AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-06-19 · Documentation low

File: waf/latest/developerguide/waf-tokens-labeling.md

Summary

Updated token rejection labels documentation to include protection pack references and added console experience note

Security assessment

Changes refine documentation about security labeling mechanisms for rejected tokens, including domain validation references. While related to security monitoring, there's no evidence of addressing a specific security vulnerability.

Diff

diff --git a/waf/latest/developerguide/waf-tokens-labeling.md b/waf/latest/developerguide/waf-tokens-labeling.md
index a0078c816..50cdf42f4 100644
--- a//waf/latest/developerguide/waf-tokens-labeling.md
+++ b//waf/latest/developerguide/waf-tokens-labeling.md
@@ -4,0 +5,4 @@
+**Introducing a new console experience for AWS WAF**
+
+You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). 
+
@@ -56 +60 @@ Following the prefix, the rest of the label provides detailed token status infor
-    * A domain specification that's valid for the web ACL. 
+    * A domain specification that's valid for the protection pack or web ACL. 
@@ -66 +70 @@ Along with the rejected label, token management adds a custom label namespace an
-    * `rejected:expired` – The token's challenge or CAPTCHA timestamp has expired, according to your web ACL's configured token immunity times. 
+    * `rejected:expired` – The token's challenge or CAPTCHA timestamp has expired, according to your protection pack or web ACL's configured token immunity times. 
@@ -68 +72 @@ Along with the rejected label, token management adds a custom label namespace an
-    * `rejected:domain_mismatch` – The token's domain isn't a match for your web ACL's token domain configuration. 
+    * `rejected:domain_mismatch` – The token's domain isn't a match for your protection pack or web ACL's token domain configuration. 
@@ -72 +76 @@ Along with the rejected label, token management adds a custom label namespace an
-Example: The labels `awswaf:managed:captcha:rejected` and `awswaf:managed:captcha:rejected:expired` together indicate that the request didn't have a valid CAPTCHA solve because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the web ACL.
+Example: The labels `awswaf:managed:captcha:rejected` and `awswaf:managed:captcha:rejected:expired` together indicate that the request didn't have a valid CAPTCHA solve because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the protection pack or web ACL.