
Configurations for CAPTCHA, challenge, and tokens

You can configure options in your web ACL for the rules that use the CAPTCHA or Challenge rule actions and for the application integration SDKs that manage silent client challenges for Amazon WAF managed protections.

These features mitigate bot activity by challenging end users with CAPTCHA puzzles and by presenting client sessions with silent challenges. When the client responds successfully, Amazon WAF provides a token that the client includes in its subsequent web requests; the token is timestamped with the last successful puzzle and challenge responses. For more information, see Amazon WAF intelligent threat mitigation.

In your web ACL configuration, you can configure how Amazon WAF manages these tokens:

  • CAPTCHA and challenge immunity times – These specify how long a CAPTCHA or challenge timestamp remains valid. The web ACL settings are inherited by all rules that don't have their own immunity time settings configured and also by the application integration SDKs. For more information, see Timestamp expiration: Amazon WAF token immunity times.

  • Token domains – By default, Amazon WAF accepts tokens only for the domain of the resource that the web ACL is associated with. If you configure a token domain list, Amazon WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see Amazon WAF web ACL token domain list configuration.
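The following Python module is an added example, not code from the Amazon WAF documentation or the service itself. It models the two web ACL settings described above: it builds a configuration dict whose field names follow the WAFV2 CreateWebACL request shape (CaptchaConfig, ChallengeConfig, TokenDomains, per-rule CaptchaConfig/ChallengeConfig), resolves the immunity time a given rule actually uses (rule setting, else web ACL setting, else the service default of 300 seconds), and evaluates a constructed, already-decoded stand-in token against the accepted domain set and the immunity times. The web ACL name, rule names, domains, timestamps and the decoded-token dict are all constructed for the example; exact-match domain comparison is an assumption of this model, and nothing here calls the AWS API.

```python
"""Model of web ACL CAPTCHA, challenge and token settings (added example).

Constructed for illustration: dict shapes mirror the WAFV2 CreateWebACL
request fields, but the evaluation helpers are this example's own logic,
not the service's implementation. Statement and VisibilityConfig fields
are omitted from the rules to keep the sample short.
"""
from __future__ import annotations

# Range accepted by the WAFV2 ImmunityTimeProperty, in seconds, and the
# value the service applies when no immunity time is configured.
IMMUNITY_MIN, IMMUNITY_MAX, IMMUNITY_DEFAULT = 60, 259_200, 300


def immunity_config(seconds: int) -> dict:
    """Build an ImmunityTimeProperty block after validating the range."""
    if not IMMUNITY_MIN <= seconds <= IMMUNITY_MAX:
        raise ValueError(f"immunity time {seconds}s outside {IMMUNITY_MIN}-{IMMUNITY_MAX}")
    return {"ImmunityTimeProperty": {"ImmunityTime": seconds}}


def build_web_acl(name: str, captcha_s: int, challenge_s: int,
                  token_domains: list[str], rules: list[dict]) -> dict:
    """Assemble the web ACL-level settings that rules and the SDKs inherit."""
    return {
        "Name": name,
        "CaptchaConfig": immunity_config(captcha_s),
        "ChallengeConfig": immunity_config(challenge_s),
        "TokenDomains": list(token_domains),
        "Rules": rules,
    }


# Constructed sample: one rule overrides its CAPTCHA immunity time, the
# other inherits both settings from the web ACL.
WEB_ACL = build_web_acl(
    name="example-web-acl",
    captcha_s=300,
    challenge_s=600,
    token_domains=["example.com", "api.example.com"],
    rules=[
        {"Name": "login-captcha", "Priority": 0, "Action": {"Captcha": {}},
         "CaptchaConfig": immunity_config(120)},
        {"Name": "bot-challenge", "Priority": 1, "Action": {"Challenge": {}}},
    ],
)


def effective_immunity_time(web_acl: dict, rule_name: str, kind: str) -> int:
    """Resolve the immunity time for `kind` ('CaptchaConfig' or
    'ChallengeConfig'): rule-level wins, then web ACL, then the default."""
    rule = next(r for r in web_acl["Rules"] if r["Name"] == rule_name)
    for scope in (rule, web_acl):
        cfg = scope.get(kind)
        if cfg:
            return cfg["ImmunityTimeProperty"]["ImmunityTime"]
    return IMMUNITY_DEFAULT


def accepted_token_domains(web_acl: dict, resource_domain: str) -> set[str]:
    """Domains whose tokens are accepted: the associated resource's domain
    plus every entry in the token domain list (exact match, lower-cased)."""
    return {resource_domain.lower(), *(d.lower() for d in web_acl.get("TokenDomains", []))}


def timestamp_current(response_time: int, now: int, immunity_time: int) -> bool:
    """A puzzle/challenge timestamp is valid while its age is below the
    immunity time; a timestamp from the future is rejected too."""
    age = now - response_time
    return 0 <= age < immunity_time


def evaluate_token(web_acl: dict, resource_domain: str, rule_name: str,
                   token: dict, now: int) -> dict:
    """Check a constructed decoded token (keys: domain, captcha_at,
    challenge_at; a missing timestamp means no successful response yet)
    against the settings the named rule would apply."""
    checks = {"domain": token["domain"].lower() in accepted_token_domains(web_acl, resource_domain)}
    for key, kind in (("captcha_at", "CaptchaConfig"), ("challenge_at", "ChallengeConfig")):
        limit = effective_immunity_time(web_acl, rule_name, kind)
        ts = token.get(key)
        checks[kind] = ts is not None and timestamp_current(ts, now, limit)
    return checks


if __name__ == "__main__":
    now = 1_700_000_000  # constructed epoch seconds
    token = {"domain": "example.com", "captcha_at": now - 200, "challenge_at": now - 200}
    for rule in ("login-captcha", "bot-challenge"):
        print(rule, evaluate_token(WEB_ACL, "shop.example.com", rule, token, now))
```

Running the module shows the inheritance in practice: the same token passes the CAPTCHA check under `bot-challenge` (300 s inherited from the web ACL) but fails it under `login-captcha` (120 s set on the rule), while the challenge check passes for both because neither rule overrides the web ACL's 600 s.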