Help Center/ Web Application Firewall/ User Guide/ Configuring Protection Policies/ Configuring Protection Rules/ Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage
Updated on 2025-08-19 GMT+08:00

Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage

You can add two types of information leakage prevention rules.

  • Sensitive information filtering: prevents disclosure of sensitive information, such as ID numbers, phone numbers 11-digit phone numbers registered in China, and email addresses.
  • Response code interception: blocks the specified HTTP status codes.

Prerequisites

You have added the website you want to protect to WAF or added a new protection policy.

Constraints

  • This function is not supported by the cloud standard edition, or the cloud load balancer access mode.
  • This function is not supported by the professional edition.
  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Configuring an Information Leakage Prevention Rule

  1. Log in to the WAF console.
  2. Click in the upper left corner and select a region or project.
  3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
  4. In the navigation pane on the left, click Policies.
  5. Click the name of the target policy to go to the protection rule configuration page.

    Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.

  6. Locate the Information Leakage Prevention configuration area and toggle on this protection.

    : enabled.

  7. In the upper left corner above the Information Leakage Prevention rule list, click Add Rule.
  8. In the dialog box displayed, add an information leakage prevention rule by referring to Table 1. Figure 1 and Figure 2 show the examples.

    Information leakage prevention rules prevent sensitive information (such as ID numbers, phone numbers, and email addresses) from being disclosed. This type of rule can also block specified HTTP status codes.

    Sensitive information filtering: Configure rules to mask sensitive information, such as phone numbers and ID numbers, from web pages. For example, you can set the following protection rules to mask sensitive information, such as ID numbers, phone numbers, and email addresses:
    Figure 1 Sensitive information leakage
    Response code interception: An error page of a specific HTTP response code may contain sensitive information. You can configure rules to block such error pages to prevent such information from being leaked out. For example, you can set the following rule to block error pages of specified HTTP response codes 404, 502, and 503.
    Figure 2 Response code interception
    Table 1 Parameter description

    Parameter

    Description

    Example Value

    Path

    Enter the path where information to be protected is stored.

    • Do not include the domain name in the path. For example, if the URL to be protected is http://www.example.com/admin, set Path to /admin.
    • The path supports prefix match and exact match.
      • Prefix match: Only the prefix of the path to be entered must match that of the path to be protected.

        If the path to be protected is /admin, set Path to /admin.

      • Exact match: The entered path must be the same as the path to be protected.

        If the path to be protected is /admin, set Path to /admin.

    • Regular expressions are not supported.
    • The path cannot contain two or more consecutive slashes. If you enter ///admin, WAF will convert /// to /.

    /admin*

    Type

    Select the information type to be protected. You can select Sensitive information filtering or Response code interception.

    • Sensitive information filtering: Sensitive information such as ID card numbers, phone numbers, and email addresses will be masked.
    • Response code interception: Response pages with specified HTTP status codes will be blocked. Response codes 400, 401, 402, 403, 404, 405, 500, 501, 502, 503, 504, and 507 are supported.

    Sensitive information filtering

    Content

    Protection content. Multiple options can be selected.

    • If you select Sensitive information filtering for Type, you can select Identification card, Phone number, and Email address for this parameter.
    • If you select Response code interception for Type, you can select 400, 401, 402, 403, 404, 405, 500, 501, 502, 503, 504, and 507 for this parameter.

    Identification card

    Protective Action

    Protective action for the rule when a request matches the rule.

    • Filter: Sensitive information will be masked with asterisks (*), or pages with specified HTTP status codes will be blocked.
    • Log only: Requests that hit the rule will be logged but not be blocked.

    Filter

    Rule Description

    Description of the rule.

    None

  9. Click OK. The added information leakage prevention rule is displayed in the list of information leakage prevention rules.

    After completing the preceding configurations, you can:

    • Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
    • Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
    • Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.
    • Verify the protection effect:
      1. Clear the browser cache and access the http://www.example.com/admin page. If the sensitive information on the page is masked, the rule takes effect.
      2. On the Events page, check the protection logs.

Configuration Example: Masking Sensitive Information

You can take the following steps to verify that WAF is protecting your website domain name (www.example.com) based on the information leakage prevention rule you configure.

  1. Add an information leakage prevention rule.

    Figure 3 Sensitive information leakage

  2. Enable information leakage prevention.

    Figure 4 Information Leakage Prevention configuration area

  3. Clear the browser cache and access http://www.example.com/admin/.

    The email address, phone number, and identity number on the returned page are masked.

    Figure 5 Sensitive information masked