Stay organized with collections
Save and categorize content based on your preferences.
This document provides an overview of reCAPTCHA for WAF and its
integration with web application firewall (WAF) service providers.
reCAPTCHA provides a plugin that is deployed as a service at
the WAF layer. It enables WAFs to help you protect your
site from spam and abuse. It uses advanced risk analysis techniques to
distinguish between legitimate and fraudulent requests.
reCAPTCHA for WAF integration
reCAPTCHA provides a plugin that is responsible for
bot detection at the WAF layer to detect, stop, or manage automated
activity accessing your websites or services.
reCAPTCHA for WAF integrates with the following WAF service
providers:
To control access to the applications or services, WAF service providers use a
set of rules called policies that filter traffic based on conditions. Conditions
include IP address, IP range, region code, or request headers of an incoming
request. Cloud Armor uses security policies
and third-party WAF service providers use
reCAPTCHA firewall policies
(firewall policies).
reCAPTCHA for WAF interacts with WAF service providers
to do the following:
The end user triggers an application action protected by
reCAPTCHA for WAF.
The reCAPTCHA JavaScript client issues an encrypted token that contains
the reCAPTCHA's assessment and the associated attributes.
The reCAPTCHA token is attached to the follow-up requests.
The WAF service provider deciphers this token. Based on the token
attributes and configured security rules or firewall policy rules, the WAF
service provider allows, blocks, or redirects the incoming requests to
an interstitial challenge page.
The following diagram is a simplified graphical representation of how
the WAF service provider interacts with reCAPTCHA for WAF to
enforce frictionless assessment:
When to use reCAPTCHA for WAF integration
Use this integration when your application is already behind a WAF and you want
to decouple reCAPTCHA policy changes from frontend and backend code.
Benefits
The reCAPTCHA for WAF integration
provides the following benefits:
The backend server code does not need to be modified as the integration occurs at the WAF layer.
Frontend JavaScript does not need to be modified as reCAPTCHA for WAF integrations can dynamically inject a JavaScript client integration (for session-token and challenge-page keys) or no client at all is needed (for express keys).
Bot traffic is mitigated at the edge of your network, reducing load on your protected backend.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Integration with WAF service providers overview\n\nThis document provides an overview of reCAPTCHA for WAF and its\nintegration with web application firewall (WAF) service providers.\n\nreCAPTCHA provides a plugin that is deployed as a service at\nthe WAF layer. It enables WAFs to help you protect your\nsite from spam and abuse. It uses advanced risk analysis techniques to\ndistinguish between legitimate and fraudulent requests.\n\nreCAPTCHA for WAF integration\n-----------------------------\n\nreCAPTCHA provides a plugin that is responsible for\nbot detection at the WAF layer to detect, stop, or manage automated\nactivity accessing your websites or services.\n\nreCAPTCHA for WAF integrates with the following WAF service\nproviders:\n\n- Google Cloud's built in WAF: [Google Cloud Armor](/armor/docs/cloud-armor-overview)\n- Third-party WAF service providers: [Fastly Edge Compute](https://www.fastly.com/products/edge-compute) and [Cloudflare Workers](https://developers.cloudflare.com/workers/)\n\nTo control access to the applications or services, WAF service providers use a\nset of rules called policies that filter traffic based on conditions. Conditions\ninclude IP address, IP range, region code, or request headers of an incoming\nrequest. Cloud Armor uses [security policies](/armor/docs/security-policy-overview)\nand third-party WAF service providers use\n[reCAPTCHA firewall policies](/recaptcha/docs/firewall-policies-overview)\n(firewall policies).\n\nreCAPTCHA for WAF interacts with WAF service providers\nto do the following:\n\n1. The end user triggers an application action protected by reCAPTCHA for WAF.\n2. The reCAPTCHA JavaScript client issues an encrypted token that contains the reCAPTCHA's assessment and the associated attributes.\n3. The reCAPTCHA token is attached to the follow-up requests.\n4. The WAF service provider deciphers this token. Based on the token\n attributes and configured security rules or firewall policy rules, the WAF\n service provider allows, blocks, or redirects the incoming requests to\n an interstitial challenge page.\n\n The following diagram is a simplified graphical representation of how\n the WAF service provider interacts with reCAPTCHA for WAF to\n enforce frictionless assessment:\n\n\nWhen to use reCAPTCHA for WAF integration\n-----------------------------------------\n\nUse this integration when your application is already behind a WAF and you want\nto decouple reCAPTCHA policy changes from frontend and backend code.\n\nBenefits\n--------\n\nThe reCAPTCHA for WAF integration\nprovides the following benefits:\n\n- The backend server code does not need to be modified as the integration occurs at the WAF layer.\n- Frontend JavaScript does not need to be modified as reCAPTCHA for WAF integrations can dynamically inject a JavaScript client integration (for session-token and challenge-page keys) or no client at all is needed (for express keys).\n- Bot traffic is mitigated at the edge of your network, reducing load on your protected backend.\n- [Google Cloud Armor security policies](/armor/docs/security-policy-overview) or [reCAPTCHA firewall policy rules](/recaptcha/docs/firewall-policy-overview) simplify access rules to your protected application.\n\nWhat's next\n-----------\n\n- Learn about the [features](/recaptcha/docs/waf-features) offered by reCAPTCHA for WAF."]]