- What's New
- Function Overview
-
Product Bulletin
- Java Spring Framework Remote Code Execution Vulnerability
- Apache Dubbo Deserialization Vulnerability
- DoS Vulnerability in the Open-Source Component Fastjson
- Remote Code Execution Vulnerability of Fastjson
- Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814)
- Service Overview
- Billing
- Getting Started
-
User Guide
- Creating a User Group and Granting Permissions
- Buying WAF
- Connecting a Website to WAF
- Viewing Protection Events
-
Configuring Protection Policies
- Protection Configuration Overview
- Configuring Basic Web Protection to Defend Against Common Web Attacks
- Configuring CC Attack Protection Rules to Defend Against CC Attacks
- Configuring Custom Precise Protection Rules
- Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses
- Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations
- Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With
- Configuring Anti-Crawler Rules
- Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage
- Configuring a Global Protection Whitelist Rule to Ignore False Alarms
- Configuring Data Masking Rules to Prevent Privacy Information Leakage
- Creating a Reference Table to Configure Protection Metrics in Batches
- Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration
- Condition Field Description
- Application Types WAF Can Protect
- Viewing the Dashboard Page
- Website Settings
- Policy Management
- Object Management
- System Management
- Permissions Management
- Monitoring and Auditing
-
Best Practices
- Website Access Configuration
- Website Protection Configuration Suggestions
-
Mitigating Web Security Vulnerabilities
- Java Spring Framework Remote Code Execution Vulnerability
- Apache Dubbo Deserialization Vulnerability
- DoS Vulnerability in the Open-Source Component Fastjson
- Remote Code Execution Vulnerability of Fastjson
- Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814)
- Defending Against Challenge Collapsar (CC) Attacks
- Using WAF to Block Crawler Attacks
- Verifying a Global Protection Whitelist Rule by Simulating Requests with Postman
- Combining WAF and HSS to Improve Web Page Tampering Protection
- Configuring Origin Server Security
- Obtaining the Real Client IP Addresses
-
API Reference
- Before You Start
- API Overview
- API Calling
-
APIs
-
Managing Websites Protected by Dedicated WAF Engines
- Querying the List of Domain Names Protected by Dedicated WAF Instances
- Adding a Domain Name to a Dedicated WAF Instance
- Modifying a Domain Name Protected by a Dedicated WAF Instance
- Querying Domain Name Settings in Dedicated Mode
- Deleting a Domain Name from a Dedicated WAF Instance
- Modifying the Protection Status of a Domain Name in Dedicated Mode
-
Rule Management
- Changing the Status of a Rule
- Querying CC Attack Protection Rules
- Creating a CC Attack Protection Rule
- Querying a CC Attack Protection Rule by ID
- Updating a CC Attack Protection Rule
- Deleting a CC Attack Protection Rule
- Querying the List of Precise Protection Rules
- Creating a precise protection rule
- Querying a Precise Protection Rule by ID
- Updating a precise protection rule
- Deleting a precise protection rule
- Creating a Global Protection Whitelist (Formerly False Alarm Masking) Rule
- Querying the List of Global Protection Whitelist (Formerly False Alarm Masking) Rules
- Updating a Global Protection Whitelist (Formerly False Alarm Masking) Rule
- Deleting a Global Protection Whitelist (Formerly False Alarm Masking) Rule
- Querying the Blacklist and Whitelist Rule List
- Creating a Blacklist/Whitelist Rule
- Querying a blacklist or whitelist rule
- Updating a Blacklist or Whitelist Protection Rule
- Querying Global Protection Whitelist (Formerly False Alarm Masking) Rules
- Deleting a Blacklist or Whitelist Rule
- Querying the JavaScript Anti-Crawler Rule List
- Updating a JavaScript Anti-Crawler Protection Rule
- Creating a JavaScript Anti-Crawler Rule
- Querying a JavaScript Anti-Crawler Rule
- Updating a JavaScript Anti-Crawler Rule
- Deleting a JavaScript Anti-Crawler Rule
- Querying the list of Data Masking Rules.
