AWS WAF CAPTCHA with integration and without integration


Hi everyone,

I understand that I can use the AWS WAF CAPTCHA feature with or without integrating it with my application. What I do not fully understand is the difference between using CAPTCHA with integration and without integration. Why would I want to integrate CAPTCHA with my application if I can simply define a rule in the AWS console? As far as I know, the workflow is almost the same (handled by my app vs AWS) and the outcome is the same.

Thank you so much for your time. I really appreciate it.

1 Answer
Accepted Answer

Hello.

If you do not integrate CAPTCHA authentication, you will need to perform processing on the application side so that the accessing user is redirected to another page when authentication is complete.
If you integrate CAPTCHA authentication, this part of redirection will not be necessary on the application side.
This setting is advantageous for applications that do not require reloading, such as SPA sites created with React etc.
https://aws.amazon.com/about-aws/whats-new/2023/04/aws-waf-captcha-javascript-api-support/?nc1=h_ls

AWS WAF Captcha redirected customers to a different page for solving the Captcha problem. With this release, developers can improve the Captcha customer experience by embedding Captcha problems in their existing webpages, including Single Page applications (SPAs).

answered a month ago
  • I see. Does it mean the users will be allowed to solve the Captcha problem on the same web page (e.g. login page)? For example, with integration, when users access the login page, they are asked to solve the Captcha problem on the same login page.

    Without integration, the flow will look like this. browse login page --> redirected to Captcha page --> redirected to login page again after solving Captcha

    Is that correct?

  • browse login page --> redirected to Captcha page --> redirected to login page again after solving Captcha

    This part will be processed as follows. Perform CAPTCHA authentication when logging in on the login page --> redirected to login page again after solving Captcha
    I think it's easier to understand what happens on the browser around here by looking at the "Network" tab in the browser's developer tools. In fact, you can see that when you access a web page that requires CAPTCHA authentication, a new page is loaded after authentication is completed. If you have CAPTCHA authentication integration enabled, you will notice that new pages will not load after authentication is complete.

  • Thank you so much, Riku. Can I also use Captcha or Challenge with POST requests? What I am trying to do is when users click submit in the login form, they will be presented with a Captcha or a Challenge. Only if they pass the Captcha or Challenge, their submit login attempt will be sent to the server.

  • I think it needs to be put in before running POST. In other words, you need to set it to the GET request of the screen that sends the POST request instead of setting it to the POST request. https://docs.aws.amazon.com/waf/latest/developerguide/waf-captcha-and-challenge-best-practices.html

    Configure your Challenge and CAPTCHA use so that AWS WAF only sends CAPTCHA puzzles and silent challenges in response to GET text/html requests. You can't run either the puzzle or the challenge in response to POST requests, Cross-Origin Resource Sharing (CORS) preflight OPTIONS requests, or any other non-GET request types. Browser behavior for other request types can vary and might not be able to handle the interstitials properly.
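
The integrated flow discussed in this thread, as an added example that is not from the original posts or from AWS: the login form POSTs through the integration's fetch wrapper, and if AWS WAF answers with its CAPTCHA response (HTTP 405 with the `x-amzn-waf-action: captcha` header), the puzzle is rendered in the current page and the POST is retried only after it is solved. The `/login` path, the function names and the `waf` wrapper object are assumptions; in a browser `waf` would be `{ fetch: AwsWafIntegration.fetch, renderCaptcha: AwsWafCaptcha.renderCaptcha }`.

```javascript
// Added example: login submit guarded by the AWS WAF CAPTCHA JavaScript API.
// Hypothetical names: submitLogin, needsCaptcha, the "/login" path, the `waf` object.
// `waf` is injected so the flow can be exercised outside a browser.

function needsCaptcha(response) {
  // AWS WAF replies to a request that hit a CAPTCHA rule without a valid
  // token with 405 and the x-amzn-waf-action header set to "captcha".
  return response.status === 405 &&
    response.headers.get("x-amzn-waf-action") === "captcha";
}

async function submitLogin(waf, container, credentials, apiKey) {
  // The integration's fetch attaches the current WAF token to the request.
  const send = () => waf.fetch("/login", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(credentials),
  });

  const first = await send();
  if (!needsCaptcha(first)) return first; // token was valid, or no rule matched

  // No interstitial can be shown for a POST, so render the puzzle in place
  // (no page reload) and resend the login only once it has been solved.
  return new Promise((resolve, reject) => {
    waf.renderCaptcha(container, {
      apiKey, // CAPTCHA API key generated for the client domain
      onSuccess: () => send().then(resolve, reject),
      onError: (err) => reject(err),
    });
  });
}
```

The WAF rule itself still decides when a CAPTCHA is required; this code only handles the response on the client side.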
