
Web Application Firewall:Configure protection rules for the website tamper-proofing module to prevent web page tampering

Last Updated:Oct 09, 2024

After you add web services to Web Application Firewall (WAF), you can configure protection rules for the website tamper-proofing module to lock the web pages that you want to protect. For example, you can lock web pages that contain sensitive information. When a locked page is requested, a cached version of the page is returned to help prevent web page tampering. This topic describes how to create a protection template of the website tamper-proofing module and add protection rules to the template.

Limits

If you add web services to WAF in hybrid cloud or cloud native mode, the related protected objects do not support the website tamper-proofing module. You can add Microservices Engine (MSE) instances and Function Compute-related domain names to WAF in cloud native mode.

Prerequisites

Step 1: Create a protection template of the website tamper-proofing module

The website tamper-proofing module does not provide default protection templates. Before you can enable a protection rule of the website tamper-proofing module, you must create a protection template of the module and add protection rules to the template.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Basic Web Protection.

  3. In the Website Tamper-proofing section of the Basic Web Protection page, click Create Template.

    Note

    If this is the first time that you create a protection template of the website tamper-proofing module, you can also click Configure Now in the Website Tamper-proofing card in the upper part of the Basic Web Protection page.

  4. In the Create Template - Website Tamper-proofing panel, configure the parameters and click OK. The following table describes the parameters.

    Parameter: Template Name
    Description: Specify a name for the template. The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Parameter: Rule Configuration
    Description: Click Create Rule to create a protection rule for the template. You can also create protection rules after the template is created. For more information, see Step 2: Add protection rules to a protection template of the website tamper-proofing module.

    Parameter: Apply To
    Description: Select the protected objects and protected object groups to which you want to apply the template. You can apply only one protection template of the website tamper-proofing module to a protected object or a protected object group. For more information about how to add protected objects and create protected object groups, see Configure protected objects and protected object groups.

    By default, a newly created protection template is enabled. You can perform the following operations on the template in the template list:

    • View the numbers of protected objects and protected object groups that are associated with the template in the Protected Object/Group column.

    • Turn on or turn off the switch in the Status column to enable or disable the template.

    • Click Edit or Delete in the Actions column to modify or delete the template.

    • Click the expand icon to the left of the template name to view the protection rules in the template.

Step 2: Add protection rules to a protection template of the website tamper-proofing module

A protection template takes effect only after you add protection rules to the template. If you created protection rules when you created the protection template, you can skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Basic Web Protection.

  3. In the Website Tamper-proofing section, find the protection template to which you want to add protection rules and click Create Rule in the Actions column.

  4. In the Create Rule dialog box, configure the parameters and click OK. The following table describes the parameters.

    Parameter: Rule Name
    Description: Specify a name for the rule. The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Parameter: Address of Cached Page
    Description: Specify the type and path of the cached page.

    • The type can be http or https.

    • For the path, take note of the following items:

      • The default path of the cached page is www.waftest.cn/index.html. You can change the path.

      • The path cannot contain wildcard characters such as /* or parameters such as xxx=yyy in /abc?xxx=yyy.

        Important

        If the URL of a request includes parameters, the request does not hit a protection rule of the website tamper-proofing module, and WAF forwards the request directly to the origin server. For example, if the path of the cached page in a protection rule is /abc and the URL of a request is /abc?xxx=yyy, the request does not hit the rule even though the specified path is /abc.

      • The website tamper-proofing module protects text data, HTML pages, and images in the specified directory. The size of a protected file cannot exceed 1 MB.

        Important

        You can specify only a URL. You cannot specify a directory.

    Parameter: Specify User-Agent to Access
    Description: Specify the User-Agent strings of browsers for clients.

    • If you do not select Specify User-Agent to Access, the User-Agent strings of all desktop browsers are used.

    • If you select Specify User-Agent to Access, you must specify custom User-Agent strings.

      You can open a browser and press the F12 key to open the developer tools. On the Network tab, click the request. In the Request Headers section, find the User-Agent field to obtain the User-Agent string of the browser.

    Note
    • After protection rules are created, the system automatically pulls and caches resources in the WAF. When a protected web page is requested, a cached version of the page is returned to help prevent web page tampering.

    • If you re-enable the website tamper-proofing module or enable a protection rule again, the system refreshes the cached resources. This has the same effect as clicking Refresh Cache to update the cached resources.

    By default, a newly created protection rule is enabled. You can perform the following operations on the rule in the rule list:

    • Turn on or turn off the switch in the Status column to enable or disable the rule.

    • Click Edit or Delete in the Actions column to modify or delete the rule.
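    The matching behavior described above (exact URL match, no wildcards or query parameters, 1 MB cap) is easy to get wrong when drafting rules. The following added example, which is not Alibaba Cloud code, simulates that behavior locally so that a rule set can be sanity-checked before it is entered in the console; the TamperProofingRule structure, helper names, and the rule sample are assumptions.

```python
"""Local simulator for WAF website tamper-proofing rule semantics as
described in this topic (added example; the rule structure and helper
names are assumptions, not the WAF API)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Rule and template names: letters, digits, '.', '_', '-' (1 to 255 characters).
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,255}$")
# A protected file (text, HTML page, image) must not exceed 1 MB.
MAX_CACHED_BYTES = 1024 * 1024


@dataclass(frozen=True)
class TamperProofingRule:
    name: str
    scheme: str   # "http" or "https"
    address: str  # host + path, e.g. "www.waftest.cn/index.html"


def validate_rule(rule: TamperProofingRule) -> list:
    """Return the configuration problems a rule would have, [] if none."""
    problems = []
    if not NAME_RE.match(rule.name):
        problems.append("rule name: letters, digits, '.', '_', '-' only")
    if rule.scheme not in ("http", "https"):
        problems.append("type must be http or https")
    if "*" in rule.address:
        problems.append("path must not contain wildcards such as /*")
    if "?" in rule.address or "=" in rule.address:
        problems.append("path must not contain parameters such as xxx=yyy")
    return problems


def hits_rule(request_url: str, rule: TamperProofingRule) -> bool:
    """True if WAF would return the cached page instead of forwarding."""
    parts = urlsplit(request_url)
    if parts.query:
        # Any query parameter means no hit: the request goes to the origin.
        return False
    return parts.scheme == rule.scheme and parts.netloc + parts.path == rule.address


def cacheable(size_bytes: int) -> bool:
    """True if a file of this size can be protected by the module."""
    return 0 < size_bytes <= MAX_CACHED_BYTES


if __name__ == "__main__":
    # Constructed sample rule using the default address from the console.
    rule = TamperProofingRule("index-lock", "https", "www.waftest.cn/index.html")
    print(validate_rule(rule), hits_rule("https://www.waftest.cn/index.html?a=b", rule))
```

Run it against the rules you plan to create; a request that carries parameters reports no hit, which is exactly the case the Important note warns about.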

Related operations

If you want to enable website tamper-proofing for a specific directory on a server, you can use the web tamper proofing feature of Security Center. For more information, see Use the web tamper proofing feature.

The following table describes the differences between the website tamper-proofing module of WAF and the web tamper proofing feature of Security Center.

Item: Implementation
WAF: The website tamper-proofing module of WAF allows you to lock web pages that you want to protect. When a locked page is requested, a cached version of the page is returned to help prevent web page tampering.
Security Center: The web tamper proofing feature of Security Center restores tampered files or directories based on backup files to prevent important website information from being tampered with.

Item: Applicable scope
WAF: Website URLs.
Security Center: Server directories.

References

  • For more information about the protection objects, protection modules, and protection process of WAF 3.0, see Protection configuration overview.

  • For more information about how to create a protection template by calling an API operation, see CreateDefenseTemplate.

  • For more information about how to create a protection rule by calling an API operation, see CreateDefenseRule.