Updated on 2024-04-16 GMT+08:00

WTP Overview

Web Tamper Protection (WTP) detects and prevents tampering with files in specified directories, including web pages, documents, and images, and quickly restores them from valid backup files.

Constraints

Ensure that the WTP edition has been enabled for the server. For details about how to purchase HSS and enable the WTP edition, see Purchasing HSS Quota and Enabling Web Tamper Protection.

How WTP Prevents Web Page Tampering

WTP supports static and dynamic web page protection. Table 1, How WTP works, shows the protection mechanisms.

Table 1 How WTP works

Protection Type

Mechanism

Static web page protection

  1. Local directory lock

    WTP locks the files in a web file directory on a drive so that attackers cannot modify them. Website administrators can still update the website content by using privileged processes.

  2. Active backup and restoration

    If WTP detects that a file in a protected directory has been tampered with, it immediately restores the file from the backup file on the local host.

  3. Remote backup and restoration

    If the file and backup directory on the local server become invalid, you can manually obtain the backup file from the remote backup server to restore the tampered websites.

Dynamic web page protection

Provides runtime application self-protection (RASP) for Tomcat applications in the following ways:

  1. Malicious behavior filtering based on RASP

    The Huawei-unique RASP monitors application behavior, preventing attackers from tampering with web pages through applications.

  2. Network disk file access control

    WTP implements fine-grained management to control permissions for adding, modifying, and querying file content in network disks, preventing tampering without affecting website content release.
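The following added example is a conceptual sketch of the "active backup and restoration" mechanism in Table 1. It is not HSS code and does not describe how HSS detects tampering. It assumes detection by comparing SHA-256 hashes against the local backup copy, and it goes slightly beyond the table by also treating deleted files and files with no backup counterpart as tamper events. The function names and sample paths are hypothetical.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def files_under(root: Path) -> dict:
    """Map each regular file's path relative to root to its full path."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def check_and_restore(protected: Path, backup: Path) -> list:
    """Restore protected from backup; return sorted (path, event) pairs."""
    good, live = files_under(backup), files_under(protected)
    events = []
    for rel, src in good.items():
        dst = protected / rel
        if rel not in live:
            events.append((rel, "deleted"))
        elif sha256(dst) != sha256(src):
            events.append((rel, "modified"))
        else:
            continue  # file matches its backup copy
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # put the known-good copy back
    for rel in live.keys() - good.keys():
        live[rel].unlink()  # no backup counterpart: not published content
        events.append((rel, "added"))
    return sorted(events)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample site
        site, bak = Path(tmp, "www"), Path(tmp, "backup")
        site.mkdir()
        (site / "index.html").write_text("<h1>Welcome</h1>")
        shutil.copytree(site, bak)  # take the local backup
        (site / "index.html").write_text("<h1>defaced</h1>")
        (site / "extra.php").write_text("unexpected")
        print(check_and_restore(site, bak))
```

The sketch also shows why Table 1 lists remote backup separately: restoration is only as trustworthy as the backup directory it reads from.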

Process of Using WTP

Figure 1 Usage process
Table 2 Process of using WTP

| Operation | Description |
|---|---|
| Enabling Static Web Tamper Protection | After the WTP edition is enabled, static WTP and other protection functions are enabled automatically. For details about the functions supported by the WTP edition, see Editions and Features. |
| Adding a Protected Directory | Static WTP protects specified directories. You need to configure static WTP directories. |
| Configuring Remote Backup | By default, HSS backs up files in the protected directories to the local backup paths you specified when adding protected directories. To prevent the local backup from being damaged by attackers, you can configure remote backup to protect web page backup data. |
| Adding a Privileged Process | After static WTP is enabled, the content in the protected directory is read-only and cannot be modified. To modify a protected file, you can add a privileged process. |
| Enabling/Disabling Scheduled Static WTP | Not all OS kernel versions support privileged processes, and each server can have up to 10 privileged processes. For OSs that do not support privileged processes, you can set scheduled static WTP and update websites during the periods when WTP is automatically disabled. |
| Enabling Dynamic WTP | HSS provides runtime application self-protection (RASP) for Tomcat applications. You can enable dynamic WTP for Tomcat applications as required. |
| Viewing WTP Events | Tamper events that occur during static web tamper protection are recorded and displayed in the event list. |