- Creating a Data Masking Rule
- Querying a Data Masking Rule
- Updating a Data Masking Rule
- Deleting a Data Masking Rule
- Querying the List of Known Attack Source Rules
- Creating a Known Attack Source Rule
- Querying a Known Attack Source Rule by ID
- Updating a Known Attack Source Rule
- Deleting a Known Attack Source Rule
- Querying the List of Geolocation Access Control Rules
- Creating a Geolocation Access Control Rule
- Querying a Geolocation Access Control Rule by ID.
- Updating a Geolocation Access Control Rule
- Deleting a Geolocation Access Control Rule
- Querying the List of Web Tamper Protection Rules
- Creating a Web Tamper Protection Rule
- Querying a Web Tamper Protection Rule
- Deleting a Web Tamper Protection Rule
- Updating the Cache for a Web Tamper Protection Rule
- Querying the List of Information Leakage Prevention Rules
- Creating an Information Leakage Prevention Rule
- Querying an Information Leakage Prevention Rule
- Updating an Information Leakage Prevention Rule
- Deleting an Information Leakage Prevention Rule
- Querying the Reference Table List
- Creating a Reference Table
- Querying a Reference Table
- Modifying a Reference Table
- Deleting a Reference Table
- Address Group Management
- Certificate Management
- Event Management
- Dashboard
- Dedicated Instance Management
- Log Reporting
- Managing Your Subscriptions
- System Management
- Alarm Management
-
Protected Website Management in Cloud Mode
- Querying the List of Domain Names Protected in Cloud Mode
- Adding a Domain Name to the Cloud WAF
- Querying Details About a Domain Name by Domain Name ID in Cloud Mode
- Updating Configurations of Domain Names Protected with Cloud WAF
- Deleting a Domain Name from the Cloud WAF
- Changing the Protection Status of a Domain Name
- Querying the Domain Name of a Tenant
- Policy management
-
Managing Websites Protected by Dedicated WAF Engines
- Appendix
- Change History
- SDK Reference
-
FAQs
-
About WAF
- WAF Basics
- Can WAF Protect an IP Address?
- What Objects Does WAF Protect?
- Does WAF Block Customized POST Requests?
- What Are the Differences Between the Web Tamper Protection Functions of WAF and HSS?
- Which Web Service Framework Protocols Does WAF Support?
- Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication?
- What Are the Differences Between WAF Forwarding and Nginx Forwarding?
- What Are the Differences Between WAF and CFW?
- Can I Configure Session Cookies in WAF?
- How Does WAF Detect SQL Injection, XSS, and PHP Injection Attacks?
- Can WAF Defend Against the Apache Struts2 Remote Code Execution Vulnerability (CVE-2021-31805)?
- Why Does the Vulnerability Scanning Tool Report Disabled Non-standard Ports for My WAF-Protected Website?
- What Are the Restrictions on Using WAF in Enterprise Projects?
- Will Traffic Be Permitted After WAF Is Switched to the Bypassed Mode?
- What Are Local File Inclusion and Remote File Inclusion?
- What Is the Difference Between QPS and the Number of Requests?
- Does WAF Support Custom Authorization Policies?
- Why Do Cookies Contain the HWWAFSESID or HWWAFSESTIME field?
- Can I Switch Between the WAF Cloud Mode and Dedicated Mode?
- What Are Regions and AZs?
- Can I Use WAF Across Regions?
-
About Purchase and Specifications Change
- What Are the Differences Between the Permissions of an Account and Those of IAM Users?
- Can I Share My WAF with Other Accounts?
- How Does WAF Calculate Domain Name Quota Usage?
- Can I Add More Protection Rules?
- What Can I Do If the Website Traffic Exceeds the WAF Service Request Limit?
- What Are the Impacts When QPS Exceeds the Allowed Peak Rate?
- Can I Change WAF Specifications During Renewal?
