Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage

Prerequisites

You have added the website you want to protect to WAF or added a new protection policy.

• For cloud CNAME access mode, see Connecting Your Website to WAF with Cloud Mode - CNAME Access.
• For dedicated access mode, see Connecting Your Website to WAF with Dedicated Mode.

Constraints

• This function is not supported by the cloud standard edition, or the cloud load balancer access mode.
• This function is not supported by the professional edition.
• It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Configuring an Information Leakage Prevention Rule

1. Log in to the WAF console.
2. Click in the upper left corner and select a region or project.
3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
4. In the navigation pane on the left, click Policies.
5. Click the name of the target policy to go to the protection rule configuration page.

   Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.

6. Locate the Information Leakage Prevention configuration area and toggle on this protection.

   : enabled.

7. In the upper left corner above the Information Leakage Prevention rule list, click Add Rule.
8. In the dialog box displayed, add an information leakage prevention rule by referring to Table 1. Figure 1 and Figure 2 show the examples.

   Information leakage prevention rules prevent sensitive information (such as ID numbers, phone numbers, and email addresses) from being disclosed. This type of rule can also block specified HTTP status codes.

   Sensitive information filtering: Configure rules to mask sensitive information, such as phone numbers and ID numbers, from web pages. For example, you can set the following protection rules to mask sensitive information, such as ID numbers, phone numbers, and email addresses:

   Figure 1 Sensitive information leakage
   
   Response code interception: An error page of a specific HTTP response code may contain sensitive information. You can configure rules to block such error pages to prevent such information from being leaked out. For example, you can set the following rule to block error pages of specified HTTP response codes 404, 502, and 503.

   Figure 2 Response code interception
   

   Table 1 Parameter description

   Parameter	Description	Example Value
   Path	Enter the path where information to be protected is stored. Do not include the domain name in the path. For example, if the URL to be protected is http://www.example.com/admin, set Path to /admin. The path supports prefix match and exact match. Prefix match: Only the prefix of the path to be entered must match that of the path to be protected. If the path to be protected is /admin, set Path to /admin. Exact match: The entered path must be the same as the path to be protected. If the path to be protected is /admin, set Path to /admin. Regular expressions are not supported. The path cannot contain two or more consecutive slashes. If you enter ///admin, WAF will convert /// to /.	/admin*
   Type	Select the information type to be protected. You can select Sensitive information filtering or Response code interception. Sensitive information filtering: Sensitive information such as ID card numbers, phone numbers, and email addresses will be masked. Response code interception: Response pages with specified HTTP status codes will be blocked. Response codes 400, 401, 402, 403, 404, 405, 500, 501, 502, 503, 504, and 507 are supported.	Sensitive information filtering
   Content	Protection content. Multiple options can be selected. If you select Sensitive information filtering for Type, you can select Identification card, Phone number, and Email address for this parameter. If you select Response code interception for Type, you can select 400, 401, 402, 403, 404, 405, 500, 501, 502, 503, 504, and 507 for this parameter.	Identification card
   Protective Action	Protective action for the rule when a request matches the rule. Filter: Sensitive information will be masked with asterisks (*), or pages with specified HTTP status codes will be blocked. Log only: Requests that hit the rule will be logged but not be blocked.	Filter
   Rule Description	Description of the rule.	None

9. Click OK. The added information leakage prevention rule is displayed in the list of information leakage prevention rules.

   After completing the preceding configurations, you can:

   • Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
   • Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
   • Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.
   • Verify the protection effect:
     1. Clear the browser cache and access the http://www.example.com/admin page. If the sensitive information on the page is masked, the rule takes effect.
     2. On the Events page, check the protection logs.

Configuration Example: Masking Sensitive Information

You can take the following steps to verify that WAF is protecting your website domain name (www.example.com) based on the information leakage prevention rule you configure.

1. Add an information leakage prevention rule.
   Figure 3 Sensitive information leakage
   

2. Enable information leakage prevention.
   Figure 4 Information Leakage Prevention configuration area
   

3. Clear the browser cache and access http://www.example.com/admin/.

   The email address, phone number, and identity number on the returned page are masked.

   Figure 5 Sensitive information masked