Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage

You can add two types of information leakage prevention rules.

Sensitive information filtering: prevents disclosure of sensitive information, such as ID numbers, phone numbers 11-digit phone numbers registered in China, and email addresses.
Response code interception: blocks the specified HTTP status codes.

Prerequisites

You have added the website you want to protect to WAF or added a new protection policy.

For cloud CNAME access mode, see Connecting Your Website to WAF (Cloud Mode - CNAME Access).
For dedicated access mode, see Connecting Your Website to WAF (Dedicated Mode).

Constraints

This function is not supported by the cloud standard edition, or the cloud load balancer access mode.
This function is not supported by the professional edition.
It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Configuring an Information Leakage Prevention Rule

Log in to the management console.
Click in the upper left corner and select a region or project.
Click in the upper left corner of the page and choose Web Application Firewall under Security & Compliance.
(Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
In the navigation pane on the left, click Policies.
Click the name of the target policy to go to the protection configuration page.
Click the Information Leakage Prevention configuration area and toggle it on or off if needed.
- : enabled.
- : disabled.
In the upper left corner above the Information Leakage Prevention rule list, click Add Rule.

In the dialog box displayed, add an information leakage prevention rule by referring to Table 1. Figure 1 and Figure 2 show the examples.

Information leakage prevention rules prevent sensitive information (such as ID numbers, phone numbers, and email addresses) from being disclosed. This type of rule can also block specified HTTP status codes.

Sensitive information filtering: Configure rules to mask sensitive information, such as phone numbers and ID numbers, from web pages. For example, you can set the following protection rules to mask sensitive information, such as ID numbers, phone numbers, and email addresses:

Figure 1 Sensitive information leakage

Response code interception: An error page of a specific HTTP response code may contain sensitive information. You can configure rules to block such error pages to prevent such information from being leaked out. For example, you can set the following rule to block error pages of specified HTTP response codes 404, 502, and 503.

Figure 2 Response code interception

**Table 1** Parameter description
Parameter	Description	Example Value
Path	A part of the URL that does not include the domain name. The URL can contain sensitive information (such as ID numbers, phone numbers, and email addresses) or a blocked error code. Prefix match: Only the prefix of the path to be entered must match that of the path to be protected. If the path to be protected is /admin, set Path to /admin. Exact match: The path to be entered must match the path to be protected. If the path to be protected is /admin, set Path* to /admin. NOTE: The path supports prefix and exact matches only. Regular expressions are not supported. The path cannot contain two or more consecutive slashes. For example, ///admin. If you enter ///admin, the WAF engine converts /// to /.	/admin*
Type	Sensitive information filtering Response code interception: Enable WAF to block the specified HTTP response code page.	Sensitive information filtering
Content	Information to be protected. Options are Identification card, Phone number, and Email.	Identification card
Protective Action	Action the rule takes. You can select Filter or Log only.	Filter
Rule Description	A brief description of the rule. This parameter is optional.	None

Click OK. The added information leakage prevention rule is displayed in the list of information leakage prevention rules.
- After the configuration is complete, you can view the added rule in the protection rule list. Rule Status is Enabled by default.
- If you do not want the rule to take effect, click Disable in the Operation column of the rule.
- To delete or modify a rule, click Delete or Modify in the Operation column of the rule.

Protection Verification

To verify that WAF is protecting your domain name (www.example.com) according to the protection rule configured by referring to example values in Table 1, take the following steps:

Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
- If the website is inaccessible, connect the website domain name to WAF by following the instructions in Website Settings.
- If the website is accessible, go to 2.
Clear the browser cache and access the http://www.example.com/admin page. If the sensitive information on the page is masked, the rule takes effect.
Return to the WAF console. In the navigation pane on the left, click Events. On the displayed page, check event logs.

Configuration Example: Masking Sensitive Information

You can take the following steps to verify that WAF is protecting your website domain name (www.example.com) based on the information leakage prevention rule you configure.

Add an information leakage prevention rule.

Figure 3 Sensitive information leakage
Enable information leakage prevention.

Figure 4 Information Leakage Prevention configuration area
Clear the browser cache and access http://www.example.com/admin/.

The email address, phone number, and identity number on the returned page are masked.

Figure 5 Sensitive information masked