AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2026-05-28 · Documentation low

File: waf/latest/developerguide/waf-bot-control-false-positives.md

Summary

Added warning about non-standard HTTP libraries triggering SignalNonBrowserUserAgent rule, with testing recommendations.

Security assessment

Documents false-positive avoidance for security feature (Bot Control) but doesn't indicate a specific security vulnerability fix.

Diff

diff --git a/waf/latest/developerguide/waf-bot-control-false-positives.md b/waf/latest/developerguide/waf-bot-control-false-positives.md
index 7e944f8f5..f109ecc0a 100644
--- a//waf/latest/developerguide/waf-bot-control-false-positives.md
+++ b//waf/latest/developerguide/waf-bot-control-false-positives.md
@@ -35,0 +36,4 @@ Situations where you might encounter false positives include the following:
+###### Important
+
+If your mobile app uses a non-standard HTTP library, or if users access your site through in-app browsers (such as links opened from social media apps), these clients may trigger the `SignalNonBrowserUserAgent` rule. Standard native mobile frameworks are excluded from this rule, but other non-browser user agents are not. Plan to test and add exceptions before enabling Bot Control in block mode. For an example, see [Bot Control example: Creating an exception for a blocked user agent](./waf-bot-control-example-user-agent-exception.html).
+