Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With
You can set web tamper protection rules to protect specific website pages (such as the ones containing important content) from being tampered with. If a web page protected by such a rule is requested, WAF returns the original page it has cached according to the rule, so that visitors always receive the authentic web page.
How It Works
- Return the cached web page directly to normal web visitors to speed up the response.
- Return the cached original web page to visitors if an attacker has tampered with the static web page on the server. This ensures that your website visitors always get the right web page.
- Protect all resources in the web page path. For example, if a web tamper protection rule is configured for the static page www.example.com/index.html, WAF protects the web page at /index.html and the resources associated with it.
So, if the path in the Referer header field of a request is the same as the configured anti-tamper path, for example /index.html, all resources matching the request (those ending with png, jpg, jpeg, gif, bmp, css or js) are also cached.
- WAF can cache user-defined header fields. In the upper part of the page, click Modify Field to configure the header fields you want WAF to cache.
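To make the matching and caching behaviour described above concrete (together with the path constraints listed in Table 1 further down and the Content-Type constraint), here is an added Python model of the rule logic. It is not Huawei Cloud WAF code: the function names, the hash-based model of the sampled page comparison and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Extensions the page lists as cached alongside a protected page when the
# request's Referer path equals the protected path.
STATIC_EXTS = ("png", "jpg", "jpeg", "gif", "bmp", "css", "js")


def normalize_path(path: str) -> str:
    """Apply the Table 1 path constraints: the path must not carry the
    domain name, and runs of consecutive slashes collapse to one (///admin -> /admin).
    Regular expressions are not supported, so the path is compared literally."""
    if "://" in path or path.startswith("www."):
        raise ValueError("path must not include the domain name")
    return re.sub(r"/{2,}", "/", path)


def served_from_cache(rule_path: str, req_path: str, referer: Optional[str]) -> bool:
    """True when a request is answered from the tamper-protection cache: either it is
    the protected page itself, or a static resource loaded from that page (Referer match)."""
    rule = normalize_path(rule_path)
    if normalize_path(req_path) == rule:
        return True
    name = req_path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in STATIC_EXTS and referer:
        return normalize_path(urlsplit(referer).path) == rule
    return False


def cacheable(response_headers: Dict[str, str]) -> bool:
    """Constraints section: WAF may fail to cache an origin response without Content-Type."""
    return any(k.lower() == "content-type" for k in response_headers)


def tampered(cached_body: bytes, origin_body: bytes) -> bool:
    """Model (assumption) of the sampled check: the page WAF serves from cache is compared
    with the page currently on the origin; a mismatch is what raises the SMS/email alarm."""
    return hashlib.sha256(cached_body).digest() != hashlib.sha256(origin_body).digest()


if __name__ == "__main__":
    # Constructed sample: a protected /index.html and a logo loaded from it.
    print(served_from_cache("/index.html", "/static/logo.png", "http://www.example.com/index.html"))
    print(tampered(b"<html>original</html>", b"<html>defaced</html>"))
```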
Application Scenarios
- Quicker response to requests
After a web tamper protection rule is configured, WAF caches the static web page from the server. When it receives a request from a web visitor, WAF returns the cached web page to the visitor directly.
- Web tamper protection
If an attacker modifies a static web page on the server, WAF still returns the cached original web page to visitors. Visitors never see the tampered pages.
WAF randomly samples visitor requests and compares the page the visitor received with the page on the server. If WAF detects that the page has been tampered with, it notifies you by SMS or email, depending on what you configure. For details, see Enabling Alarm Notifications.
Prerequisites
You have added the website you want to protect to WAF or added a new protection policy.
- For cloud CNAME access mode, see Connecting Your Website to WAF with Cloud Mode - CNAME Access.
- For dedicated access mode, see Connecting Your Website to WAF with Dedicated Mode.
Constraints
- The cloud load balancer access mode does not support this type of protection rule.
- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
- Ensure that the origin server response contains the Content-Type response header, or WAF may fail to cache the origin server response.
Configuring a Web Tamper Protection Rule
- Log in to the WAF console.
- Click the icon in the upper left corner and select a region or project.
- (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
- In the navigation pane on the left, click Policies.
- Click the name of the target policy to go to the protection rule configuration page.
Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.
- Click the Web Tamper Protection configuration area and ensure that web tamper protection is enabled (the toggle shows enabled).
- In the upper left corner above the Web Tamper Protection rule list, click Add Rule.
- In the displayed dialog box, specify the parameters by referring to Table 1.
Figure 1 Adding a web tamper protection rule
Table 1 Parameter description

Parameter: Domain Name
Description: Domain name of the website to be protected.
Example Value: www.example.com

Parameter: Path
Description: Path of the URL for which you want to enable web tamper protection.
A URL is the address of a web page. The basic format of a URL is Protocol-name://Domain-name or IP-address[:Port]/[Path-name/.../Filename]. For example, if the URL is http://www.example.com/admin, set Path to /admin.
Note that:
- Do not include the domain name in the path.
- Regular expressions are not supported.
- The path cannot contain two or more consecutive slashes. For example, if you enter ///admin, WAF will convert /// to /.
Example Value: /admin

Parameter: Rule Description (Optional)
Description: A brief description of the rule.
Example Value: None
- Click OK. You can view the rule in the list of web tamper protection rules.
After completing the preceding configurations, you can:
- Update the cache: To update the cache of a protected web page, click Update Cache in the row containing the corresponding web tamper protection rule. If the update fails, WAF returns the most recently cached page rather than the latest page.
- Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
- Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
- Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.
- Verify the protection effect:
- Access the http://www.example.com/admin page. The initial page is displayed.
- Simulate the attack to tamper with the http://www.example.com/admin web page.
- Access the http://www.example.com/admin page in the browser. The initial page that is not tampered with is displayed.
- On the Events page, check the protection logs.
Configuration Example: Static Web Page Tamper Prevention
To verify that WAF is protecting a static page /admin on your website www.example.com from being tampered with, take the following steps:
- Click the Web Tamper Protection configuration area and ensure that web tamper protection is enabled (the toggle shows enabled).
- Add a web tamper prevention rule to WAF.
Figure 2 Adding a web tamper protection rule
- Simulate the attack to tamper with the http://www.example.com/admin web page.
- Use a browser to access http://www.example.com/admin. WAF will cache the page.
- Access the page again.
The intact page is returned.