CAPTCHA and Challenge actions in AWS WAF
You can configure your AWS WAF rules to run a CAPTCHA or Challenge action against web requests that match your rule's inspection criteria. You can also program your JavaScript client applications to run CAPTCHA puzzles and browser challenges locally.
- CAPTCHA requires the end user to solve a CAPTCHA puzzle to prove that a human being is sending the request.
  The CAPTCHA rule action is similar to the CAPTCHA puzzle in the client application integration APIs. You can customize the behavior and placement of the puzzle when you program it into your client application. For more information, see AWS WAF client application integration.
- Challenge runs a silent challenge that requires the client session to verify that it's a browser, and not a bot. The verification runs in the background without involving the end user. This is a good option for verifying clients that you suspect of being invalid without negatively impacting the end user experience with a CAPTCHA puzzle.
  The Challenge rule action is similar to the challenge run by the client intelligent threat integration APIs, described at AWS WAF client application integration.
Note
You are charged additional fees when you use the CAPTCHA or Challenge rule action in one of your rules or as a rule action override in a rule group. For more information, see AWS WAF Pricing.
After the user or client responds successfully, the script running the CAPTCHA or challenge automatically resubmits the original web request with the updated token.
For a description of rule action settings, see Rule action.
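The following pair of rules, in the WAFv2 rule JSON format, shows the two actions side by side: a CAPTCHA action on requests to a sign-in path and a Challenge action on clients that exceed a request rate. This is an added example, not taken from the AWS documentation. The rule names, the /login path, the rate limit and the immunity times are constructed values.

```json
[
  {
    "Name": "captcha-login-example",
    "Priority": 0,
    "Statement": {
      "ByteMatchStatement": {
        "SearchString": "/login",
        "FieldToMatch": { "UriPath": {} },
        "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
        "PositionalConstraint": "STARTS_WITH"
      }
    },
    "Action": { "Captcha": {} },
    "CaptchaConfig": { "ImmunityTimeProperty": { "ImmunityTime": 300 } },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "captcha-login-example"
    }
  },
  {
    "Name": "challenge-high-rate-example",
    "Priority": 1,
    "Statement": {
      "RateBasedStatement": { "Limit": 300, "AggregateKeyType": "IP" }
    },
    "Action": { "Challenge": {} },
    "ChallengeConfig": { "ImmunityTimeProperty": { "ImmunityTime": 300 } },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "challenge-high-rate-example"
    }
  }
]
```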