Commit 02d63e4

Merge pull request #300262 from halkazwini/waf-jsc
WAF JSC tweaks
2 parents 755292a + 9b3e73b commit 02d63e4

1 file changed: 16 additions & 11 deletions

@@ -1,17 +1,16 @@
11
---
2-
title: Azure Web Application Firewall JavaScript challenge (preview) overview
2+
title: Web Application Firewall JavaScript Challenge (Preview)
33
description: This article is an overview of the Azure Web Application Firewall JavaScript challenge feature.
4-
services: web-application-firewall
54
author: halkazwini
65
ms.author: halkazwini
76
ms.service: azure-web-application-firewall
87
ms.custom: devx-track-js
9-
ms.date: 06/12/2024
8+
ms.date: 06/13/2025
109
ms.topic: concept-article
1110
#customer intent: As a cloud network architect, I want to understand the Azure Web Application Firewall JavaScript challenge feature to determine if I want to deploy it.
1211
---
1312

14-
# Azure Web Application Firewall JavaScript challenge (preview) overview
13+
# Azure Web Application Firewall JavaScript challenge (preview)
1514

1615
> [!IMPORTANT]
1716
> Azure Web Application Firewall JavaScript challenge is currently in PREVIEW.
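
Review bot: The new front-matter title and the new H1 disagree on product name and capitalization. New line 2 reads "Web Application Firewall JavaScript Challenge (Preview)" (no "Azure", title case), while new line 13 reads "Azure Web Application Firewall JavaScript challenge (preview)". Use one form in both places, for example sentence case with "Azure" in each. The unchanged description on line 3 still calls the article "an overview", so decide whether dropping "overview" from the title and heading should carry through to it.
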
@@ -23,13 +22,12 @@ The JavaScript challenge is an invisible web challenge used to distinguish betwe
2322

2423
## How it works
2524

26-
When the JS Challenge is active on Azure WAF and a client's HTTP(s) request matches a specific rule, the client is shown a Microsoft JS challenge page. The user sees this page for a few seconds while the user’s browser computes the challenge. The client's browser must successfully compute a JavaScript challenge on this page to receive validation from Azure WAF. When the computation succeeds, WAF validates the request as a nonbot client and runs the rest of the WAF rules. Requests that fail to successfully compute the challenge are blocked.
25+
When the JS Challenge is active on Azure WAF and a client's HTTP(s) request matches a specific rule, the client is shown a Microsoft JS challenge page. The user sees this page for a few seconds while the user’s browser computes the challenge. The client's browser must successfully compute a JavaScript challenge on this page to receive validation from Azure WAF. When the computation succeeds, WAF validates the request as a nonbot client and runs the rest of the WAF rules. Requests that fail to successfully compute the challenge are blocked.
2726

2827
Cross-origin resource sharing (CORS) requests are challenged on each access attempt. So if a client accesses a page that triggers the JavaScript challenge from a domain different from the domain hosting the challenge, the client faces the challenge again even if the client previously passed the challenge.
2928

3029
In addition, if a client solves the JavaScript challenge and then the client’s IP address changes, the challenge is issued again.
3130

32-
3331
Here's an example JavaScript challenge page:
3432

3533
:::image type="content" source="media/waf-javascript-challenge/javascript-challenge-page.png" alt-text="Screenshot showing the JavaScript challenge page.":::
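
Review bot: New line 25 keeps "JS Challenge" and "HTTP(s)" even though the paragraph is being rewritten; the removed and added versions read identically here, so the change looks whitespace-only. Since the line is touched anyway, normalize it to "JavaScript challenge", as the heading and the rest of the article use, and to "HTTP(S)".
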
@@ -43,11 +41,18 @@ The WAF policy setting defines the JavaScript challenge cookie validity lifetime
4341
4442
## Limitations
4543

46-
- AJAX and API calls aren't supported.
47-
- If the first call that receives a JavaScript challenge has a POST body size greater than 128 KB, it blocks it. Additionally, challenges for non-HTML resources embedded in a page aren't supported. For example images, css, js, and so on. However, if there's a prior successful JavaScript challenge request, then the previous limitations are removed.
48-
- The challenge isn't supported on Microsoft Internet Explorer. The challenge is supported on the latest versions of the Microsoft Edge, Chrome, Firefox, and Safari web browsers.
49-
- The JavaScript challenge action on Web Application Firewall on Application Gateway isn't supported for *Rate Limit* type custom rules during the public preview.
44+
- **AJAX and API calls aren't supported**: JavaScript challenge doesn't apply to AJAX and API requests.
45+
46+
- **POST body size restriction**: The first request that triggers a JavaScript challenge is blocked if its POST body exceeds 128 KB.
47+
48+
- **Non-HTML embedded resources**: JavaScript challenge is designed for HTML resources. Challenges for non-HTML resources embedded in a page, such as images, CSS, JavaScript files, or similar resources, aren't supported. However, if there was a prior successful JavaScript challenge request, those limitations are lifted.
49+
50+
- **Browser compatibility**: JavaScript challenge isn't supported on Microsoft Internet Explorer. It's compatible with the latest versions of Microsoft Edge, Chrome, Firefox, and Safari web browsers.
51+
52+
- **Rate limit isn't supported**: The JavaScript challenge action on Application Gateway isn't supported for *Rate Limit* type custom rules during the public preview.
5053

5154
## Related content
5255

53-
- [Azure WAF’s Bot Manager 1.1 and JavaScript Challenge (Preview): Navigating the Bot Threat Terrain](https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-s-bot-manager-1-1-and-javascript-challenge-preview/ba-p/4249652)
56+
- [Front Door Web Application Firewall CAPTCHA](./afds/captcha-challenge.md)
57+
- [Configure a custom response for Front Door WAF](./afds/waf-front-door-configure-custom-response-code.md)
58+
- [Azure WAF’s Bot Manager 1.1 and JavaScript Challenge: Navigating the Bot Threat Terrain](https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-s-bot-manager-1-1-and-javascript-challenge-preview/ba-p/4249652)
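
Review bot: Splitting the old POST-body bullet leaves the exception "if there was a prior successful JavaScript challenge request, those limitations are lifted" attached only to the "Non-HTML embedded resources" bullet (new line 48), although in the removed text it covered both the 128 KB POST body block and the non-HTML restriction. As written, a reader can take the 128 KB block as unconditional, or cannot tell what "those limitations" refers to. Repeat the exception in the "POST body size restriction" bullet, or state it once after the list. In the first bullet, "doesn't apply to AJAX and API requests" is ambiguous about what happens to such a request when a rule with the challenge action matches it; say so explicitly, because operators need that to scope their rules. The "Rate limit" bullet also drops "Web Application Firewall on" before "Application Gateway", and the blank added lines between bullets (new lines 45, 47, 49, 51) turn a tight list into a loose one.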
