule, requests that match the rule bypass specified protection features, such as the protection rules engine feature. | You must enable this feature after you add a domain name. | |
| Whitelists | Data security whitelist | After you configure a rule, requests that match the rule bypass specified protection features, such as website tamper-proofing, data leakage prevention, and account security. | You must enable this feature after you add a domain name. | |
| Whitelists | Bot management whitelist | After you configure a rule, requests that match the rule bypass specified protection features, such as bot threat intelligence, data risk control, intelligent algorithm, and application protection. | You must enable this feature after you add a domain name. | |
| Whitelists | Access control and throttling whitelist | After you configure a rule, requests that match the rule bypass specified protection features, such as HTTP flood protection, IP address blacklist, scan protection, and custom protection policies. | You must enable this feature after you add a domain name. | |
Disable WAF protection
If you want to disable WAF protection, choose Asset Center > Website Access and turn off WAF Protection in the WAF 2.0 console.
After you disable WAF protection, traffic to the websites that were previously protected by WAF bypasses the WAF protection engine, and WAF stops logging monitored and blocked requests. If you perform operations such as emergency tests that require WAF protection to be temporarily disabled, we recommend that you go to the Protected Objects page of the WAF 3.0 console and enable WAF protection again as soon as the operations are complete, so that logging of monitored and blocked requests resumes. This reduces the window in which your assets are exposed. If you disable WAF protection or specific features while the API security module is configured, the detection process of the API security module is not stopped.
If you use a pay-as-you-go WAF instance and disable WAF protection for a short period of time, you are still charged feature fees and basic request fees during that period. If the API security module is enabled, you are also charged traffic fees for the API security module. Billing for bot management, risk identification, and custom rules is suspended.
You cannot disable WAF protection for Microservices Engine (MSE) and Function Compute resources that are added to WAF. If you want to disable WAF protection for websites that are deployed in a hybrid cloud, the configuration takes effect only when the hybrid cloud version meets specific conditions. For more information, contact your business manager or choose Tickets to submit a ticket for consultation. Alibaba Cloud technical support will provide you with the specific version requirements.