Updated on 2025-07-04 GMT+08:00

Custom Protected Objects

If you enable bot protection, WAF protects all URLs of the protected domain name by default. You can specify protected objects for bot protection rules if you want WAF to protect specific service scenarios, such as login and registration.

The following table lists the conditions that can be used to specify protected objects for bot protection rules.

Table 1 Condition list

Columns: Field, Field Description, Subfield, Logic, Content

Path

  Field Description: The path of a resource requested by the client. A path is part of a URL.

  Subfield: --

  Logic: The following logical relationships are supported: Include, Exclude, Equal to, Not equal to, Prefix is, Prefix is not, Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, and Prefix is not any value.

    NOTE: If the logical relationship is Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, or Prefix is not any value, you can select an existing reference table for Content. For details about how to add and manage a reference table, see Creating a Reference Table to Configure Protection Indicators in Batches.

  Content: Enter the path to be protected. Configuration description:

    • The path does not contain a domain name and supports only exact match. So, the path to be protected must be the same as the path you configure. If the path to be protected is /admin, set Path to /admin.
    • If Path is set to /, all paths of the website are protected.
    • The path content cannot contain the following special characters: (<>*)

Method

  Field Description: The request method.

  Subfield: --

  Logic: The following logical relationships are supported: Equal to and Not equal to.

  Content: Enter the request method, for example, GET, POST, PUT, DELETE, or PATCH.

Cookie

  Field Description: The cookie in the request.

  Subfield: Custom subfield. Length: 1 to 2,048 characters.

  Logic: The following logical relationships are supported: Include, Exclude, Equal to, Not equal to, Prefix is, Prefix is not, Suffix is, Suffix is not, Has, Does not have, Equal to any value, Not equal to any value, and Exclude any value.

    NOTE: If the logical operator is Equal to any value, Not equal to any value, or Exclude any value, you can select an existing reference table for Content. For details about how to add and manage a reference table, see Creating a Reference Table to Configure Protection Indicators in Batches.

  Content: Enter the cookie value of the request, for example, jsessionid.

Header

  Field Description: The request header content.

  Content: Enter the request header content, for example, text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8.

Params

  Field Description: The query parameter in the URL. The query parameter is the content following the question mark (?).

  Content: Enter the query parameter, for example, 201901150929.

Referer

  Field Description: The source of the access request.

  Subfield: --

  Content: Enter the request access source. For example, if the protected path is /admin/xxx and you do not want visitors to be able to access the page from www.test.com, set Content for Referer to http://www.test.com.
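
To check which requests a planned protected object would cover before saving the rule, the Path and Method conditions from Table 1 can be modelled locally. This is an added example, not the WAF's own code: the function names, the constructed www.example.com requests, case-sensitive matching, combining conditions with AND, and the reading of the "any value" operators are all assumptions.

```python
from urllib.parse import urlsplit

FORBIDDEN = set("<>*()")  # strict reading of "(<>*)": parentheses included (assumption)
# Positive operators from the Logic column: (request value, configured content).
POSITIVE = {
    "Include": lambda v, c: c in v,
    "Equal to": lambda v, c: v == c,
    "Prefix is": lambda v, c: v.startswith(c),
}
NEGATED = {"Exclude": "Include", "Not equal to": "Equal to", "Prefix is not": "Prefix is"}

def validate_path(content):
    """Enforce the page's rules for Path content: no domain name, no special characters."""
    if not content.startswith("/"):
        raise ValueError("Path must not contain a domain name: %r" % content)
    bad = FORBIDDEN & set(content)
    if bad:
        raise ValueError("forbidden characters in Path: %s" % sorted(bad))
    return content

def evaluate(logic, value, content):
    """One condition; '... any value' takes a list, as a reference table would supply."""
    if logic.endswith(" any value"):
        base = logic[: -len(" any value")]
        if base in NEGATED:  # assumed meaning: no entry in the list may match
            return not any(POSITIVE[NEGATED[base]](value, c) for c in content)
        return any(POSITIVE[base](value, c) for c in content)
    if logic in NEGATED:
        return not POSITIVE[NEGATED[logic]](value, content)
    return POSITIVE[logic](value, content)

def is_protected(method, url, conditions):
    """True when every condition holds (AND is an assumption) for this request."""
    request = {"Path": urlsplit(url).path or "/", "Method": method}
    for field, logic, content in conditions:
        if field == "Path":
            for item in content if isinstance(content, list) else [content]:
                validate_path(item)
            if content == "/" and logic in POSITIVE:
                continue  # page: Path set to "/" protects all paths
        if not evaluate(logic, request[field], content):
            return False
    return True

# Constructed protected object for the login and registration scenario.
LOGIN_SCOPE = [("Path", "Prefix is any value", ["/login", "/register"]),
               ("Method", "Equal to", "POST")]

if __name__ == "__main__":
    print(is_protected("POST", "https://www.example.com/login?next=/home", LOGIN_SCOPE))
```

Running a list of the application's real login and registration endpoints through `is_protected` shows any endpoint the planned conditions leave outside bot protection.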