You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/web-application-firewall/waf-javascript-challenge.md
+14-9Lines changed: 14 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,12 +1,11 @@
1
1
---
2
-
title: Azure Web Application Firewall JavaScript challenge (preview) overview
2
+
title: Web Application Firewall JavaScript Challenge (Preview)
3
3
description: This article is an overview of the Azure Web Application Firewall JavaScript challenge feature.
4
-
services: web-application-firewall
5
4
author: halkazwini
6
5
ms.author: halkazwini
7
6
ms.service: azure-web-application-firewall
8
7
ms.custom: devx-track-js
9
-
ms.date: 06/12/2024
8
+
ms.date: 05/22/2025
10
9
ms.topic: concept-article
11
10
#customer intent: As a cloud network architect, I want to understand the Azure Web Application Firewall JavaScript challenge feature to determine if I want to deploy it.
12
11
---
@@ -23,13 +22,12 @@ The JavaScript challenge is an invisible web challenge used to distinguish betwe
23
22
24
23
## How it works
25
24
26
-
When the JS Challenge is active on Azure WAF and a client's HTTP(s) request matches a specific rule, the client is shown a Microsoft JS challenge page. The user sees this page for a few seconds while the user’s browser computes the challenge. The client's browser must successfully compute a JavaScript challenge on this page to receive validation from Azure WAF. When the computation succeeds, WAF validates the request as a nonbot client and runs the rest of the WAF rules. Requests that fail to successfully compute the challenge are blocked.
25
+
When the JS Challenge is active on Azure WAF and a client's HTTP(s) request matches a specific rule, the client is shown a Microsoft JS challenge page. The user sees this page for a few seconds while the user’s browser computes the challenge. The client's browser must successfully compute a JavaScript challenge on this page to receive validation from Azure WAF. When the computation succeeds, WAF validates the request as a nonbot client and runs the rest of the WAF rules. Requests that fail to successfully compute the challenge are blocked.
27
26
28
27
Cross-origin resource sharing (CORS) requests are challenged on each access attempt. So if a client accesses a page that triggers the JavaScript challenge from a domain different from the domain hosting the challenge, the client faces the challenge again even if the client previously passed the challenge.
29
28
30
29
In addition, if a client solves the JavaScript challenge and then the client’s IP address changes, the challenge is issued again.
31
30
32
-
33
31
Here's an example JavaScript challenge page:
34
32
35
33
:::image type="content" source="media/waf-javascript-challenge/javascript-challenge-page.png" alt-text="Screenshot showing the JavaScript challenge page.":::
@@ -43,11 +41,18 @@ The WAF policy setting defines the JavaScript challenge cookie validity lifetime
43
41
44
42
## Limitations
45
43
46
-
- AJAX and API calls aren't supported.
47
-
- If the first call that receives a JavaScript challenge has a POST body size greater than 128 KB, it blocks it. Additionally, challenges for non-HTML resources embedded in a page aren't supported. For example images, css, js, and so on. However, if there's a prior successful JavaScript challenge request, then the previous limitations are removed.
48
-
- The challenge isn't supported on Microsoft Internet Explorer. The challenge is supported on the latest versions of the Microsoft Edge, Chrome, Firefox, and Safari web browsers.
49
-
- The JavaScript challenge action on Web Application Firewall on Application Gateway isn't supported for *Rate Limit* type custom rules during the public preview.
44
+
-**AJAX and API calls aren't supported**: JavaScript challenge doesn't apply to AJAX and API requests.
45
+
46
+
-**POST body size restriction**: The first request that triggers a JavaScript challenge will be blocked if its POST body exceeds 128 KB. Additionally,
47
+
48
+
-**Non-HTML embedded resources**: JavaScript challenge is designed for HTML resources. Challenges for non-HTML resources embedded in a page, such as images, CSS, JavaScript files, or similar resources, aren't supported. However, if there was a prior successful JavaScript challenge request, those limitations are lifted.
49
+
50
+
-**Browser compatibility**: JavaScript challenge isn't supported on Microsoft Internet Explorer. It's compatible with the latest versions of Microsoft Edge, Chrome, Firefox, and Safari web browsers.
51
+
52
+
-**Rate Limit**: The JavaScript challenge action on Application Gateway isn't supported for *Rate Limit* type custom rules during the public preview.
50
53
51
54
## Related content
52
55
56
+
-[Front Door Web Application Firewall CAPTCHA](./afds/captcha-challenge.md)
57
+
-[Configure a custom response for Front Door WAF](./afds/waf-front-door-configure-custom-response-code.md)
53
58
-[Azure WAF’s Bot Manager 1.1 and JavaScript Challenge (Preview): Navigating the Bot Threat Terrain](https://techcommunity.microsoft.com/t5/azure-network-security-blog/azure-waf-s-bot-manager-1-1-and-javascript-challenge-preview/ba-p/4249652)
0 commit comments