Dynamic Route for CDN (DCDN) Web Application Firewall (WAF) provides a built-in basic web protection policy that is used as the default policy to defend against common web application attacks. The attacks include SQL injection, cross-site scripting (XSS) attacks, unauthorized code execution, webshells, and command injection. If the built-in basic protection policy cannot meet your requirements, you can configure a custom default protection policy. For example, if you want to specify different protection actions on the requests from different protected objects, configure a custom default protection policy.

Feature description

The system automatically configures the default protection policy for the following domain names:
  • The new protected domain names that are added on the Protected Domain Names page.
  • The domain names that are added to DCDN WAF but have no policy of the same type configured. For example, you added a domain name to DCDN WAF without configuring a whitelist for it. After you configure a default whitelist, the default whitelist is automatically applied to that domain name.
    Note: You can associate a protected domain name with only one protection policy of each policy type. If another policy of the same type is configured for the protected domain name, the domain name is not protected by the default protection policy of that type.
The following table describes the default policy settings for different types of protection policies.
| Protection policy type | Default policy | Recommended configuration |
| --- | --- | --- |
| Configure basic web protection | A built-in default policy template is provided, and the template contains the basic protection rule set provided by WAF. By default, the default policy template is enabled, and the Block action is specified. Note: The basic web protection rules take effect on all new protected domain names that are added to DCDN WAF. Attack requests are automatically blocked based on basic web protection rules. For more information, see Default rules for basic web protection. | We recommend that you use the default configurations. After your domain name has been added to DCDN WAF for a period of time, you can configure a whitelist for the basic protection rules if the basic protection rules block legitimate requests. For more information, see Configure a whitelist. |
| Configure custom protection policies; Configure a whitelist; Configure an IP address blacklist; Configure a region blacklist; Configure the bot management module | A default policy template is not provided. | You can create a custom default policy based on your business requirements. |
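
The assignment rules in this section (one policy per type per domain name, a default that applies only where no policy of that type is associated, and one default per type) can be checked against an inventory of your own. The Python below is an added example, not DCDN code or an Alibaba Cloud API; the policy-type keys, policy names, domain names and data layout are all constructed for illustration.

```python
# Policy types named on this page; the keys are labels chosen for this example.
POLICY_TYPES = ("basic_web", "custom", "whitelist", "ip_blacklist",
                "region_blacklist", "bot_management")

def defaults_by_type(policies):
    """policies: {name: (ptype, is_default)} -> {ptype: default policy name}."""
    found = {}
    for name, (ptype, is_default) in policies.items():
        if is_default:
            if ptype in found:  # only one default policy per type is allowed
                raise ValueError(f"two default policies for type {ptype}")
            found[ptype] = name
    return found

def effective_policies(domains, policies):
    """domains: {domain: [associated policy names]} -> {domain: {ptype: (name, source)}}."""
    defaults = defaults_by_type(policies)
    result = {}
    for domain, names in domains.items():
        explicit = {}
        for name in names:
            ptype = policies[name][0]
            if ptype in explicit:  # one policy per type per protected domain name
                raise ValueError(f"{domain}: two policies of type {ptype}")
            explicit[ptype] = name
        result[domain] = {
            t: (explicit[t], "explicit") if t in explicit  # displaces the default
            else (defaults[t], "default") if t in defaults  # fallback to default
            else (None, "none")  # no default of this type has been created
            for t in POLICY_TYPES
        }
    return result

def gaps(effective):
    """(domain, ptype) pairs that neither an explicit nor a default policy covers."""
    return [(d, t) for d, row in effective.items()
            for t, (name, _) in row.items() if name is None]

# Constructed inventory (hypothetical names), not exported from any real account.
POLICIES = {
    "builtin-basic": ("basic_web", True),   # stands in for the built-in template
    "basic-shop": ("basic_web", False),
    "default-allow": ("whitelist", True),
}
DOMAINS = {"shop.example.com": ["basic-shop"], "api.example.com": []}

if __name__ == "__main__":
    print(gaps(effective_policies(DOMAINS, POLICIES)))
```

In this constructed inventory, shop.example.com no longer receives the default basic web protection policy because it has its own policy of that type, so any rule relaxations in that policy need their own review.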

Procedure

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, choose WAF > Protection Policies.
  3. On the Protection Policies page, click Create Policy.
  4. On the Create Policy page, turn on Make Default. For more information, see Overview.
    Note: You can specify only one default policy for each type of policy. You cannot change the default policy after you specify a default policy.