- Release Notes and Announcements
- Release Notes
- Announcements
- Security Advisory
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
- Notice for WebLogic Console HTTP RCE Vulnerability
- Notice for Exchange Server Command Execution Vulnerability
- Notice for Yonyou GRP-U8 SQL Injection Vulnerability
- Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)
- Notice for WordPress File Manager Arbitrary Code Execution Vulnerability
- Jenkins Security Advisory for September
- Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
- Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- Combined Application of WAF and Anti-DDoS Pro
- WAF Security Protection for API Gateway
- Applying for and Using Free HTTPS Certificates
- Obtaining Real Client IPs
- Replacing Certificate
- Setting CC Protection
- WAF CCP Overview
- Connecting Frontend-Backend Separated Site to WAF CAPTCHA
- Best Practices of Bot Behavior Management Connection
- FAQS
- Service Level Agreement
- WAF Policy
- Contact Us
- Glossary
- Release Notes and Announcements
- Release Notes
- Announcements
- Security Advisory
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
- Notice for WebLogic Console HTTP RCE Vulnerability
- Notice for Exchange Server Command Execution Vulnerability
- Notice for Yonyou GRP-U8 SQL Injection Vulnerability
- Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)
- Notice for WordPress File Manager Arbitrary Code Execution Vulnerability
- Jenkins Security Advisory for September
- Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
- Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- Combined Application of WAF and Anti-DDoS Pro
- WAF Security Protection for API Gateway
- Applying for and Using Free HTTPS Certificates
- Obtaining Real Client IPs
- Replacing Certificate
- Setting CC Protection
- WAF CCP Overview
- Connecting Frontend-Backend Separated Site to WAF CAPTCHA
- Best Practices of Bot Behavior Management Connection
- FAQS
- Service Level Agreement
- WAF Policy
- Contact Us
- Glossary
This document describes the tamper protection feature of WAF. It is used to protect core static webpages. By caching pages and locking access requests, it protects your website from being affected by malicious tampering with your real server pages. In addition, you can also configure tamper protection rules as needed.
Overview
With the tamper protection feature, you can add protection rules to protect core webpages from being tampered with as needed. You can refresh the protected pages, during which WAF will update them to ensure that they are the same as those on the real server. Moreover, you can also choose whether to retain rule hit logs to analyze hit conditions.
Note:CLB WAF doesn't support the tamper protection feature. For more information on detailed specifications, see Billing Overview.
Prerequisites
You have added a protected domain name to SaaS WAF, and ensured the domain name is in normal protection.
Adding Rules
- Log in to the WAF console and select Configuration Center > Basic Security on the left sidebar.
- On the basic security page, select the target domain name in the top-left corner and click Web tamper protection.
- On the tamper protection page, click Add rule, and the rule adding window will pop up.
- In the pop-up window, configure relevant fields and click OK.
Field description:
- Rule name: Tamper protection rule name of up to 50 characters. You can search for rules by name in attack logs.
- Page path: Path of the page to be protected from tampering. You need to enter a specific URL rather than a path.
Note:
- The specified page is limited to static resources such as .html, .shtml, .txt, .js, .css, .jpg, and .png.
- After the rule is added, when a user accesses this page for the first time, WAF will cache the page, and subsequent access requests will be directed to the WAF-cached page.
- After the tamper protection rule is added, it will be enabled by default.
Searching Rules
- On the basic security page, select the target domain name in the top-left corner and click Tamper Protection.
- On the tamper protection page, click the search box to filter rules by keywords such as rule ID, rule name, and protection path.
Editing Rules
- On the basic security page, select the target domain name in the top-left corner and click Web tamper protection.
- On the tamper protection page, select the target rule, click Edit in the Operation column, and the rule editing window will pop up.
- In the pop-up window, modify relevant parameters and click Save.
- After the protected page is updated, click Refresh to cache the updated page to WAF.
Deleting Rules
- On the basic security page, select the target domain name in the top-left corner and click Web tamper protection.
- On the tamper protection page, select the target rule, click Delete in the Operation column, and the deletion confirmation window will pop up.
- In the pop-up window, click Delete.
Note:
Once deleted, it cannot be restored and takes effect only after being added again.
Yes
No
Was this page helpful?