Client application integrations in Amazon WAF
This section explains how to use the intelligent threat integration APIs and JavaScript CAPTCHA integration API with your Amazon WAF features.
Use Amazon WAF client application integration APIs to couple client-side protections with your Amazon server-side web ACL protections, to help verify that the client applications that send web requests to your protected resources are the intended clients and that your end users are human beings.
Use the client integrations to manage silent browser challenges and CAPTCHA puzzles, obtain tokens with proof of successful browser and end user responses, and include these tokens in requests to your protected endpoints. For general information about Amazon WAF tokens, see Token use in Amazon WAF intelligent threat mitigation.
Combine your client integrations with web ACL protections that require valid tokens for access to your resources. You can use rule groups that check and monitor challenge tokens, like the ones listed in the next section, at Intelligent threat integration and Amazon Managed Rules, and you can use the CAPTCHA and Challenge rule actions to check, as described in CAPTCHA and Challenge in Amazon WAF.
Amazon WAF provides two levels of integration for JavaScript applications, and one for mobile applications:
- Intelligent threat integration – Verify the client application and provide Amazon token acquisition and management. This is similar to the functionality provided by the Amazon WAF Challenge rule action. This functionality fully integrates your client application with the AWSManagedRulesACFPRuleSet managed rule group, the AWSManagedRulesATPRuleSet managed rule group, and the targeted protection level of the AWSManagedRulesBotControlRuleSet managed rule group.
  The intelligent threat integration APIs use the Amazon WAF silent browser challenge to help ensure that login attempts and other calls to your protected resource are only allowed after the client has acquired a valid token. The APIs manage token authorization for your client application sessions and gather information about the client to help determine whether it's being operated by a bot or by a human being.
  Note: This is available for JavaScript and for Android and iOS mobile applications.
- CAPTCHA integration – Verify end users with a customized CAPTCHA puzzle that you manage in your application. This is similar to the functionality provided by the Amazon WAF CAPTCHA rule action, but with added control over the puzzle placement and behavior.
  This integration leverages the JavaScript intelligent threat integration to run silent challenges and provide Amazon WAF tokens to the customer's page.
  Note: This is available for JavaScript applications.