Updated on 2024-02-29 GMT+08:00

Best Practices for Website Protection

If you are a first-time user, you may not know how to configure website protection policies after adding a website to WAF. This topic describes how Web Application Firewall (WAF) works and helps you get familiar with WAF protection rules across common scenarios.

Prerequisites

Overview

This document provides suggestions on website protection settings from the perspectives of different roles or service requirements. You can select a scenario that best meets your actual requirements to learn about related protection settings.

I'm a novice. I know little about security and have no special requirements.

You may have purchased WAF to meet security and compliance requirements or to raise your organization's overall security level. In this case, you can use the default basic protection settings of WAF. The default protection capability provided by WAF is sufficient to defend websites against most basic web threats.

Keep an eye on the Dashboard and Events pages on the WAF console to track your services and their security status. For more details, see:

I am a professional in security O&M, and I need comprehensive website protection operations.

The following protection settings are recommended:

  • Basic Web Protection: Defends against common web attacks, such as SQL injection, XSS, remote overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command/code injection. It can also identify escape attacks in depth, check all fields in a request header, check Shiro encryption, and detect web shells.

    Operation: On the Policies page, click a policy name. On the displayed page, select Basic Web Protection, select Block or Log only, and enable all check items. For details, see Configuring Basic Web Protection Rules.

  • Custom protection policies: You can create custom protection rules and add them to a policy to give your website comprehensive and tailored protection.

    Operation: On the Policies page, perform related configurations. For details, see How to Configure WAF Protection.

My services have strict requirements on security. Every attack must be blocked, even at the cost of more false positives.

To meet your requirements, the following protection configurations are recommended:

  • Basic Web Protection (block mode): Defends against common web attacks, such as SQL injection, XSS, remote overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command/code injection. It can also identify escape attacks in depth, check all fields in a request header, check Shiro encryption, and detect web shells.

    Operation: On the Policies page, click a policy name. On the displayed page, select Basic Web Protection, select Block, and enable all check items. For details, see Configuring Basic Web Protection Rules.

  • CC attack protection (block mode): Helps precisely identify and block CC attacks by limiting the access rate of a single visitor based on its IP address, cookie, or referer.

    Operation: On the Policies page, click a policy name. On the displayed page, click the CC Attack Protection area, add a rule, and set the Protective Action to Block. For more details, see Configuring a CC Attack Protection Rule.
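To make the rate-limiting idea behind CC attack protection concrete, the following is an added example (not WAF's own code or configuration): a sliding-window limiter keyed by IP address, cookie, or referer, run over constructed traffic. The `Request` class, the `RateLimiter` class, the key names and the sample traffic are assumptions for this illustration; WAF's actual rule fields and thresholds are set on the console as described above.

```python
"""Sliding-window rate limiting keyed by IP, cookie, or referer (added illustration)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Request:
    ts: float          # arrival time in seconds
    ip: str
    path: str
    cookie: str = ""   # session cookie value, if any
    referer: str = ""  # Referer header, if any


class RateLimiter:
    """Counts requests per visitor inside a sliding window and blocks once the limit is exceeded.

    `key` selects the visitor identifier: "ip", "cookie", or "referer" (hypothetical names
    that mirror the three rate-limit modes described above)."""

    def __init__(self, key: str, limit: int, window: float):
        if key not in ("ip", "cookie", "referer"):
            raise ValueError(f"unsupported key: {key}")
        self.key, self.limit, self.window = key, limit, window
        self.hits: dict = defaultdict(deque)

    def identify(self, req: Request) -> str:
        # Fall back to the source IP when the chosen identifier is absent; otherwise
        # every cookie-less or referer-less client would be counted as one visitor.
        return getattr(req, self.key) or req.ip

    def check(self, req: Request) -> str:
        q = self.hits[self.identify(req)]
        while q and req.ts - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        q.append(req.ts)
        return "block" if len(q) > self.limit else "allow"


def build_sample() -> list:
    """Constructed traffic: one client hammering /login, one normal client,
    and a third IP reusing the first client's session cookie."""
    reqs = [Request(float(t), "198.51.100.7", "/login", cookie="sid=abc") for t in range(12)]
    reqs += [Request(float(t), "203.0.113.5", "/login", cookie="sid=xyz") for t in (2, 4, 6)]
    reqs.append(Request(13.0, "203.0.113.9", "/login", cookie="sid=abc"))
    return sorted(reqs, key=lambda r: r.ts)


def run(key: str, limit: int, window: float) -> list:
    """Evaluate the sample traffic and return (ip, action) per request in arrival order."""
    limiter = RateLimiter(key, limit, window)
    return [(r.ip, limiter.check(r)) for r in build_sample()]


def blocked_count(key: str = "ip", limit: int = 10, window: float = 30.0) -> int:
    return sum(1 for _, action in run(key, limit, window) if action == "block")


if __name__ == "__main__":
    for key in ("ip", "cookie"):
        print(key, blocked_count(key), "blocked:", run(key, 10, 30.0))
```

Keying by cookie catches the third IP that reuses the first client's session, which an IP-only limit would miss; keying by IP is the safer default when many legitimate users share a NAT address only if the limit is set high enough for them. Shrinking the window (for example to 5 seconds) lets the same 12 requests through, which is why the window and the limit have to be tuned together against real traffic.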

  • Precise Protection: You can create custom protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses to give your website more precise protection.

    Operation: On the Policies page, click a policy name. On the displayed page, click the Precise Protection area, add a rule, and set the Protective Action to Block. For details, see Configuring a Precise Protection Rule.

  • Blacklist and Whitelist (block mode): You can block IP addresses and IP address ranges irrelevant to your services with ease.

    Operation: On the Policies page, click a policy name. On the displayed page, click the Blacklist and Whitelist area, add a rule, and set the Protective Action to Block. For more details, see Configuring an IP Blacklist or Whitelist Rule.
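The Precise Protection and Blacklist and Whitelist bullets above both describe rules that combine request fields with a protective action. The following is an added example, not WAF's own rule engine: a small evaluator in which each rule is a list of (field, operator, value) conditions that must all hold, checked in order, with an IP-range blacklist entry expressed as just another rule. The rule format, the field selectors (`header:`, `cookie:`, `param:`, `url`, `ip`), the operator names, the sample policy and the sample requests are all assumptions for this illustration.

```python
"""Minimal evaluator for precise-protection and IP blacklist rules (added illustration)."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Rule format (hypothetical, modelled on the match fields listed above):
# {"name": ..., "action": "block" | "allow", "conditions": [(field, op, value), ...]}
# A rule matches only when every condition holds; rules are checked in list order.

OPS = {
    "equals": lambda v, x: v == x,
    "contains": lambda v, x: x in v,
    "prefix": lambda v, x: v.startswith(x),
    "in_cidr": lambda v, x: ipaddress.ip_address(v) in ipaddress.ip_network(x, strict=False),
    "not_in_cidr": lambda v, x: ipaddress.ip_address(v) not in ipaddress.ip_network(x, strict=False),
}


def _cookies(header: str) -> dict:
    return dict(p.strip().split("=", 1) for p in header.split(";") if "=" in p)


def field_value(req: dict, field: str) -> str:
    """Resolve a selector such as "header:user-agent" or "param:next" to its value.
    Header names are compared case-insensitively; a missing field yields ""."""
    kind, _, name = field.partition(":")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if kind == "ip":
        return req["ip"]
    if kind == "url":
        return urlsplit(req["url"]).path
    if kind == "header":
        return headers.get(name.lower(), "")
    if kind == "cookie":
        return _cookies(headers.get("cookie", "")).get(name, "")
    if kind == "param":
        return parse_qs(urlsplit(req["url"]).query).get(name, [""])[0]
    raise ValueError(f"unknown field kind: {kind}")


def matches(rule: dict, req: dict) -> bool:
    return all(OPS[op](field_value(req, field), value) for field, op, value in rule["conditions"])


def decide(rules: list, req: dict) -> str:
    """First matching rule wins; the default is to pass the request to the origin."""
    for rule in rules:
        if matches(rule, req):
            return rule["action"]
    return "allow"


# Constructed policy: an IP blacklist entry followed by two precise-protection rules.
RULES = [
    {"name": "blacklist-scanner-range", "action": "block",
     "conditions": [("ip", "in_cidr", "192.0.2.0/24")]},
    {"name": "admin-from-office-only", "action": "block",
     "conditions": [("url", "prefix", "/admin"), ("ip", "not_in_cidr", "203.0.113.0/24")]},
    {"name": "login-without-user-agent", "action": "block",
     "conditions": [("url", "prefix", "/login"), ("header:user-agent", "equals", "")]},
]

# Constructed requests, each a dict of ip, url and headers.
REQUESTS = {
    "blacklisted": {"ip": "192.0.2.10", "url": "/index.html", "headers": {"User-Agent": "Mozilla/5.0"}},
    "admin-external": {"ip": "198.51.100.7", "url": "/admin/users", "headers": {"User-Agent": "Mozilla/5.0"}},
    "admin-office": {"ip": "203.0.113.4", "url": "/admin/users", "headers": {"User-Agent": "Mozilla/5.0"}},
    "login-no-ua": {"ip": "198.51.100.8", "url": "/login?next=/home", "headers": {"Cookie": "sid=abc; theme=dark"}},
    "login-normal": {"ip": "198.51.100.8", "url": "/login?next=/home", "headers": {"User-Agent": "Mozilla/5.0"}},
}


def evaluate_all() -> dict:
    return {name: decide(RULES, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, action in evaluate_all().items():
        print(f"{name:16} -> {action}")
```

Two points carry over to real rules: a missing header must compare as an empty string rather than raising, or a client can dodge a rule simply by omitting the header; and rule order matters, because the first match decides, so a broad allow rule placed above a narrow block rule silently disables it.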

  • Geolocation Access Control (block mode): You can configure geolocation access control rules to allow or block requests from IP addresses in specified countries or regions. If a region is the source of a large number of malicious requests, such a rule blocks every request from that region.

    Operation: On the Policies page, click a policy name. On the displayed page, click the Geolocation Access Control area, add a rule, and set the Protective Action to Block. For more details, see Configuring a Geolocation Access Control Rule.

My business is often harassed by crawlers or faces data leakage and tampering risks.

To meet your requirements, the following protection configurations are recommended:

  • Web Tamper Protection: WAF caches the pages you want to protect and returns the cached copies to visitors, so visitors always see the correct pages even if a page is tampered with.

    Operation: On the Policies page, click the policy name. On the displayed page, click the Web Tamper Protection area, add a rule, and complete related settings. For details, see Configuring a Web Tamper Protection Rule.

  • Information Leakage Prevention: Helps mask sensitive information, such as ID numbers, phone numbers, and email addresses, on web pages when those pages are returned to visitors.

    Operation: On the Policies page, click the policy name. On the displayed page, click the Information Leakage Prevention area, add a rule, and complete related settings. For details, see Configuring an Information Leakage Prevention Rule.
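To show what masking on the return path involves, the following is an added example, not WAF's own masking logic: three pattern-based maskers for ID numbers, phone numbers and e-mail addresses applied to a constructed response body, with binary content types passed through untouched. The regular expressions (18-digit PRC ID card numbers, 11-digit mainland China mobile numbers, a generic e-mail form), the masking shapes and the sample body are assumptions for this illustration.

```python
"""Masking sensitive values in response bodies (added illustration)."""
import re
from typing import Callable, Tuple

# Patterns are assumptions chosen for the illustration: 18-digit PRC ID card numbers,
# 11-digit mainland China mobile numbers and e-mail addresses. Real deployments tune these.
ID_RE = re.compile(r"\b\d{17}[\dXx]\b")
PHONE_RE = re.compile(r"\b1[3-9]\d{9}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def _mask_id(m: re.Match) -> str:
    s = m.group(0)
    return s[:6] + "*" * 8 + s[-4:]          # keep region prefix and last four characters


def _mask_phone(m: re.Match) -> str:
    s = m.group(0)
    return s[:3] + "****" + s[-4:]


def _mask_email(m: re.Match) -> str:
    local, domain = m.group(0).split("@", 1)
    return local[0] + "*" * (len(local) - 1) + "@" + domain


# Most specific pattern first so an ID number is not partially consumed by the phone rule.
MASKERS: Tuple[Tuple[re.Pattern, Callable], ...] = (
    (ID_RE, _mask_id), (PHONE_RE, _mask_phone), (EMAIL_RE, _mask_email))

TEXT_TYPES = ("text/", "application/json", "application/xml")


def mask_text(body: str) -> Tuple[str, int]:
    """Return the masked body and the number of values replaced."""
    total = 0
    for pattern, repl in MASKERS:
        body, n = pattern.subn(repl, body)
        total += n
    return body, total


def mask_response(headers: dict, body: str) -> Tuple[str, int]:
    """Apply masking only to textual responses; binary bodies pass through untouched."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if not ctype.startswith(TEXT_TYPES):
        return body, 0
    return mask_text(body)


# Constructed response body as an origin server might return it.
SAMPLE_BODY = "<p>ID 110101199003071234, tel 13812345678, mail alice@example.com</p>"

if __name__ == "__main__":
    print(mask_response({"Content-Type": "text/html; charset=utf-8"}, SAMPLE_BODY))
```

The word boundaries in the patterns stop a longer digit run such as an order number from being partially masked, and the content-type gate avoids corrupting images or downloads. Masking of this kind is a last line of defence on the response: it hides values that the application should not have emitted, but it does not fix the application that emitted them.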

  • Anti-Crawler Protection
    • Feature Library: You can allow access requests from legitimate crawlers (such as Googlebot and Baiduspider) but block crawler attacks from most scripts and automation programs.
    • JavaScript: If you enable this protection, WAF runs JavaScript checks on requests. You can also add custom rules to block JavaScript crawlers.

    Operation: On the Policies page, click the policy name. On the displayed page, click the Anti-Crawler area, add a rule, and complete related settings. For details, see Configuring Anti-Crawler Rules.
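The Feature Library bullet above distinguishes legitimate crawlers such as Googlebot and Baiduspider from scripts that merely claim to be one. The following is an added example of how a self-declared crawler can be verified, not WAF's own feature-library logic: a forward-confirmed reverse DNS check in which the User-Agent string only selects which vendor domains to test, and the source IP must reverse-resolve to a host under those domains that resolves forward to the same IP. The crawler-to-domain table, the `classify` function, and the in-memory DNS tables standing in for `socket.gethostbyaddr` and `socket.getaddrinfo` are assumptions for this illustration.

```python
"""Verifying a self-declared search-engine crawler (added illustration)."""
from typing import Callable, Dict, List

# Crawler name as it appears in the User-Agent, mapped to the DNS domains the vendor
# publishes for its crawler hosts (an assumption for this illustration).
KNOWN_CRAWLERS: Dict[str, tuple] = {
    "Googlebot": ("googlebot.com", "google.com"),
    "Baiduspider": ("baidu.com", "baidu.jp"),
}


def _under_domain(host: str, domains: tuple) -> bool:
    """True only for the domain itself or a subdomain; "googlebot.com.evil.example" fails."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(user_agent: str, ip: str,
             reverse_lookup: Callable[[str], str],
             forward_lookup: Callable[[str], List[str]]) -> str:
    """Return "verified-crawler", "spoofed-crawler" or "unknown-client".

    The User-Agent alone proves nothing: reverse DNS of the source IP must land under a
    vendor domain, and forward DNS of that host must contain the same IP."""
    claimed = next((name for name in KNOWN_CRAWLERS if name in user_agent), None)
    if claimed is None:
        return "unknown-client"          # left to the other anti-crawler checks
    host = reverse_lookup(ip)
    if not host or not _under_domain(host, KNOWN_CRAWLERS[claimed]):
        return "spoofed-crawler"
    if ip not in forward_lookup(host):
        return "spoofed-crawler"
    return "verified-crawler"


# Constructed DNS data standing in for real resolvers (socket.gethostbyaddr / getaddrinfo).
PTR = {"203.0.113.10": "crawl-203-0-113-10.googlebot.com."}
A = {"crawl-203-0-113-10.googlebot.com.": ["203.0.113.10"]}


def rdns(ip: str) -> str:
    return PTR.get(ip, "")


def fdns(host: str) -> List[str]:
    return A.get(host, [])


# Constructed requests: a genuine crawler, a client forging the crawler UA, and a plain script.
SAMPLES = [
    ("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "203.0.113.10"),
    ("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", "198.51.100.7"),
    ("python-requests/2.31.0", "198.51.100.7"),
]


def classify_samples() -> List[str]:
    return [classify(ua, ip, rdns, fdns) for ua, ip in SAMPLES]


if __name__ == "__main__":
    for (ua, ip), verdict in zip(SAMPLES, classify_samples()):
        print(f"{ip:14} {verdict:16} {ua[:40]}")
```

The forward step matters: an operator of an IP block controls its reverse records and can publish any PTR name, but cannot make the vendor's zone resolve that name back to their address. In a production policy the verified verdict maps to the allow list and the spoofed verdict to a block, while unknown clients fall through to the JavaScript checks and custom rules described above.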