Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Using a custom domain to load AWS WAF intelligent threat APIs

0

I would like to load the AWS WAF intelligent threat APIs Javascript SDK over my custom domain instead of using the auto-generated one "Web ACL integration URL/challenge.js", I wonder if this is feasible in any way.

<script type="text/javascript" src="mydomain.com/challenge.js" defer></script>

https://docs.aws.amazon.com/waf/latest/developerguide/waf-javascript-api.html

Topics
Security, Identity, & ComplianceNetworking & Content DeliveryAWS Well-Architected Framework
Tags
Amazon CloudFrontAWS WAFSecurity
Language
English
asked a year ago264 views
1 Answer
0

Unfortunately, it is not feasible to load the AWS WAF intelligent threat APIs JavaScript SDK over your custom domain instead of using the auto-generated Web ACL integration URL. The SDK must be loaded directly from the AWS WAF domain for security reasons and to ensure proper functionality.

The integration URL provided by AWS WAF is specifically designed to work with their services and contains necessary information for the SDK to operate correctly. Using a custom domain could potentially break the functionality of the intelligent threat APIs and compromise the security measures in place.

If you have concerns about using the auto-generated URL, you can take steps to optimize its integration with your web application. For example, you can improve page load performance by changing the defer attribute to async in the script tag. This allows the script to load in parallel with the rest of your application:

<script type="text/javascript" src="Web ACL integration URL/challenge.js" async></script>

Additionally, if you're using content security policies (CSP) on your website, make sure to allowlist the AWS WAF apex domain (awswaf.com) in your CSP directives. This ensures that the JavaScript SDK can load and function properly without being blocked by security policies.

While you can't use your custom domain for loading the SDK, you can configure additional domains for use in the tokens that AWS WAF creates. This is done by setting the window.awsWafCookieDomainList global variable with one or more token domains that are compatible with your application's domain structure.

In summary, while customizing the domain for loading the AWS WAF intelligent threat APIs SDK is not possible, there are other ways to optimize its integration and ensure it works seamlessly with your web application.
Sources
AWS WAF JavaScript integrations - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Optimizing web application user experiences with AWS WAF JavaScript integrations | Networking & Content Delivery
Providing domains for use in the tokens - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Using the JavaScript API with content security policies - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content