
Web Application Firewall: Configure data leakage prevention rules

Last Updated: Mar 31, 2026

Data leakage prevention rules inspect server responses and act on sensitive data before it reaches the client. WAF can mask detected information in responses or return a default error response page when specific HTTP error status codes are returned.

Note

This feature only supports data formats used in the Chinese mainland, such as ID card numbers, mobile phone numbers, and credit card numbers. Data formats from other regions are not supported.

What WAF can detect

WAF matches sensitive data against two categories:

| Category | Detectable values | Available actions |
| --- | --- | --- |
| Sensitive Info | ID card numbers, credit card numbers, mobile phone numbers, default sensitive words | Monitor (log only), Mask (replace parts of the sensitive information with asterisks) |
| Status Code | 400, 401, 402, 403, 404, 500, 501, 502, 503, 504, 405–499, 505–599 | Monitor (log only), Block (block request and return block page) |

Important

Blocking is only available for Status Code rules. Sensitive Info rules support masking or monitoring only. Masking replaces parts of the sensitive information with asterisks (*) without blocking the request — the response is still returned to the client.

Limitations

Protected objects in cloud native mode (ALB, MSE, FC) do not support this feature.

Prerequisites

Before you begin, ensure that you have:

Step 1: Create a data leakage prevention template

Data leakage prevention has no default protection template. To activate the feature, create a template and attach it to your protected objects.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of your WAF instance (Chinese Mainland or Outside Chinese Mainland).

  2. In the left-side navigation pane, choose Protection Configuration > Core Web Protection.

  3. In the Data Leakage Prevention section, click Create Template.

  4. In the Create Template - Data Leakage Prevention panel, configure the following parameters and click OK.

    | Parameter | Description |
    | --- | --- |
    | Template Name | A name for the template. Must be 1–255 characters and can contain letters, digits, periods (.), underscores (_), and hyphens (-). |
    | Rule Configuration | (Optional) Click Create Rule to add a rule now. You can also skip this and add rules after the template is created. For details, see Step 2: Add a data leakage prevention rule to a template. |
    | Apply To | Select the protected objects and protected object groups to which the template applies. Each protected object or group can be associated with only one template per protection module. |

The template is enabled by default. In the template list, you can:

  • View associated protected objects and groups in the Protected Object/Group column.

  • Toggle the switch in the Status column to enable or disable the template.

  • Click Create Rule, Edit, Delete, or Copy in the Actions column to manage the template.

  • Click the expand icon to the left of the template name to expand and view its protection rules.

Step 2: Add a data leakage prevention rule to a template

A template takes effect only after it has at least one protection rule. Skip this step if you added rules during template creation.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of your WAF instance (Chinese Mainland or Outside Chinese Mainland).

  2. In the left-side navigation pane, choose Protection Configuration > Core Web Protection.

  3. In the Data Leakage Prevention section, find the template, expand it, and click Create Rule in the Actions column.

  4. In the Create Rule dialog box, configure the following parameters and click OK.

    | Parameter | Description |
    | --- | --- |
    | Rule Name | A name for the rule. Can contain letters, digits, periods (.), underscores (_), and hyphens (-). |
    | Match Condition | The type of sensitive data to detect. Select one or more values from Status Code (400, 401, 402, 403, 404, 500, 501, 502, 503, 504, 405–499, 505–599) or Sensitive Info (ID Card Numbers, Credit Card Number, Mobile Phone Number, Default Sensitive Words). To target a specific page, select AND and specify a URL. |
    | Action | The action to take when a match is detected. For Status Code rules: Monitor (log only) or Block (block the request and return a block page). For Sensitive Info rules: Monitor (log only) or Mask (replace parts of the sensitive information with asterisks (*) without blocking the request). |

The rule is enabled by default. In the rule list, you can view the rule ID and action, toggle the Status switch to enable or disable the rule, and click Edit or Delete to manage it.
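One way to check that a Mask rule is working is to scan a response body captured from the protected site for values of the three Sensitive Info types that are still in clear text. The script below is an added example, not code from WAF or this documentation. Its regular expressions, checksum checks (GB 11643-1999 for ID card numbers, Luhn for card numbers) and the masked layout in the AFTER sample are assumptions, not WAF's own detection or masking logic.

```python
import re

# Assumed patterns for Chinese mainland formats; not WAF's own detection logic.
ID_RE = re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)")
MOBILE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")
CARD_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")

ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
ID_CHECK = "10X98765432"


def valid_id_card(s):
    """GB 11643-1999 check character (ISO 7064 MOD 11-2) for an 18-char ID."""
    total = sum(int(d) * w for d, w in zip(s[:17], ID_WEIGHTS))
    return ID_CHECK[total % 11] == s[17].upper()


def valid_luhn(s):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_unmasked(body):
    """Return (type, value) pairs for values still present in clear text."""
    hits = [("id_card", m) for m in ID_RE.findall(body) if valid_id_card(m)]
    hits += [("credit_card", m) for m in CARD_RE.findall(body) if valid_luhn(m)]
    hits += [("mobile", m) for m in MOBILE_RE.findall(body)]
    return hits


# Sample bodies built for this example from test values, not real personal data.
# The asterisk layout in AFTER is an assumed masking format.
BEFORE = '{"id":"11010519491231002X","phone":"13800138000","card":"4111111111111111"}'
AFTER = '{"id":"110105********002X","phone":"138****8000","card":"4111********1111"}'

if __name__ == "__main__":
    for label, body in (("before", BEFORE), ("after", AFTER)):
        print(label, find_unmasked(body))
```

An empty result for a response fetched through WAF, alongside hits for the same response fetched directly from the origin, indicates the rule is masking that page.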

What's next

View protection events on the Data Leakage Prevention tab of the Security Reports page. For more information, see Security reports.
