Providing domains for use in the tokens - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced


By default, when Amazon WAF creates a token, it uses the host domain of the resource that’s associated with the web ACL. You can provide additional domains for the tokens that Amazon WAF creates for the JavaScript APIs. To do this, configure the global variable window.awsWafCookieDomainList with one or more token domains.

When Amazon WAF creates a token, it uses the most appropriate, shortest domain from among the combination of the domains in window.awsWafCookieDomainList and the host domain of the resource that’s associated with the web ACL.

Example settings:

window.awsWafCookieDomainList = ['.aws.amazon.com']
window.awsWafCookieDomainList = ['.aws.amazon.com', 'abc.aws.amazon.com']

You can't use public suffixes in this list. For example, you can't use gov.au or co.uk as token domains in the list.

The domains that you specify in this list must be compatible with your other domains and domain configurations:

  • The domains must be ones that Amazon WAF will accept, based on the protected host domain and the token domain list that's configured for the web ACL. For more information, see Amazon WAF web ACL token domain list configuration.

  • If you use the JavaScript CAPTCHA API, at least one domain in your CAPTCHA API key must be an exact match for one of the token domains in window.awsWafCookieDomainList or it must be the apex domain of one of those token domains.

    For example, for the token domain mySubdomain.myApex.com, the API key mySubdomain.myApex.com is an exact match and the API key myApex.com is the apex domain. Either key matches the token domain.

    For more information about the API keys, see Managing API keys for the JS CAPTCHA API.
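The public suffix rule and the CAPTCHA API key rule above can be checked before a page ships. The following is an added example, not code from Amazon WAF or its documentation: checkTokenDomains, apexOf and the small PUBLIC_SUFFIXES sample are hypothetical names and data, and ignoring a leading dot when comparing domains is an assumption of this sketch.

```javascript
// Added example: pre-deployment lint for the value assigned to
// window.awsWafCookieDomainList. Not Amazon WAF code.
// PUBLIC_SUFFIXES is a tiny constructed sample; a real check would load
// the full Public Suffix List instead.
const PUBLIC_SUFFIXES = new Set(['com', 'uk', 'co.uk', 'au', 'gov.au']);

// Assumption: compare case-insensitively and ignore a leading dot,
// so '.aws.amazon.com' and 'aws.amazon.com' are treated alike.
const norm = (d) => d.trim().toLowerCase().replace(/^\./, '');

// Apex domain = longest known public suffix plus one label to its left.
// Returns null if the name is itself a suffix or the suffix is unknown.
function apexOf(domain) {
  const labels = norm(domain).split('.');
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null;
}

// Returns a list of problems; an empty list means both rules pass.
function checkTokenDomains(tokenDomains, captchaKeyDomains = []) {
  const problems = [];
  const tokens = tokenDomains.map(norm);
  for (const t of tokens) {
    if (PUBLIC_SUFFIXES.has(t)) problems.push(`public suffix not allowed: ${t}`);
  }
  // Only relevant when the JavaScript CAPTCHA API is in use: at least one
  // API key domain must equal a token domain or be that token domain's apex.
  if (captchaKeyDomains.length > 0) {
    const keys = new Set(captchaKeyDomains.map(norm));
    const matched = tokens.some((t) => keys.has(t) || keys.has(apexOf(t)));
    if (!matched) problems.push('no CAPTCHA API key domain matches a token domain');
  }
  return problems;
}
```

Run the check in a build step against the same array the page assigns to window.awsWafCookieDomainList, and fail the build if it returns any problems.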

If you use the AWSManagedRulesACFPRuleSet managed rule group, you might configure a domain that matches the one in the account creation path that you provided to the rule group configuration. For more information about this configuration, see Adding the ACFP managed rule group to your web ACL.

If you use the AWSManagedRulesATPRuleSet managed rule group, you might configure a domain that matches the one in the login path that you provided to the rule group configuration. For more information about this configuration, see Adding the ATP managed rule group to your web ACL.