How to configure protection rules for the website tamper-proofing module - Web Application Firewall

After you add web services to Web Application Firewall (WAF), you can configure protection rules for the website tamper-proofing module to lock the web pages that you want to protect. For example, you can lock web pages that contain sensitive information. When a locked page is requested, a cached version of the page is returned to help prevent web page tampering. This topic describes how to create a protection template of the website tamper-proofing module and add protection rules to the template.

Limits

If you add web services to WAF in hybrid cloud or cloud native mode, the related protected objects do not support the website tamper-proofing module. You can add Microservices Engine (MSE) instances and Function Compute-related domain names to WAF in cloud native mode.

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.

Step 1: Create a protection template of the website tamper-proofing module

The website tamper-proofing module does not provide default protection templates. Before you can enable a protection rule of the website tamper-proofing module, you must create a protection template of the module and add protection rules to the template.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, choose Protection Configuration > Protection Rules.
In the Website Tamper-proofing section of the Basic Web Protection page, click Create Template.
Note
If this is your first time to create a protection template of the website tamper-proofing module, you can also click Configure Now in the Website Tamper-proofing card in the upper part of the Basic Web Protection page.

In the Create Template - Website Tamper-proofing panel, configure the parameters and click OK. The following table describes the parameters.

Parameter	Description
Template Name	Specify a name for the template. The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Rule Configuration	Click Create Rule to create a protection rule for the template. You can also create protection rules after the template is created. For more information, see Step 2: Add protection rules to a protection template of the website tamper-proofing module.
Apply To	Select the protected objects and protected object groups to which you want to apply the template. You can apply only one protection template of the website tamper-proofing module to a protected object or a protected object group. For more information about how to add protected objects and create protected object groups, see Configure protected objects and protected object groups.

By default, a new rule template is enabled. You can perform the following operations in the rule template list:

View the number of protected objects and protected object groups that are associated with the template.
Turn on or turn off the switch in the Status column to enable or disable the template.
Click Edit or Delete in the Actions column to modify or delete the template.
Click the icon to the left of a template name to view the rules in the template.

Step 2: Add protection rules to a protection template of the website tamper-proofing module

A protection template takes effect only after you add protection rules to the template. If you created protection rules when you created the protection template, you can skip this step.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, choose Protection Configuration > Protection Rules.
In the Website Tamper-proofing section, find the protection template to which you want to add protection rules and click Create Rule in the Actions column.

In the Create Rule dialog box, configure the parameters and click OK. The following table describes the parameters.

Parameter	Description
Rule Name	Specify a name for the rule. The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Address of Cached Page	Specify the type and path of the cached page. The type can be http or https. For the path, take note of the following items: The default path of the cached page is `www.waftest.cn/index.html`. You can change the path. The path cannot contain wildcard characters such as `/` or parameters such as `xxx=yyy` in `/abc?xxx=yyy`. Important* If the URL of a request includes parameters, the request does not hit a protection rule of the website tamper-proofing module. WAF directly forwards the request to the origin server. For example, the path of the cached page is `/abc` in a protection rule of the website tamper-proofing module, and the URL of a request is `/abc?xxx=yyy`. In this case, the request does not hit the protection rule even if the specified path is `/abc`. The website tamper-proofing module protects text data, HTML pages, and images in the specified directory. The size of a protected file cannot exceed 1 MB. Important You can specify only a URL. You cannot specify a directory.
Specify User-Agent to Access	Specify the User-Agent strings of browsers for clients. If you do not select Specify User-Agent to Access, the User-Agent strings of all desktop browsers are used. If you select Specify User-Agent to Access, you must specify custom User-Agent strings. You can open a browser and press the F12 key to open the developer tools. On the Network tab, click the request. In the Request Headers section, find the User-Agent field to obtain the User-Agent string of the browser.

By default, a new rule is enabled. You can perform the following operations in the rule list:

Turn on or turn off the switch in the Status column to enable or disable the rule.
Click Edit or Delete in the Actions column to modify or delete the rule.

Related operations

If you want to enable website tamper-proofing for a specific directory on a server, you can use the web tamper proofing feature of Security Center. For more information, see Use the web tamper proofing feature.

The following table describes the differences between the website tamper-proofing module of WAF and the web tamper proofing feature of Security Center.

Item	WAF	Security Center
Implementation	The website tamper-proofing module of WAF allows you to lock web pages that you want to protect. When a locked page is requested, a cached version of the page is returned to help prevent web page tampering.	The web tamper proofing feature of Security Center restores tampered files or directories based on backup files to prevent important website information from being tampered with.
Applicable scope	Website URLs.	Server directories.

References

For more information about the protection objects, protection modules, and protection process of WAF 3.0, see Protection configuration overview.
For more information about how to create a protection template by calling an API operation, see CreateDefenseTemplate.
For more information about how to create a protection rule by calling an API operation, see CreateDefenseRule.