- Where and When Can I Buy a Domain, QPS, or Rule Expansion Package?
- How Do I Select Service QPS When Purchasing WAF?
- Is Service QPS Calculated Based on Incoming Traffic or Outgoing Traffic?
- Does WAF Have a Limit on the Protection Bandwidth or Shared Bandwidth?
- Where Can I View the Inbound and Outbound Bandwidths of a Protected Website?
-
Website Connect Issues
- How Do I Configure Domain Names to Be Protected When Adding Domain Names?
- Do I Have to Configure the Same Port as That of the Origin Server When Adding a Website to WAF?
- How Do I Whitelist Back-to-Source IP Addresses of Cloud WAF?
- What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers?
- Does WAF Support Wildcard Domain Names?
- How Does WAF Forward Access Requests When Both a Wildcard Domain Name and a Single Domain Name Are Connected to WAF?
- What Can I Do If the Message "Illegal server address" Is Displayed When I Add a Domain Name?
- Why Am I Seeing That My Domain Quota Is Insufficient When There Is Still Remaining Quota?
- Why Am I Seeing the "Someone else has already added this domain name. Please confirm that the domain name belongs to you" Error Message?
- Why Cannot I Select a Client Protocol When Adding a Domain Name?
- Can I Set the Origin Server Address to a CNAME Record If I Use Cloud WAF?
- How Do I Verify Domain Ownership Using Huawei Cloud DNS?
- What Are Impacts If No Subdomain Name and TXT Record Are Configured?
- Can I Access a Website Using an IP Address After a Domain Name Is Connected to WAF?
- How Can I Forward Requests Directly to the Origin Server Without Passing Through WAF?
-
Protection Rules
- Which Protection Levels Can Be Set for Basic Web Protection?
- What Is the Peak Rate of CC Attack Protection?
- When Is Cookie Used to Identify Users?
- What Are the Differences Between Rate Limit and Allowable Frequency in a CC Rule?
- Why Cannot the Verification Code Be Refreshed When Verification Code Is Configured in a CC Attack Protection Rule?
- Can I Batch Add IP Addresses to a Blacklist or Whitelist Rule?
- Can I Import or Export a Blacklist or Whitelist into or from WAF?
- Why Does a Requested Page Fail to Respond to the Client After the JavaScript-based Anti-Crawler Is Enabled?
- Is There Any Impact on Website Loading Speed If Other Crawler Check in Anti-Crawler Is Enabled?
- How Does JavaScript Anti-Crawler Detection Work?
- In Which Situations Will the WAF Policies Fail?
- How Do I Allow Requests from Only IP Addresses in a Specified Geographical Region?
- How Do I Allow Only Specified IP Addresses to Access Protected Websites?
- Which Protection Rules Are Included in the System-Generated Policy?
- Why Does the Page Fail to Be Refreshed After WTP Is Enabled?
- What Are the Differences Between Blacklist/Whitelist Rules and Precise Protection Rules on Blocking Access Requests from Specified IP Addresses?
- What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly?
- Certificate Management
-
Protection Event Logs
- Can I Obtain WAF Logs Using APIs?
- What Does "Mismatch" for "Protective Action" Mean in the Event List?
- How Does WAF Obtain the Real Client IP Address for a Request?
- How Long Can WAF Protection Logs Be Stored?
- Can I Query Protection Events of a Batch of Specified IP Addresses at Once?
- Will WAF Record Unblocked Events?
- Why Is the Traffic Statistics on WAF Inconsistent with That on the Origin Server?
- Why Is the Number of Logs on the Dashboard Page Inconsistent with That on the Configure Logs Tab?
- Why Is My Domain Name or IP Address Inaccessible?
- How Do I Fix an Incomplete Certificate Chain?
-
About WAF
-
Troubleshooting
- Troubleshooting Website Connection Exceptions
-
Troubleshooting Certificate and Cipher Suite Issues
- How Do I Fix an Incomplete Certificate Chain?
