Configuring Data Masking Rules to Prevent Privacy Information Leakage

This topic describes how to configure data masking rules. You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs.

Prerequisites

You have connected a website to WAF.
You have created a policy and added the domain name to it. For details, see Creating a Protection Policy and Adding a Domain Name to a Policy.
If you use a dedicated WAF instance, make sure it has been upgraded to the latest version. For details, see Managing Dedicated WAF Engines.

Constraints

It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Impact on the System

Sensitive data in the events will be masked to protect your website visitor's privacy.

Configuring a Data Masking Rule

Log in to the WAF console.
Click in the upper left corner and select a region or project.
(Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
In the navigation pane on the left, click Policies.
Click the name of the target policy to go to the protection rule configuration page.

Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.
Locate the Data Masking configuration area and toggle this protection on.

: enabled.
In the upper left corner above the Data Masking rule list, click Add Rule.

In the displayed dialog box, specify the parameters described in Table 1.

Figure 1 Adding a data masking rule
Click to enlarge

**Table 1** Rule parameters
Parameter	Description	Example Value
Path	Enter the complete URL to be masked. Do not include the domain name in the path. For example, if the URL to be protected is http://www.example.com/admin, set Path to /admin. The path supports prefix match and exact match. Prefix match: Only the prefix of the path to be entered must match that of the path to be protected. If the path to be protected is /admin, set Path to /admin. Exact match: The entered path must be the same as the path to be protected. If the path to be protected is /admin, set Path to /admin. Regular expressions are not supported. The path cannot contain two or more consecutive slashes. If you enter ///admin, WAF will convert /// to /.	/admin
Masked Field	A field set to be masked Params: A request parameter Cookie: A small piece of data to identify web visitors Header: A user-defined HTTP header Form: A form parameter	Params
Field Name	Set the parameter based on Masked Field. The masked field will not be displayed in logs. For example, if Masked Field is set to Params, set Field Name based on site requirements, for example, set it to id. Then, the content matching id will be masked.	id
Rule Description	A brief description of the rule. This parameter is optional.	None

Click OK. The added data masking rule is displayed in the list of data masking rules.

After completing the preceding configurations, you can:
- Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
- Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
- Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.
- Verify the protection effect:
  1. Clear the browser cache and access the http://www.example.com/admin page. If the configured jsessionid cookie field is masked in the /admin directory, the rule takes effect.
  2. On the Events page, check the protection logs.

Configuration Example: Masking the Cookie Field

You can take the following steps to verify that WAF is protecting your website domain name (www.example.com).

The cookie field jsessionid is masked.

Add a data masking rule.

Figure 2 Select Cookie for Masked Field and enter jsessionid in Field Name.
Enable data masking.

Figure 3 Data Masking configuration area
In the navigation pane on the left, choose Events.
In the row containing the event hit the rule, click Details in the Operation column and view the event details.

Data in the jsessionid cookie field is masked.

Figure 4 Viewing events - privacy data masking