AWS WAF Captcha keeps triggering

0

I've set up WAF for my API Gateway with a CAPTCHA rule for one of the endpoints:

  1. Rule 1: URI contains string "/my_protected_endpoint" AND
  2. Rule 2: HTTP method matches string "POST"

I've got a simple test page set up with the following code:

async function protectedPostRequest(data) {
    // Send the POST through the AWS WAF integration's fetch wrapper.
    const result = await AwsWafIntegration.fetch(
        `${API_URL}/my_protected_endpoint`,
        {
            method: "POST",
            headers: {
                "Content-Type": "application/json",
            },
            body: JSON.stringify(data)
        }
    );
    console.log({result});

    // A 405 here is treated as a CAPTCHA challenge from WAF.
    if (result.status === 405) {
        AwsWafCaptcha.renderCaptcha(
            document.querySelector("#container"),
            {
                apiKey: "<My API Key>",
                // Retry the original request once the puzzle is solved.
                onSuccess: () => protectedPostRequest(data),
                onError: (error) => console.log(error),
            }
        );
    } else {
        const text = await result.text?.();
        if (result.ok) {
            alert(text);
        } else {
            console.log(text || String(result));
        }
    }
}

The issue I'm running into is, even after successfully completing the CAPTCHA, the requests still result in a 405 code. I've already confirmed that the requests contain "X-Aws-Waf-Token" in the header.

I've also got a CloudFront for the API Gateway if that makes any difference.

1 Answer
0

Hi, did you properly set the "Immunity time" of your captcha? See point 7 of https://cloudcompiled.com/tutorials/aws-waf-captcha-protect-from-bots/

Once a user solves a captcha, a cookie containing the validated token will be
saved in their browser. By default the immunity time is set to 5 mins (300 seconds).
Once the immunity period expires, the user will have to solve a new Captcha to
access the protected page again.

Hope it helps!

Didier

AWS
EXPERT
answered 9 months ago
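
The retry in the question calls itself from `onSuccess`, so a 405 that persists after a solved CAPTCHA re-renders the puzzle indefinitely. The following is an added example, not code from the original post or from AWS: a bounded version of the same flow that stops and reports when WAF keeps answering 405. `postWithCaptcha`, `browserDeps`, `fetchFn`, `solveCaptcha` and `maxChallenges` are hypothetical names introduced here.

```javascript
// Added example, not code from the original post.
// Assumption: fetchFn and solveCaptcha are hypothetical injected helpers. In a
// browser they wrap AwsWafIntegration.fetch and AwsWafCaptcha.renderCaptcha
// (see browserDeps below); injecting them lets the flow run without the WAF SDK.
async function postWithCaptcha(url, data, deps) {
  const { fetchFn, solveCaptcha, maxChallenges = 2, log = console.warn } = deps;
  const init = {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(data),
  };
  let solved = 0; // number of CAPTCHA puzzles completed so far
  for (;;) {
    const response = await fetchFn(url, init);
    // Anything other than 405 is not a CAPTCHA challenge: hand it to the caller.
    if (response.status !== 405) {
      return { ok: Boolean(response.ok), status: response.status, solved, response };
    }
    if (solved >= maxChallenges) {
      // Still challenged after solved puzzles: stop instead of looping forever.
      log(`WAF still returns 405 after ${solved} solved CAPTCHA(s); ` +
          "the token is not being accepted, so review the rule configuration");
      return { ok: false, status: 405, solved, gaveUp: true, response };
    }
    await solveCaptcha(); // resolves when the user completes the puzzle
    solved += 1;
  }
}

// Browser wiring; assumes the AWS WAF integration scripts are loaded on the page.
function browserDeps(container, apiKey) {
  return {
    fetchFn: (url, init) => AwsWafIntegration.fetch(url, init),
    solveCaptcha: () =>
      new Promise((resolve, reject) =>
        AwsWafCaptcha.renderCaptcha(container, {
          apiKey,
          onSuccess: resolve,
          onError: reject,
        })
      ),
  };
}
```

A result with `gaveUp: true` and `solved` greater than zero is the condition the question describes: the puzzle was completed, yet the next request was challenged again.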