- Why Does My Certificate Not Match the Key?
- Why Are HTTPS Requests Denied on Some Mobile Phones?
- What Do I Do If the Protocol Is Not Supported and the Client and Server Do Not Support Common SSL Protocol Versions or Cipher Suites?
- Why Is the Bar Mitzvah Attack on SSL/TLS Detected?
- Troubleshooting Traffic Forwarding Exceptions
- Checking Whether Normal Requests Are Blocked Mistakenly
- Videos
Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With
You can set web tamper protection rules to protect specific website pages (such as the ones contain important content) from being tampered with. If a web page protected with such a rule is requested, WAF returns the origin page it has cached based on the rule so that visitors always receive the authenticate web pages.
If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.
How It Works
- Return directly the cached web page to the normal web visitor to accelerate request response.
- Return the cached original web pages to visitors if an attacker has tampered with the static web pages. This ensures that your website visitors always get the right web pages.
- Protect all resources in the web page path. For example, if a web tamper protection rule is configured for a static page pointed to www.example.com/index.html, WAF protects the web page pointed to /index.html and related resources associated with the web page.
So, if the URL in the Referer header field is the same as the configured anti-tamper path, for example, /index.html, all resources (resources ending with png, jpg, jpeg, gif, bmp, css or js) matching the request are also cached.
Prerequisites
You have added your website to a policy.
Constraints
- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
- Ensure that the origin server response contains the Content-Type response header, or WAF may fail to cache the origin server response.
Application Scenarios
- Quicker response to requests
After a web tamper protection rule is configured, WAF caches static web pages on the server. When receiving a request from a web visitor, WAF directly returns the cached web page to the web visitor.
- Web tamper protection
If an attacker modifies a static web page on the server, WAF still returns the cached original web page to visitors. Visitors never see the pages that were tampered with.
WAF randomly extracts requests from a visitor to compare the page they received with the page on the server. If WAF detects that the page has been tampered with, it notifies you by SMS or email, depending on what you configure. For more details, see Enabling Alarm Notifications.
Configuring a Web Tamper Protection Rule
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project.
- Click
in the upper left corner of the page and choose Security > Web Application Firewall.
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- Click the Web Tamper Protection configuration area and toggle it on or off if needed.
: enabled.
: disabled.
- In the upper left corner above the Web Tamper Protection rule list, click Add Rule.
- In the displayed dialog box, specify the parameters by referring to Table 1.
Figure 1 Adding a web tamper protection rule
Table 1 Rule parameters Parameter
Description
Example Value
Domain Name
Domain name of the website to be protected
www.example.com
Path
A part of the URL, not including the domain name
A URL is used to define the address of a web page. The basic URL format is as follows:
Protocol name://Domain name or IP address[:Port]/[Path/.../File name].
For example, if the URL is http://www.example.com/admin, set Path to /admin.
NOTE:
- The path does not support regular expressions.
- The path cannot contain two or more consecutive slashes. For example, ///admin. If you enter ///admin, WAF converts /// to /.
/admin
Rule Description
A brief description of the rule. This parameter is optional.
None
- Click Confirm. You can view the rule in the list of web tamper protection rules.
Related Operations
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To update cache of a protected web page, click Update Cache in the row containing the corresponding web tamper protection rule. If the rule fails to be updated, WAF will return the recently cached page but not the latest page.
- To delete a rule, click Delete in the row containing the rule.
Configuration Example - Static Web Page Tamper Prevention
To verify WAF is protecting a static page /admin on your website www.example.com from being tampered with:
- Add a web tamper prevention rule to WAF.
Figure 2 Adding a web tamper protection rule
- Enable WTP.
Figure 3 Web Tamper Protection configuration area
- Simulate the attack to tamper with the http://www.example.com/admin web page.
- Use a browser to access http://www.example.com/admin. WAF will cache the page.
- Access http://www.example.com/admin again.
The intact page is returned.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.