Updated on 2024-04-10 GMT+08:00

Configuring Basic Web Protection

This topic describes best practices in basic web protection.

Application Scenarios

Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).

Protection Policy

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. Click the icon in the upper left corner and choose Web Application Firewall under Security & Compliance.
  4. In the navigation pane on the left, choose Website Settings.
  5. In the Policy column of the row containing the domain name, click the number to go to the Policies page.
  6. In the Basic Web Protection configuration area, change its status if needed.

    Figure 1 Basic Web Protection configuration area

    By default, Basic Web Protection is enabled and its mode is Log only.

    • Protection status
      • : Basic Web Protection is enabled.
      • : Basic Web Protection is disabled.
    • Protection mode: block or log only
      • Block: WAF blocks and logs the detected attacks.
      • Log only: WAF only logs the detected attacks.

  7. Go to the Basic Web Protection page.

    Figure 2 Basic web protection
    • Protection Level: high, medium, and low. The default level is Low.
      Table 1 Protection levels

      Protection Level: Low
        WAF only blocks the requests with obvious attack signatures.
        If a large number of false alarms are reported, Low is recommended.

      Protection Level: Medium
        The default level is Medium, which meets a majority of web protection requirements.

      Protection Level: High
        WAF blocks the requests that have no attack signature but have specific attack patterns.
        High is recommended if you want to block SQL injection, XSS, and command injection attacks.

    • Specify the protection type.

      By default, General Check is enabled in WAF. You can enable other protection types to meet your business needs.

Usage Instructions

  • If you are not familiar with your website's traffic pattern, select the Log only mode for one to two weeks and analyze the logs for those days.
    • If no record of blocking legitimate requests is found, switch to the Block mode.
    • If legitimate requests are blocked, adjust the protection level or configure global protection whitelist rules to prevent legitimate requests from being blocked.
  • Note the following points in your operations:
    • Do not transmit raw SQL statements or JavaScript code in legitimate HTTP requests.
    • Do not use special keywords (such as UPDATE and SET) in a legitimate URL. For example, avoid URLs such as https://www.example.com/abc/update/mod.php?set=1.
    • To upload files that exceed 50 MB, use Object Storage Service (OBS) or another secure method rather than a web browser.
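
The points above can be checked against an application's own traffic before switching to Block mode. The following Python script is an added example, not part of the original page or of the WAF product: it scans legitimate requests for URLs that contain special keywords as whole words and for uploads over 50 MB. The log layout, the sample lines, and every keyword other than UPDATE and SET are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# UPDATE and SET come from the guidance above; the other keywords are assumed.
KEYWORDS = {"update", "set", "select", "insert", "delete", "union", "drop"}
MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # the 50 MB upload guidance

# Assumed log layout (not a WAF format): METHOD URL STATUS REQUEST_BYTES
LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<size>\d+)$")

def url_tokens(url):
    """Split the path and the query names/values into lowercase word tokens."""
    parts = urlsplit(url)
    pieces = [unquote(parts.path)]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pieces += [name, value]
    return {t.lower() for p in pieces for t in re.split(r"[^A-Za-z]+", p) if t}

def audit(lines):
    """Return (keyword_hits, oversized_uploads) found in legitimate traffic."""
    keyword_hits = Counter()
    oversized = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        found = sorted(url_tokens(m["url"]) & KEYWORDS)
        if found:
            keyword_hits[(m["url"], tuple(found))] += 1
        if m["method"] in ("POST", "PUT") and int(m["size"]) > MAX_UPLOAD_BYTES:
            oversized.append((m["url"], int(m["size"])))
    return keyword_hits, oversized

# Constructed sample lines, not real traffic.
SAMPLE = [
    "GET https://www.example.com/abc/update/mod.php?set=1 200 0",
    "GET https://www.example.com/abc/update/mod.php?set=1 200 0",
    "GET https://www.example.com/settings/profile?id=7 200 0",
    "POST https://www.example.com/upload 200 73400320",
    "POST https://www.example.com/upload 200 1048576",
]

if __name__ == "__main__":
    hits, big = audit(SAMPLE)
    for (url, words), count in hits.most_common():
        print(f"{count}x {url} keywords={','.join(words)}")
    for url, size in big:
        print(f"upload over 50 MB: {url} ({size} bytes)")
```

URLs reported here are candidates for renaming or for a global protection whitelist rule; matching is on whole words, so a path such as /settings is not reported for SET.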

Protection Effect

To check whether basic web protection takes effect, enter a test domain name in the address bar of your browser and simulate an SQL injection attack. If WAF blocks the attack, the configuration works. You can view attack event logs on the Dashboard page. Figure 4 shows an example.

Figure 3 Blocking SQL attacks
Figure 4 Security Event Statistics

You can also view protection logs for yesterday, today, the past 3 days, the past 7 days, the past 30 days, or a user-defined time range on the Events page. Alternatively, you can go to the event list, locate the row containing the specific event, and click Details in the Operation column.