Integration with WAF service providers overview

This document provides an overview of reCAPTCHA for WAF and its integration with web application firewall (WAF) service providers.

reCAPTCHA provides a plugin that is deployed as a service at the WAF layer. It enables WAFs to help you protect your site from spam and abuse. It uses advanced risk analysis techniques to distinguish between legitimate and fraudulent requests.

reCAPTCHA for WAF integration

reCAPTCHA provides a plugin that is responsible for bot detection at the WAF layer to detect, stop, or manage automated activity accessing your websites or services.

reCAPTCHA for WAF integrates with the following WAF service providers:

To control access to applications or services, WAF service providers use a set of rules called policies that filter traffic based on conditions. Conditions include the IP address, IP range, region code, or request headers of an incoming request. Google Cloud Armor uses security policies, and third-party WAF service providers use reCAPTCHA firewall policies (firewall policies).

reCAPTCHA for WAF interacts with WAF service providers as follows:

  1. The end user triggers an application action protected by reCAPTCHA for WAF.
  2. The reCAPTCHA JavaScript client issues an encrypted token that contains the reCAPTCHA assessment and its associated attributes.
  3. The reCAPTCHA token is attached to follow-up requests.
  4. The WAF service provider deciphers this token. Based on the token attributes and the configured security rules or firewall policy rules, the WAF service provider allows the incoming request, blocks it, or redirects it to an interstitial challenge page.

    The following diagram is a simplified graphical representation of how the WAF service provider interacts with reCAPTCHA for WAF to enforce frictionless assessment:
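The decision in step 4, modelled as an added example (not Google's code and not any provider's actual rule engine). The first-match rule order, the default action, the token attribute names `valid` and `score`, the thresholds, and every address and region value are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Request:
    ip: str
    region: str
    headers: dict = field(default_factory=dict)
    token: Optional[dict] = None  # deciphered attributes; None if absent/undecipherable


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    action: str  # "allow", "block" or "redirect" (to the challenge page)


def in_range(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def usable(token: Optional[dict]) -> bool:
    # Hypothetical attribute names: "valid" and "score" (0.0 to 1.0).
    return bool(token) and token.get("valid") is True \
        and isinstance(token.get("score"), (int, float))


# Constructed policy; addresses are documentation ranges, "ZZ" is a placeholder region.
POLICY = [
    Rule("trusted-range", lambda r: in_range(r.ip, "198.51.100.0/24"), "allow"),
    Rule("blocked-region", lambda r: r.region == "ZZ", "block"),
    Rule("no-user-agent", lambda r: not r.headers.get("user-agent"), "block"),
    # Must precede the score rules: they index token["score"] without checking.
    Rule("no-usable-token", lambda r: not usable(r.token), "redirect"),
    Rule("low-score", lambda r: r.token["score"] < 0.3, "block"),
    Rule("uncertain-score", lambda r: r.token["score"] < 0.7, "redirect"),
]


def evaluate(req: Request, policy=POLICY, default: str = "allow"):
    """Return (action, rule name) for the first rule whose condition holds."""
    for rule in policy:
        if rule.condition(req):
            return rule.action, rule.name
    return default, "default"


if __name__ == "__main__":
    ua = {"user-agent": "example"}
    print(evaluate(Request("203.0.113.7", "US", ua, {"valid": True, "score": 0.9})))
    print(evaluate(Request("203.0.113.7", "US", ua)))  # no token attached
```

In this model an allow rule placed ahead of the token rules admits matching traffic without any token check, so rule order is part of the policy review.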

When to use reCAPTCHA for WAF integration

Use this integration when your application is already behind a WAF and you want to decouple reCAPTCHA policy changes from frontend and backend code.

Benefits

The reCAPTCHA for WAF integration provides the following benefits:

  • The backend server code does not need to be modified, because the integration occurs at the WAF layer.
  • Frontend JavaScript does not need to be modified, because reCAPTCHA for WAF integrations can dynamically inject a JavaScript client integration (for session-token and challenge-page keys) or need no client at all (for express keys).
  • Bot traffic is mitigated at the edge of your network, reducing load on your protected backend.
  • Google Cloud Armor security policies or reCAPTCHA firewall policy rules simplify access rules for your protected application.

What's next

  • Learn about the features offered by reCAPTCHA for WAF.