AWS waf documentation change
Summary
Updated metric descriptions for CaptchaRequests and ChallengeRequests to clarify token validation scope (expired/invalid/absent tokens now explicitly mentioned).
Security assessment
Provides clearer documentation about security feature telemetry but does not indicate a security vulnerability. Enhances understanding of security control metrics.
Diff
diff --git a/waf/latest/developerguide/waf-metrics.md b/waf/latest/developerguide/waf-metrics.md index 20dcce795..032aff0c4 100644 --- a//waf/latest/developerguide/waf-metrics.md +++ b//waf/latest/developerguide/waf-metrics.md @@ -50 +50 @@ AWS WAF core metrics Metric | Description -`CaptchaRequests` | The number of web requests that had CAPTCHA controls applied. Reporting criteria: There is a nonzero value. A CAPTCHA web request is one that matches a rule that has a CAPTCHA action setting. This metric records all requests that match, regardless of whether they have a valid CAPTCHA token. Valid statistics: Sum +`CaptchaRequests` | The number of web requests that had CAPTCHA controls applied. Reporting criteria: There is a nonzero value. A CAPTCHA web request is one that matches a rule that has a CAPTCHA action setting. This metric records all requests that match, regardless of whether the CAPTCHA token is expired, invalid, absent, or has a domain mismatch. Valid statistics: Sum @@ -54 +54 @@ AWS WAF core metrics Metric | Description -`ChallengeRequests` | The number of web requests that had challenge controls applied. Reporting criteria: There is a nonzero value. A challenge web request is one that matches a rule that has a Challenge action setting. This metric records all requests that match, regardless of whether they have a valid challenge token. Valid statistics: Sum +`ChallengeRequests` | The number of web requests that had challenge controls applied. Reporting criteria: There is a nonzero value. A challenge web request is one that matches a rule that has a Challenge action setting. This metric records all requests that match, regardless of whether the challenge token is expired, invalid, absent, or has a domain mismatch. Valid statistics: Sum