Based on the information provided, it appears that you're encountering a TOKEN_DOMAIN_MISMATCH issue with AWS WAF CAPTCHA across subdomains. This problem can occur when the domain used for the CAPTCHA token doesn't match the domain of the API request.
Here are a few potential reasons for this issue and suggestions to resolve it:
- Cookie Domain Mismatch: Even though you've set the cookie for ".acme.com", which should cover all subdomains, AWS WAF might be strictly checking the exact domain. Try adding "api.acme.com" explicitly to your CAPTCHA configuration in AWS WAF.
- CAPTCHA Integration Configuration: Ensure that in the AWS WAF CAPTCHA Integration settings, you have listed all relevant domains, including "api.acme.com". The domains you've listed (acme.com, api.acme.com, and app.acme.com) seem correct, but double-check to make sure they are all properly configured.
- Token Handling: Make sure that when you're making the fetch request to api.acme.com, you're correctly including both the x-aws-waf-token header and the aws-waf-token cookie. The token should be the same in both places.
- CloudWatch RUM Configuration: If you're using Amazon CloudWatch RUM to monitor your application, ensure it's configured to handle multiple domains correctly. Recent updates to CloudWatch RUM allow monitoring of multiple top-level and second-level domains using a single App Monitor, which might help in your case.
- Route 53 Configuration: If you're using Amazon Route 53 for DNS, ensure that your subdomain routing is set up correctly. The records for api.acme.com should be in the correct hosted zone.
- WAF Rule Configuration: Review your WAF rules to ensure they're not inadvertently blocking or mishandling requests from api.acme.com.
If none of these suggestions resolve the issue, you may need to contact AWS support for further assistance, as there could be a configuration issue specific to your account or setup that's not immediately apparent.
Sources:
- Routing traffic for subdomains - Amazon Route 53
- CaptchaResponse - AWS WAFV2
- Amazon CloudWatch RUM now supports monitoring multiple domains with a single App Monitor - AWS
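As an added example, not part of this thread and not AWS's own integration SDK: a small offline checker in JavaScript for the two client-side points in the answer above, namely that the aws-waf-token cookie and the x-aws-waf-token header carry the same token, and that the cookie domain you put in window.awsWafCookieDomainList actually covers the host the API request goes to. The function names, the RFC 6265 domain-matching helper and the sample request are constructed for this example (the sample is modelled on the request shown later in the thread; the token values are placeholders). It only checks what the browser sends; whether the host is also listed in the WAF CAPTCHA integration's domain list is a server-side setting it cannot see.

```javascript
// RFC 6265 section 5.1.3 domain matching: a cookie Domain of "acme.com"
// (with or without a leading dot) covers acme.com and every subdomain,
// but "app.acme.com" does not cover api.acme.com.
function cookieDomainCovers(cookieDomain, host) {
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Parse a raw HTTP/1.1 request head into { method, path, headers };
// header names are lower-cased so lookups are case-insensitive.
function parseRequestHead(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.length > 0);
  const [method, path] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, path, headers };
}

// Split a Cookie request header into a name -> value map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Returns a list of findings; an empty list means the request carries the
// token consistently and the configured cookie domains cover the API host.
function checkWafTokenRequest(raw, cookieDomainList) {
  const req = parseRequestHead(raw);
  const host = req.headers["host"] || "";
  const headerToken = req.headers["x-aws-waf-token"];
  const cookieToken = parseCookies(req.headers["cookie"])["aws-waf-token"];
  const findings = [];
  if (!headerToken) findings.push("missing x-aws-waf-token header");
  if (!cookieToken) findings.push("missing aws-waf-token cookie");
  if (headerToken && cookieToken && headerToken !== cookieToken) {
    findings.push("header and cookie carry different tokens");
  }
  if (!cookieDomainList.some((d) => cookieDomainCovers(d, host))) {
    findings.push(`no entry in awsWafCookieDomainList covers ${host}`);
  }
  return findings;
}

// Constructed sample request (placeholder token, hypothetical host names).
const SAMPLE_OK = [
  "POST /v1/upload/form HTTP/1.1",
  "Host: api.acme.com",
  "Cookie: aws-waf-token=PLACEHOLDER_TOKEN",
  "Origin: https://app.acme.com",
  "X-Aws-Waf-Token: PLACEHOLDER_TOKEN",
  "",
].join("\r\n");

// Same request, but the header carries a stale token (constructed failure case).
const SAMPLE_MISMATCH = SAMPLE_OK.replace(
  "X-Aws-Waf-Token: PLACEHOLDER_TOKEN",
  "X-Aws-Waf-Token: STALE_TOKEN"
);

console.log("ok:", checkWafTokenRequest(SAMPLE_OK, [".acme.com"]));
console.log("stale header:", checkWafTokenRequest(SAMPLE_MISMATCH, [".acme.com"]));
console.log("wrong domain list:", checkWafTokenRequest(SAMPLE_OK, ["app.acme.com"]));
```

Run it against a request captured from the browser's network panel (or the API Gateway access log, if it records the Cookie and X-Aws-Waf-Token headers) before changing anything in WAF: if the checker is clean and the log still reports TOKEN_DOMAIN_MISMATCH, the problem is on the WAF configuration side rather than in how the page sends the token.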
I'm going to add more trace-details to the issue.
So the initial browser request to https://...captcha.awswaf.com/problem contains the following query params:
- kind=visual
- domain=acme.com
- locale=en-gb
- api_key=...
Since it has the domain key set to acme.com, which is the apex one, I'm assuming that setting window.awsWafCookieDomainList behaves as expected and that the resulting waf-token (if the captcha challenge is correctly solved) will be accepted by WAF for api.acme.com.
Here's the full HTTP request that hits the API Gateway:
POST /v1/upload/form HTTP/1.1
Host: api.acme.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Content-Length: 126573
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,ro;q=0.7,mo;q=0.6
Cache-Control: no-cache
Connection: close
Cookie: aws-waf-token=...
Origin: https://api.acme.com
Pragma: no-cache
Referer: https://app.acme.com/path-to-referer
Sec-Ch-Ua: "Not:A-Brand";v="24", "Chromium";v="134"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Aws-Waf-Token: ...
This leads, of course, to the infamous:
"captchaResponse": {
"responseCode": 405,
"failureReason": "TOKEN_DOMAIN_MISMATCH"
},
being logged in CloudWatch.
Hope this is a bit more useful.
Any help is highly appreciated.
Thank you
Hello,
I've encountered the same issue, have you been able to find a solution ?
Cheers
All these points have been summarised from the official AWS docs and have been tried with no avail.