Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
Azure Web Application Firewall JavaScript challenge is currently in PREVIEW. See the Supplemental Terms of Use for Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Azure Web Application Firewall (WAF) on Azure Front Door offers a JavaScript challenge feature as one of the mitigation options for advanced bot protection. It's available on the Azure Front Door premium version as an action in the custom rule set and the Bot Manager 1.x ruleset.
The JavaScript challenge is an invisible web challenge used to distinguish between legitimate users and bots. Malicious bots fail the challenge, which protects web applications. In addition, the JavaScript challenge is beneficial as it reduces friction for legitimate users. This is because it doesn't require any human intervention.
When the JS Challenge is active on Azure WAF and a client's HTTP(s) request matches a specific rule, the client is shown a Microsoft JS challenge page. The user sees this page for a few seconds while the user’s browser computes the challenge. The client's browser must successfully compute a JavaScript challenge on this page to receive validation from Azure WAF. When the computation succeeds, WAF validates the request as a nonbot client and runs the rest of the WAF rules. Requests that fail to successfully compute the challenge are blocked.
Here's an example JavaScript challenge page:
The WAF policy setting defines the JavaScript challenge cookie validity lifetime in minutes. The user is challenged after the lifetime expires. The lifetime is an integer between 5 and 1440 and the default is 30 minutes. The JavaScript challenge cookie name is afd_azwaf_jsclearance.
Note
The JavaScript challenge expiration cookie is injected into the user’s browser after successfully completing the challenge.
- AJAX and API calls aren't supported.
- If the first call that receives a JavaScript challenge has a POST body size greater than 128 KB, it blocks it. Additionally, challenges for non-HTML resources embedded in a page aren't supported. For example images, css, js, and so on. However, if there's a prior successful JavaScript challenge request, then the previous limitations are removed.
- The challenge isn't supported on Microsoft Internet Explorer. The challenge is supported on the latest versions of the Microsoft Edge, Chrome, Firefox, and Safari web browsers.
- Cross-origin resource sharing (CORS) requests result in a challenge loop. If you visit a page that triggers the JavaScript challenge action from a domain that isn't the same as the domain running the JavaScript challenge, you're challenged regardless of prior challenge passes.
- If one IP address receives the JavaScript challenge and a different IP address solves it, the computation result becomes invalid, potentially causing a challenge loop.