The invention relates to a Web attack protection method in which, for each access request, at least one of the following protection combinations is applied:

A. The blacklist protection sub-process is executed first, and then the whitelist protection sub-process is executed.

B. The blacklist protection sub-process is executed on the access request while, at the same time, the whitelist protection sub-process is executed on the mirrored traffic of the access request.

C. It is determined whether the URI (uniform resource identifier) of the access request is in the library of URIs for which the whitelist has been sufficiently learned; if so, the whitelist protection sub-process is executed on the access request, and if not, the blacklist protection sub-process is executed on the access request.

In each combination, for each access request, the whitelist learning sub-process is executed after the blacklist protection sub-process has been executed on that request, and the whitelist is learned with the URI in the access request as the unit.
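
Combination C as an added Python sketch (not code from the patent). The learning threshold, the blacklist signatures, the per-parameter value-shape whitelist model, and the choice to learn only from requests that passed the blacklist are all assumptions; the abstract specifies none of them.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed blacklist signatures (constructed; the abstract names no rules).
BLACKLIST = [re.compile(p, re.I) for p in (r"<script\b", r"\bunion\s+select\b", r"\.\./")]
LEARN_THRESHOLD = 3  # assumed: clean requests before a URI counts as sufficiently learned


def shape(value):
    """Coarse value class used as the learned whitelist feature (assumption)."""
    if value.isdigit():
        return "digits"
    if re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return "token"
    return "other"


class Waf:
    def __init__(self):
        self.samples = defaultdict(int)    # URI -> number of clean requests learned
        self.profile = defaultdict(dict)   # URI -> {parameter name: set of value shapes}

    def blacklist_ok(self, params):
        return not any(sig.search(v) for _, v in params for sig in BLACKLIST)

    def whitelist_ok(self, uri, params):
        prof = self.profile[uri]
        return all(k in prof and shape(v) in prof[k] for k, v in params)

    def learn(self, uri, params):
        for k, v in params:
            self.profile[uri].setdefault(k, set()).add(shape(v))
        self.samples[uri] += 1

    def handle(self, request_target):
        """Combination C: route by whether the URI is sufficiently learned."""
        parts = urlsplit(request_target)
        uri, params = parts.path, parse_qsl(parts.query, keep_blank_values=True)
        if self.samples[uri] >= LEARN_THRESHOLD:
            ok = self.whitelist_ok(uri, params)
            return ("whitelist", "allow" if ok else "block")
        if not self.blacklist_ok(params):
            return ("blacklist", "block")
        self.learn(uri, params)  # learning runs after the blacklist sub-process
        return ("blacklist", "allow")
```

Each URI moves from blacklist to whitelist enforcement independently, so a rarely visited URI keeps blacklist protection while a well-learned one rejects any parameter or value shape it has not seen, including inputs no blacklist signature matches.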