AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-08-22 · Documentation low

File: waf/latest/developerguide/waf-js-challenge-api.md

Summary

Updated terminology from 'protection pack or web ACL' to 'protection pack (web ACL)' throughout the document to clarify relationship between protection packs and web ACLs

Security assessment

The changes are purely terminological clarifications without introducing new security concepts or addressing vulnerabilities. The updates standardize references to web ACL configurations but don't alter security guidance or reveal new security implications.

Diff

diff --git a/waf/latest/developerguide/waf-js-challenge-api.md b/waf/latest/developerguide/waf-js-challenge-api.md
index fcfb66250..00cbf9a61 100644
--- a//waf/latest/developerguide/waf-js-challenge-api.md
+++ b//waf/latest/developerguide/waf-js-challenge-api.md
@@ -29 +29 @@ If you use the CAPTCHA API, you can skip this step. When you install the CAPTCHA
-    4. In the tab, select the protection pack or web ACL that you want to integrate with. The protection pack or web ACL list includes only protection pack or web ACLs that use the `AWSManagedRulesACFPRuleSet` managed rule group, the `AWSManagedRulesATPRuleSet` managed rule group, or the targeted protection level of the `AWSManagedRulesBotControlRuleSet` managed rule group. 
+    4. In the tab, select the protection pack (web ACL) that you want to integrate with. The protection pack (web ACL) list includes only protection packs (web ACLs) that use the `AWSManagedRulesACFPRuleSet` managed rule group, the `AWSManagedRulesATPRuleSet` managed rule group, or the targeted protection level of the `AWSManagedRulesBotControlRuleSet` managed rule group. 
@@ -33 +33 @@ If you use the CAPTCHA API, you can skip this step. When you install the CAPTCHA
-    6. In your application page code, in the `<head>` section, insert the script tag that you copied for the protection pack or web ACL. This inclusion causes your client application to automatically retrieve a token in the background on page load. 
+    6. In your application page code, in the `<head>` section, insert the script tag that you copied for the protection pack (web ACL). This inclusion causes your client application to automatically retrieve a token in the background on page load. 
@@ -36 +36 @@ If you use the CAPTCHA API, you can skip this step. When you install the CAPTCHA
-            <script type="text/javascript" src="protection pack or web ACL integration URL/challenge.js” defer></script>
+            <script type="text/javascript" src="protection pack (web ACL) integration URL/challenge.js” defer></script>
@@ -41 +41 @@ This `<script>` listing is configured with the `defer` attribute, but you can ch
-  2. **(Optional) Add domain configuration for the client's tokens** – By default, when AWS WAF creates a token, it uses the host domain of the resource that’s associated with the protection pack or web ACL. To provide additional domains for the JavaScript APIs, follow the guidance at [Providing domains for use in the tokens](./waf-js-challenge-api-set-token-domain.html). 
+  2. **(Optional) Add domain configuration for the client's tokens** – By default, when AWS WAF creates a token, it uses the host domain of the resource that’s associated with the protection pack (web ACL). To provide additional domains for the JavaScript APIs, follow the guidance at [Providing domains for use in the tokens](./waf-js-challenge-api-set-token-domain.html). 
@@ -45 +45 @@ This `<script>` listing is configured with the `defer` attribute, but you can ch
-  4. **Add token verification in your protection pack or web ACL** – Add at least one rule to your protection pack or web ACL that checks for a valid challenge token in the web requests that your client sends. You can use rule groups that check and monitor challenge tokens, like the targeted level of the Bot Control managed rule group, and you can use the Challenge rule action to check, as described in [CAPTCHA and Challenge in AWS WAF](./waf-captcha-and-challenge.html). 
+  4. **Add token verification in your protection pack (web ACL)** – Add at least one rule to your protection pack (web ACL) that checks for a valid challenge token in the web requests that your client sends. You can use rule groups that check and monitor challenge tokens, like the targeted level of the Bot Control managed rule group, and you can use the Challenge rule action to check, as described in [CAPTCHA and Challenge in AWS WAF](./waf-captcha-and-challenge.html). 
@@ -47 +47 @@ This `<script>` listing is configured with the `defer` attribute, but you can ch
-The protection pack or web ACL additions verify that requests to your protected endpoints include the token that you've acquired in your client integration. Requests that include a valid, unexpired token pass the Challenge inspection and do not send another silent challenge to your client. 
+The protection pack (web ACL) additions verify that requests to your protected endpoints include the token that you've acquired in your client integration. Requests that include a valid, unexpired token pass the Challenge inspection and do not send another silent challenge to your client.