After you add a website to Web Application Firewall (WAF), you can configure the data leakage prevention feature for the website. The data leakage prevention feature filters content, such as abnormal pages and keywords that are returned from servers, and masks sensitive information such as ID card numbers, mobile phone numbers, bank card numbers, and sensitive words. Then, WAF returns the masked information or default response pages.
The data leakage prevention feature can process only data in the formats that are used in the Chinese mainland, such as ID card numbers, mobile phone numbers, and bank card numbers.
Prerequisites
A WAF instance that meets the following requirements is purchased:
If the WAF instance is deployed in the Chinese Mainland, the edition of the instance must be Pro Edition or higher.
If the WAF instance is deployed outside the Chinese Mainland, the edition of the instance must be Business Edition or higher.
Your website is added to WAF. For more information, see Tutorial.
Background information
WAF supports the data leakage prevention feature to comply with the following regulations required by the Cybersecurity Law of the People's Republic of China: Network operators shall adopt technological and other necessary measures to ensure the security of the personal information they collect and prevent information leaks, damage, or loss. If data is leaked, damaged, or lost, network operators must take remedial measures at the earliest opportunity, notify users in a timely manner, and report the matter to the authority in compliance with the regulations. The data leakage prevention feature masks sensitive information, such as phone numbers, ID card numbers, and bank card numbers, in website content and triggers alerts upon the detection of sensitive information. You can use the feature to block responses that contain specific HTTP status codes.
Features
Information maintained by a website may be leaked in the following scenarios: unauthorized access to a URL, such as unauthorized access to the backend management system, horizontal and vertical privilege escalation, and malicious crawlers that retrieve sensitive information from web pages. To prevent leaks of common sensitive information, the data leakage prevention feature provides the following capabilities:
Detect and identify personal information on web pages, mask the information, and trigger alerts to protect website data. Personal information includes, but is not limited to, ID card numbers, phone numbers, and bank card numbers.
Important: The data leakage prevention feature can process only data in the formats that are used in the Chinese mainland, such as ID card numbers, mobile phone numbers, and bank card numbers.
Mask sensitive server information, such as web applications used by the website, the operating system, and the version of the server.
Maintain a library that contains banned and sensitive keywords to detect and mask banned or sensitive website content and trigger alerts.
How the feature works
The data leakage prevention feature detects whether a web page contains sensitive information, such as ID card numbers, mobile phone numbers, and bank card numbers, based on specific protection rules. If a protection rule is matched, WAF triggers alerts or masks the information based on the rule. The data leakage prevention feature replaces sensitive information with asterisks (*).
The data leakage prevention feature allows you to set Content-Type to text/*, image/*, or application/* to protect web applications, native applications, and APIs.
Procedure
Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
In the upper part of the Website Protection page, select the domain name for which you want to configure protection from the Switch Domain Name drop-down list.
Click the Web Security tab and find the Data Leakage Prevention section. Then, turn on Status and click Configure Now.
Important: Before you configure data leakage prevention rules, you must enable the data leakage prevention feature.
After you enable the data leakage prevention feature, the feature checks all requests that are destined for your website. You can configure a data security whitelist rule to allow specific requests. For more information, see Configure a whitelist for Data Security.
Create a data leakage prevention rule.
On the Data Leakage Prevention page, click Create Rule.
In the Create Rule dialog box, configure the parameters. The following table describes the parameters.
Parameter: Rule Name
Description: The name of the data leakage prevention rule that you want to create.

Parameter: Match Condition
Description: The type of information that you want to detect. Valid values:
Status Code: 400, 401, 402, 403, 404, 405-499, 500, 501, 502, 503, 504, and 505-599
Sensitive Information: ID Card Number, Credit Card Number, Mobile Phone Number, and Default Sensitive Word
Important: The data leakage prevention feature can process only data in the formats that are used in the Chinese mainland, such as ID card numbers, mobile phone numbers, and bank card numbers.
You can select multiple values for the Status Code and Sensitive Information options.
If you select And, you can specify the URL that you want to monitor. This way, WAF detects sensitive information only on the specified page.

Parameter: Action
Description: The action that you want to perform on the sensitive information that is detected.
If you set the match condition to Status Code, the following actions are supported:
Alert: triggers alerts when sensitive information is detected.
Block: blocks requests and returns the default block page.
If you set the match condition to Sensitive Information, the following actions are supported:
Alert: triggers alerts when sensitive information is detected.
Filter Sensitive Information: masks sensitive information in responses.
Sample configurations
Mask sensitive information: Web pages may contain sensitive information, such as phone numbers and ID card numbers. You can create data leakage prevention rules to mask sensitive information or trigger alerts when sensitive information is detected. The following example describes how to create a data leakage prevention rule that masks mobile phone numbers and ID card numbers.
Match Condition: ID Card Number and Mobile Phone Number
Action: Filter Sensitive Information
Important: Mobile phone numbers that must be provided to the public for business affairs, such as customer service and product hotlines, may also be masked by data leakage prevention rules.
Block responses that contain specific HTTP status codes: You can create a data leakage prevention rule to block or generate alerts when specific HTTP status codes are detected to prevent leaks of sensitive server information. The following example describes how to create a data leakage prevention rule that blocks the HTTP 404 status code.
Match Condition: 404
Action: Block
Mask specific sensitive information on specific pages: You can create data leakage prevention rules to mask sensitive information or generate alerts when specific sensitive information, such as phone numbers or ID card numbers, is detected on specific pages. The following example describes how to create a data leakage prevention rule that masks ID card numbers on the pages whose URLs contain admin.php.
Match Condition: ID card numbers on pages whose URLs contain admin.php
Action: Filter Sensitive Information
After the data leakage prevention rule takes effect, the ID card numbers on the pages whose URLs contain admin.php are masked.
Click OK.
After you create a data leakage prevention rule, the rule automatically takes effect. You can view, modify, or delete data leakage prevention rules in the rule list based on your business requirements.
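The following Python model is an added illustration of how a rule described in "How the feature works" and in the sample configurations above is evaluated against one upstream response; it is not WAF's own code or its published matching logic. It scopes the check by Content-Type and by the And URL condition, blocks on a matched status code, and masks ID card numbers and mobile phone numbers in Chinese mainland formats with asterisks. The regexes, the same-length whole-value masking, the rule dictionary shape, and the sample page are assumptions.

```python
import re

# Constructed regexes for the Chinese mainland formats the page names; the WAF's
# own patterns are not published, so these are illustrative assumptions.
PATTERNS = {
    "ID Card Number": re.compile(
        r"(?<![\dXx])[1-9]\d{5}(?:18|19|20)\d{2}"
        r"(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])\d{3}[\dXx](?![\dXx])"),
    "Mobile Phone Number": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
}
PROTECTED_TYPES = ("text/", "image/", "application/")


def apply_rule(rule, url, status, content_type, body):
    """Evaluate one rule against one upstream response.

    rule keys: name, status_codes (set), sensitive (set of PATTERNS keys),
    url_contains (str, the "And" URL condition), action ("Alert", "Block"
    or "Filter Sensitive Information"). Returns (verdict, body, alerts).
    """
    alerts = []
    if not content_type.startswith(PROTECTED_TYPES):
        return "pass", body, alerts      # Content-Type outside the feature's scope
    if rule.get("url_contains") and rule["url_contains"] not in url:
        return "pass", body, alerts      # rule is scoped to another page
    if status in rule.get("status_codes", ()):
        alerts.append(f"{rule['name']}: status {status}")
        if rule["action"] == "Block":
            return "block", "", alerts   # WAF would serve its default block page
    # ID card numbers are masked before phone numbers so that a digit run
    # inside an ID card number cannot be re-detected as a phone number.
    for kind, pattern in PATTERNS.items():
        if kind not in rule.get("sensitive", ()):
            continue
        hits = pattern.findall(body)
        if not hits:
            continue
        alerts.append(f"{rule['name']}: {len(hits)} x {kind}")
        if rule["action"] == "Filter Sensitive Information":
            # Assumption: the whole value becomes same-length asterisks.
            body = pattern.sub(lambda m: "*" * len(m.group(0)), body)
    return "pass", body, alerts


# Constructed sample: a back-office page leaking an ID card number and a phone.
SAMPLE_URL = "https://example.com/admin.php?id=7"
SAMPLE_BODY = "Customer 11010119900307123X, contact 13812345678, hotline 400-800-1234"
ADMIN_RULE = {"name": "mask-admin", "sensitive": {"ID Card Number"},
              "url_contains": "admin.php", "action": "Filter Sensitive Information"}
BLOCK_404 = {"name": "block-404", "status_codes": {404}, "action": "Block"}
```

Running apply_rule(ADMIN_RULE, SAMPLE_URL, 200, "text/html", SAMPLE_BODY) masks only the ID card number, leaves the hotline and the phone number untouched, and returns one alert; the same rule does nothing on a URL that does not contain admin.php.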
What to do next
After you enable the data leakage prevention feature, you can view the log data of the filtered or blocked requests that match data leakage prevention rules. To view the log data, go to the Security Report page. On the Web Security tab, click Data Leakage Prevention. Then, view the security report. For more information, see View security reports.