
© 2026 FlowConsent by BeBranded. All rights reserved.


AWS WAF Captcha

Category: Essential · Website

What does AWS WAF Captcha do?

AWS WAF Captcha is the captcha and challenge feature of AWS WAF. It presents a visual or invisible challenge to visitors whose requests match rules flagged as suspicious, then issues a signed token that the same browser presents on subsequent requests.

AWS WAF Captcha is a fully managed challenge feature of AWS Web Application Firewall (WAF). When a WAF rule matches a request, the visitor is served a JavaScript challenge that is either invisible (Challenge action) or visual (Captcha action). On success, AWS WAF stores a signed token in a first-party cookie so the user is not challenged again for a configurable duration. The feature integrates with CloudFront, Application Load Balancer, API Gateway and AppSync.

What AWS WAF Captcha does

AWS WAF Captcha runs a browser-side challenge that checks for headless browsers, automated tools and token replay. It collects device signals (user agent, screen, language, time zone, basic browser APIs) and behaviour signals (mouse movements, and accelerometer readings where available on mobile). The result is a signed JSON Web Token (JWT) that is returned to the AWS WAF edge and forwarded with subsequent requests in the aws-waf-token cookie.

Cookies and data collected

The main cookie is aws-waf-token, set on your own domain as HttpOnly, Secure, SameSite=None. Its default lifetime is 5 minutes for Challenge and up to 1 day for Captcha, configurable by the administrator. AWS also processes the IP, user agent, the URL path, the challenge response, and the device fingerprint signals captured by the JavaScript runtime.

GDPR and ePrivacy implications

The captcha cookie can be considered strictly necessary under Article 5(3) ePrivacy because it directly secures the service requested by the user. Behavioural signals are personal data and rely on legitimate interest (Article 6(1)(f) GDPR) for fraud and bot prevention, with a documented balancing test. AWS acts as a processor under your data processing agreement (DPA). Inform users in your privacy notice that AWS WAF Captcha is used.

Data hosting and transfers

AWS WAF runs at the edge close to the user, with EU edge locations available. AWS as a corporate entity is based in the United States and operates the central control plane in US regions. AWS participates in the EU-US Data Privacy Framework and offers Standard Contractual Clauses. Document the transfer mechanism in your record of processing activities.

How to deploy it compliantly

Treat AWS WAF Captcha as a strictly necessary security tool: enable it by default without prior consent. Disclose it transparently in your privacy notice (purpose, signals, retention, AWS as processor, US transfer mechanism). Provide an accessible alternative for users who cannot complete the challenge. Keep the token lifetime short to minimise tracking, and ensure the cookie is set only on your own first-party domain.

GDPR consent category

Essential

Websites using AWS WAF Captcha must obtain user consent under GDPR regulations.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) for fraud and bot prevention, with documented balancing test; the captcha token cookie can be considered strictly necessary for security
Risk level: medium
Applicable regulations: GDPR, ePrivacy Directive, EU-US Data Privacy Framework, EDPB Guidelines 5/2020 on consent

DPIA considerations

A DPIA can be useful when AWS WAF Captcha is deployed on consumer journeys where it could exclude legitimate users (signup, checkout, password reset). Document the signals collected (mouse, accelerometer, behaviour), the retention by AWS, the EU residency choice, and the appeal mechanism for users who fail the challenge.

Sample consent text

We use AWS WAF Captcha to protect this site from automated abuse. The captcha sets a small token cookie used to recognise you as a human for a few hours. It is strictly necessary for site security and is therefore active without prior consent.

Technical details

Tracking method: JavaScript challenge served by AWS WAF on the same origin or a CloudFront distribution, with first-party signed cookie and signal collection (mouse, sensors)
Server location: AWS edge locations chosen by the customer, including EU regions; backend correlation in AWS us-east-1
Data transferred outside the EU: AWS WAF Captcha is part of AWS WAF. The challenge is served from AWS edge locations close to the visitor, but Amazon Web Services Inc (US) operates the service and some telemetry is processed in the United States. Transfers rely on the EU-US Data Privacy Framework (AWS is certified) and on Standard Contractual Clauses with a Transfer Impact Assessment.

Third-party domains contacted

  • *.awswaf.com
  • *.tokens.awswaf.com
  • *.cloudfront.net

Cookies placed

  • Name: aws-waf-token
    Type: http_cookie
    Duration: Up to 1 day
    Purpose: First-party HttpOnly Secure JWT issued after a successful Challenge or Captcha that proves the browser is not automated.
  • Name: aws-waf-challenge
    Type: http_cookie
    Duration: Session
    Purpose: Short-lived state cookie used during the Challenge interstitial to track that the visitor is in the middle of solving a challenge.

Frequently asked questions

What cookies does AWS WAF Captcha set?

The main cookie is aws-waf-token, a first party HttpOnly Secure cookie that stores the signed JWT issued after a successful Challenge or Captcha. Its default lifetime is 5 minutes for Challenge and up to 1 day for Captcha, configurable by the WAF administrator.

Does AWS WAF Captcha require GDPR consent?

Generally no. The aws-waf-token cookie is set for security and is considered strictly necessary under Article 5(3) ePrivacy. The behavioural signals are processed on the legal basis of legitimate interest in fraud and bot prevention. Inform users in your privacy notice rather than asking for consent.

What is the legal basis for processing?

Legitimate interest under Article 6(1)(f) GDPR for fraud and bot prevention, with a documented balancing test. The cookie itself benefits from the strictly necessary exemption of Article 5(3) ePrivacy.

Are data transferred outside the EU?

AWS WAF runs at the edge close to the visitor and supports EU edge locations. AWS Inc is a US company and operates the control plane in the United States. AWS is certified under the EU-US Data Privacy Framework and offers SCCs.

Do I need a DPIA?

A DPIA is recommended for high impact deployments (financial flows, signup, password reset) where a failed captcha could exclude vulnerable users. Document the signals collected, the impact on accessibility, and the appeals mechanism.

How do I implement AWS WAF Captcha compliantly?

Apply the captcha only on rules that target abusive traffic, not on every request. Set a short token lifetime, restrict it to the first-party domain, provide an accessible alternative path (manual review, email contact) for users who cannot solve the challenge, and disclose the tool in your privacy notice.
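The deployment advice in "How to deploy it compliantly" and in this answer (challenge only abusive traffic, keep the token lifetime short, keep the cookie on your own domain) mapped onto an AWS WAF web ACL, as an added CloudFormation example that is neither FlowConsent's nor AWS's own template. The resource names, the REGIONAL scope, the /login path and the 500-requests-per-window limit are placeholder assumptions; the property names follow the AWS::WAFv2::WebACL schema.

```yaml
# Added example (not FlowConsent's or AWS's template). Assumptions: names,
# the REGIONAL scope, the /login path and the rate limit are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  LoginWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: login-captcha-acl
      Scope: REGIONAL               # use CLOUDFRONT for a distribution
      DefaultAction:
        Allow: {}                   # ordinary visitors are never challenged
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: login-captcha-acl
      # No TokenDomains property: the aws-waf-token cookie then stays on the
      # protected host's own first-party domain and is not shared across sites.
      Rules:
        - Name: captcha-login-rate
          Priority: 0
          # Only clients exceeding the rate limit on /login are challenged;
          # the scope-down statement keeps every other request out of the count.
          Statement:
            RateBasedStatement:
              Limit: 500
              AggregateKeyType: IP
              ScopeDownStatement:
                ByteMatchStatement:
                  SearchString: /login
                  PositionalConstraint: STARTS_WITH
                  FieldToMatch:
                    UriPath: {}
                  TextTransformations:
                    - Priority: 0
                      Type: LOWERCASE
          Action:
            Captcha: {}             # visual challenge; Challenge: {} is the invisible one
          # Short token lifetime: the aws-waf-token issued after a solved captcha
          # is accepted for 300 s, after which the visitor can be challenged again.
          CaptchaConfig:
            ImmunityTimeProperty:
              ImmunityTime: 300
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: captcha-login-rate
```

Pair the rule with an accessible fallback (for example the manual-review or email path mentioned above) and the privacy-notice disclosure; the web ACL alone covers only the technical side.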

Are there alternatives to AWS WAF Captcha?

Alternatives include Cloudflare Turnstile, hCaptcha, Friendly Captcha (EU based), reCAPTCHA Enterprise, MTCaptcha, Arkose Labs and Datadome. Friendly Captcha and a few others are designed to minimise tracking and host data in the EU.

How do I update my cookie policy for AWS WAF Captcha?

Add the aws-waf-token cookie as a strictly necessary security cookie. Explain that AWS WAF Captcha is used to block bots and fraud, mention AWS as processor, the EU-US Data Privacy Framework transfer basis, and reference the AWS privacy notice.