Types of token labels in Amazon WAF
This section describes the labels that Amazon WAF token management adds to web requests. For general information about labels, see Web request labeling in Amazon WAF.
When you use any of the Amazon WAF bot or fraud control managed rule groups, the rule groups use Amazon WAF token management to inspect the web request tokens and apply token labeling to the requests. For information about the managed rule groups, see Amazon WAF Fraud Control account creation fraud prevention (ACFP) rule group, Amazon WAF Fraud Control account takeover prevention (ATP) rule group, and Amazon WAF Bot Control rule group.
Note
Amazon WAF applies token labels only when you use one of these intelligent threat mitigation managed rule groups.
Token management can add the following labels to web requests.
Client session label
The label awswaf:managed:token:id:identifier contains a unique identifier that Amazon WAF token management uses to identify the client session. The identifier can change if the client acquires a new token, for example after discarding the token it was using.
Note
Amazon WAF doesn't report Amazon CloudWatch metrics for this label.
Browser fingerprint label
The label awswaf:managed:token:fingerprint:fingerprint-identifier contains a robust browser fingerprint identifier that Amazon WAF token management computes from various client browser signals. This identifier stays the same across multiple token acquisition attempts. The fingerprint identifier is not unique to a single client.
Note
Amazon WAF doesn't report Amazon CloudWatch metrics for this label.
Token status labels: Label namespace prefixes
Token status labels report on the status of the token and of the challenge and CAPTCHA information that it contains.
Each token status label begins with one of the following namespace prefixes:
awswaf:managed:token: – Used to report the general status of the token and to report on the status of the token's challenge information.
awswaf:managed:captcha: – Used to report on the status of the token's CAPTCHA information.
Token status labels: Label names
Following the prefix, the rest of the label provides detailed token status information:
accepted – The request token is present and contains the following:
A valid challenge or CAPTCHA solution.
An unexpired challenge or CAPTCHA timestamp.
A domain specification that's valid for the web ACL.
Example: The label awswaf:managed:token:accepted indicates that the web request's token has a valid challenge solution, an unexpired challenge timestamp, and a valid domain.
rejected – The request token is present but doesn't meet the acceptance criteria. Along with the rejected label, token management adds a custom label namespace and name to indicate the reason:
rejected:not_solved – The token is missing the challenge or CAPTCHA solution.
rejected:expired – The token's challenge or CAPTCHA timestamp has expired, according to your web ACL's configured token immunity times.
rejected:domain_mismatch – The token's domain isn't a match for your web ACL's token domain configuration.
rejected:invalid – Amazon WAF couldn't read the indicated token.
Example: The labels awswaf:managed:captcha:rejected and awswaf:managed:captcha:rejected:expired indicate that the request was rejected because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the web ACL.
absent – The request doesn't have the token or the token manager couldn't read it.
Example: The label awswaf:managed:captcha:absent indicates that the request doesn't have the token.
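As an added example (not part of the Amazon WAF documentation), the following Python reduces the labels on a WAF log record to the client session, browser fingerprint and per-namespace token status described above, so the outcomes can be tallied across a batch of logs. It assumes a log record carries its labels as a list of {"name": ...} objects, as in WAF JSON logs; the sample records are constructed.

```python
from collections import Counter

# Label namespaces and names as documented on this page.
ID_PREFIX = "awswaf:managed:token:id:"
FP_PREFIX = "awswaf:managed:token:fingerprint:"
STATUS_NAMESPACES = {"token": "awswaf:managed:token:", "captcha": "awswaf:managed:captcha:"}


def summarize_token_labels(record: dict) -> dict:
    """Reduce one WAF log record to token session, fingerprint and status.

    Assumption: the record's "labels" field is a list of {"name": ...} objects,
    as in WAF JSON logs. Status per namespace is "accepted", "rejected:<reason>",
    "rejected" (no reason label seen), "absent", or None if nothing was reported.
    """
    summary = {"session": None, "fingerprint": None, "token": None, "captcha": None}
    parts = {ns: set() for ns in STATUS_NAMESPACES}
    for name in (lbl["name"] for lbl in record.get("labels", [])):
        if name.startswith(ID_PREFIX):      # client session label
            summary["session"] = name[len(ID_PREFIX):]
        elif name.startswith(FP_PREFIX):    # browser fingerprint label
            summary["fingerprint"] = name[len(FP_PREFIX):]
        else:                               # token status labels
            for ns, prefix in STATUS_NAMESPACES.items():
                if name.startswith(prefix):
                    parts[ns].add(name[len(prefix):])
    for ns, seen in parts.items():
        reasons = sorted(p for p in seen if p.startswith("rejected:"))
        # Prefer the most specific label: a rejection reason beats plain "rejected".
        order = reasons + ["rejected", "accepted", "absent"]
        summary[ns] = next((s for s in order if s in seen), None)
    return summary


def count_statuses(records: list) -> Counter:
    """Tally challenge/CAPTCHA token outcomes across a batch of log records."""
    return Counter(f"{ns}={s[ns]}" for s in map(summarize_token_labels, records)
                   for ns in STATUS_NAMESPACES if s[ns] is not None)


# Constructed sample records (not real log data), one per status case on the page.
SAMPLE_LOG = [
    {"labels": [{"name": "awswaf:managed:token:id:example-session-1"},
                {"name": "awswaf:managed:token:fingerprint:example-fp-a"},
                {"name": "awswaf:managed:token:accepted"}]},
    {"labels": [{"name": "awswaf:managed:captcha:rejected"},
                {"name": "awswaf:managed:captcha:rejected:expired"}]},
    {"labels": [{"name": "awswaf:managed:captcha:absent"}]},
]
```

Because the id and fingerprint labels share the awswaf:managed:token: prefix, they are matched before the status namespaces so they are never mistaken for a status value.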