Data Leakage Protection

Last updated: 2024-11-01 11:06:42

This document describes the information leakage protection feature of WAF. The feature filters the content returned by websites and can replace, mask, or block sensitive information (e.g., identity card/mobile/bank card numbers), keywords, and response codes. By setting leakage protection rules as needed, you can meet the requirements of data security protection and cybersecurity classified protection.

Background

With the leakage protection feature, you can add protection rules to filter the content returned by websites as needed, such as identity card/mobile/bank card numbers. You can also customize keywords (regex is supported) to filter order numbers and addresses and completely or partially replace them. Moreover, you can block or trigger alarms for status codes other than 200 returned by websites to meet compliance requirements.
Note:
CLB WAF doesn't support the data leakage protection feature. For more information on detailed specifications, see Billing Overview.

Prerequisites

You have already added a protection domain in WAF (SaaS version), and the domain is in a normal protection state.

Adding a Rule

1. Log in to the WAF Console and select Configuration Center > Basic Security on the left sidebar.
2. On the basic security page, select the target domain name in the top-left corner, and click Information Leakage Prevention.
3. On the Information Leakage Prevention page, click Add Rule, and the rule adding window will pop up.

4. In the pop-up window, fill in the relevant fields and click OK after configuration.

Field Descriptions:
Rule Name: The name of the information leakage prevention rule, up to 50 characters. You can search for rules by name in attack logs.
Condition: Match condition for leakage prevention. Sensitive information, keywords, and response codes are supported. Each type has its own matching content and available actions:

| Match condition | Matching content | Matching actions |
|---|---|---|
| Sensitive information | Identity card/mobile/bank card numbers | Alert, Replace all, Show the last 4 digits, Show the first 4 digits, and Block |
| Keyword | Keyword and regex | Alert, Replace all, and Block |
| Response code | 400, 403, 404, other 4XX codes, 500, 501, 502, 504, and other 5XX codes | Alert and Block |

Match content: The match content varies by match condition.
Defense Path: Specific path where the information needs to be protected from leakage. You can enter a directory or specific path as needed.
Action: Action to be executed after the match condition is hit. You can view the relevant hit information in attack logs.
5. Once the rule takes effect, it will begin protecting the sensitive information returned in your web pages as shown in the following example that performs the Replace action (demo content):
Before the protection is enabled

After the protection is enabled
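
A local sketch of how the rule fields above combine, useful for previewing a keyword regex or masking action against a sample response before creating the rule. This is an added example, not WAF's own code: the mobile-number pattern, the `*` mask character, the prefix-style defense path match, and all rule names and sample data are assumptions.

```python
import re

# Assumed pattern for one "sensitive information" type; WAF's own pattern is not published here.
MOBILE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")

def mask(value, action):
    """Apply one of the masking actions from the table to a matched value."""
    if action == "replace_all":
        return "*" * len(value)
    if action == "show_last_4":
        return "*" * (len(value) - 4) + value[-4:]
    if action == "show_first_4":
        return value[:4] + "*" * (len(value) - 4)
    raise ValueError(f"not a masking action: {action}")

def apply_rules(status, path, body, rules):
    """Return (blocked, body_after_masking, names_of_rules_hit)."""
    hits = []
    for rule in rules:
        if not path.startswith(rule["path"]):          # defense path (assumed prefix match)
            continue
        if rule["condition"] == "response_code":
            matched = status in rule["content"]
        else:                                          # sensitive information or keyword
            matched = rule["content"].search(body) is not None
        if not matched:
            continue
        hits.append(rule["name"])                      # every hit would appear in attack logs
        if rule["action"] == "block":
            return True, "", hits
        if rule["action"] != "alert":                  # masking actions rewrite the body
            body = rule["content"].sub(
                lambda m, a=rule["action"]: mask(m.group(0), a), body)
    return False, body, hits

# Constructed rules, one per match condition in the table.
RULES = [
    {"name": "mask-mobile", "condition": "sensitive", "content": MOBILE,
     "path": "/api/", "action": "show_last_4"},
    {"name": "hide-order-no", "condition": "keyword",
     "content": re.compile(r"ORD-\d{8}"), "path": "/api/", "action": "replace_all"},
    {"name": "block-5xx", "condition": "response_code",
     "content": {500, 501, 502, 504}, "path": "/", "action": "block"},
]
BODY = '{"phone": "13800138000", "order": "ORD-20241101"}'  # constructed response body

if __name__ == "__main__":
    print(apply_rules(200, "/api/user", BODY, RULES))
    print(apply_rules(502, "/api/user", BODY, RULES))
```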


Searching for Rules

1. On the Basic Security Page, select the target domain name in the top-left corner, and click Data leakage prevention.
2. On the Information Leakage Prevention page, click the search box to query rules using keywords such as "Rule ID" or "Rule Name".


Editing a Rule

1. On the Basic Security Page, select the target domain name in the top-left corner, and click Data leakage prevention.
2. On the Information Leakage Prevention page, select the required rule, and click Edit in the Actions column to open the rule editing window.

3. In the pop-up window, modify relevant parameters and click OK.


Deleting a Rule

1. On the Basic Security Page, select the target domain name in the top-left corner, and click Data leakage prevention.
2. On the Information Leakage Prevention page, select the required rule, and click Delete in the Actions column to open the confirmation window.

3. In the confirmation window, click OK to delete the rule.