Help Center/ Host Security Service/ User Guide/ Server Protection/ Application Protection/ Managing Application Protection Policies
Updated on 2025-08-26 GMT+08:00
View PDF
Share

Managing Application Protection Policies

Scenario

Application protection policies can be added, edited, and deleted in the following scenarios:

  • Addition: HSS provides a default policy, which contains all the detection rules for application protection. For details, see Detection Capabilities. If you need to customize the policy for a server, you can add a protection policy and customize the detection rules and configurations in the policy.
  • Editing: You can edit a custom protection policy.
  • Deletion: You can delete a custom protection policy that is not associated with any server.

Adding a Protection Policy

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
  3. Choose Server Protection > Application Protection and click Protection Policies. For more information, see Table 1.

    Table 1 Protection policy parameters

    Parameter

    Description

    Policy Name

    Protection policy name

    Detection Rule

    Detection rules supported by a policy.

    Associated Servers

    Number of servers bound to a policy.

  4. (Optional) If you have enabled the enterprise project function, select an enterprise project from the Enterprise Project drop-down list in the upper part of the page to view its data.
  5. Click Add Policy. In the dialog box that is displayed, configure the parameters by referring to Table 2.

    Figure 1 Adding a protection policy
    Table 2 Application protection policy parameters

    Parameter

    Description

    OS

    OS of the servers that the protection policy applies to.

    Policy Name

    User-defined policy name

    Detection Rule ID

    Unique ID of a detection rule. To enable a detection rule, select the check box next to the ID.

    Action

    Protection action of a detection rule.

    • Detect: Detects objects based on the target rule and reports alarms for detected risk events.
    • Detect and block: Detects objects based on the target rule, reports alarms for detected risk events, and directly blocks or intercepts detected risk items.
      WARNING:

      Blocking or interception may interrupt services. Exercise caution when enabling this function.

    Description

    Description about the detected object and behavior of the target protection policy.

  6. Click Configure in the Operation column of a detection rule to modify the rule content. Table 3 describes the supported detection rules.

    Table 3 Detection rules that can be configured only

    Rule

    Description

    Example

    XXE

    User-defined XXE blacklist protocol

    .xml;.dtd;

    XSS

    User-defined XSS shielding rules

    xml;doctype;xmlns;import;entity

    WebShellUpload

    User-defined suffix of files in the blacklist.

    .jspx;.jsp;.jar;.phtml;.asp;.php;.ascx;.ashx;.cer

    FileDirAccess

    User-defined path of files in the blacklist.

    /etc/passwd;/etc/shadow;/etc/gshadow;

  7. Confirm the configured policy and selected detection rules, and click OK. You can check whether the rule is added on the Protection Policy tab page.

Editing a Protection Policy

  1. Log in to the management console and go to the HSS page.
  2. Choose Server Protection > Application Protection and click Protection Policies. For more information, see Table 4.

    Table 4 Protection policy parameters

    Parameter

    Description

    Policy Name

    Protection policy name

    Detection Rule

    Detection rules supported by a policy.

    Associated Servers

    Number of servers bound to a policy.

  3. (Optional) If you have enabled the enterprise project function, select an enterprise project from the Enterprise Project drop-down list in the upper part of the page to view its data.
  4. Click Edit in the Operation column of a policy to configure the policy name, supported detection rules, and rule content.

    Table 5 Application protection policy parameters

    Parameter

    Description

    Policy Name

    User-defined policy name

    Detection Rule ID

    Unique ID of a detection rule. To enable a detection rule, select the check box next to the ID.

    Action

    Protection action of a detection rule.

    • Detect: Detects objects based on the target rule and reports alarms for detected risk events.
    • Detect and block: Detects objects based on the target rule, reports alarms for detected risk events, and directly blocks or intercepts detected risk items.
      NOTICE:

      Blocking or interception may interrupt services. Exercise caution when enabling this function

    Description

    Description about the detected object and behavior of the target protection policy.

  5. Confirm the configured rule and selected detection items and click OK. You can check whether the target policy is modified on the Protection Policy tab page.

Deleting a Policy

  1. Log in to the management console and go to the HSS page.
  2. Choose Server Protection > Application Protection and click Protection Policies. For more information, see Table 6.

    Table 6 Protection policy parameters

    Parameter

    Description

    Policy Name

    Protection policy name

    Detection Rule

    Detection rules supported by a policy.

    Associated Servers

    Number of servers bound to a policy.

  3. (Optional) If you have enabled the enterprise project function, select an enterprise project from the Enterprise Project drop-down list in the upper part of the page to view its data.
  4. Click Delete in the Operation column of the target policy. In the dialog box that is displayed, confirm the policy information and click OK.

    Only the policies that are not associated with any server can be deleted.

Parent Topic: Application Protection