AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-06-19 · Documentation low

File: waf/latest/developerguide/waf-js-captcha-api.md

Summary

Added note about new console experience and updated references from 'web ACL' to 'protection pack or web ACL' in CAPTCHA configuration documentation

Security assessment

The changes expand documentation for CAPTCHA integration to include 'protection packs' alongside web ACLs, indicating enhanced security configuration options. No specific security vulnerability is addressed, but it documents security-related features.

Diff

diff --git a/waf/latest/developerguide/waf-js-captcha-api.md b/waf/latest/developerguide/waf-js-captcha-api.md
index 48ad7f0fc..0273be75e 100644
--- a//waf/latest/developerguide/waf-js-captcha-api.md
+++ b//waf/latest/developerguide/waf-js-captcha-api.md
@@ -4,0 +5,4 @@
+**Introducing a new console experience for AWS WAF**
+
+You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). 
+
@@ -35 +39 @@ The CAPTCHA script also automatically loads the intelligent threat integration s
-  2. **(Optional) Add domain configuration for the client's tokens** – By default, when AWS WAF creates a token, it uses the host domain of the resource that’s associated with the web ACL. To provide additional domains for the JavaScript APIs, follow the guidance at [Providing domains for use in the tokens](./waf-js-challenge-api-set-token-domain.html). 
+  2. **(Optional) Add domain configuration for the client's tokens** – By default, when AWS WAF creates a token, it uses the host domain of the resource that’s associated with the protection pack or web ACL. To provide additional domains for the JavaScript APIs, follow the guidance at [Providing domains for use in the tokens](./waf-js-challenge-api-set-token-domain.html). 
@@ -43 +47 @@ The CAPTCHA implementation integrates with the intelligent threat integration AP
-  5. **Add token verification in your web ACL** – Add at least one rule to your web ACL that checks for a valid CAPTCHA token in the web requests that your client sends. You can use the CAPTCHA rule action to check, as described in [CAPTCHA and Challenge in AWS WAF](./waf-captcha-and-challenge.html). 
+  5. **Add token verification in your protection pack or web ACL** – Add at least one rule to your protection pack or web ACL that checks for a valid CAPTCHA token in the web requests that your client sends. You can use the CAPTCHA rule action to check, as described in [CAPTCHA and Challenge in AWS WAF](./waf-captcha-and-challenge.html). 
@@ -45 +49 @@ The CAPTCHA implementation integrates with the intelligent threat integration AP
-The web ACL additions verify that requests going to your protected endpoints include the token that you've acquired in your client integration. Requests that include a valid, unexpired CAPTCHA token pass the CAPTCHA rule action inspection and do not present your end user with another CAPTCHA puzzle. 
+The protection pack or web ACL additions verify that requests going to your protected endpoints include the token that you've acquired in your client integration. Requests that include a valid, unexpired CAPTCHA token pass the CAPTCHA rule action inspection and do not present your end user with another CAPTCHA puzzle.