AWS WAF can indeed cause CORS errors when it triggers a CAPTCHA check. When a request matches the criteria for a CAPTCHA check, AWS WAF will evaluate the state of the request's token. If the token is valid and unexpired, the request is allowed to proceed to the next rule, similar to a CountAction. However, if the token is missing, invalid, or expired, AWS WAF blocks the request from reaching its intended destination.
https://docs.aws.amazon.com/waf/latest/APIReference/API_CaptchaAction.html
https://docs.aws.amazon.com/waf/latest/developerguide/waf-captcha-and-challenge-actions.html
When AWS WAF blocks a request due to CAPTCHA, it generates a response back to the client which includes the header x-amzn-waf-action with a value of captcha, and the HTTP status code 405 Method Not Allowed. If the request contains an Accept header with a value of text/html, the response includes a CAPTCHA JavaScript page interstitial.
It's important to note that when AWS WAF responds with a CAPTCHA or Challenge response, it does not include CORS headers. CORS headers are a set of access control headers that tell the client's web browser which domains, HTTP methods, and HTTP headers can be used by JavaScript applications. Without CORS headers, JavaScript applications running in a client browser are not granted access to HTTP headers and are unable to read the x-amzn-waf-action header. As a result, a CORS error can occur when AWS WAF returns a CAPTCHA or Challenge response.
To resolve CORS errors, you need to configure your API Gateway and your backend integrations (such as AWS Lambda) to return the required CORS headers. This can include configuring CORS on the API resource experiencing the error, configuring your REST API integrations to return the required CORS headers, and making sure that the Access-Control-Allow-Origin header includes a list of allowed domains.
Figured it out: it was due to my WAF Captcha rule. My rule was too generic and included the OPTIONS API. I adjusted the rule to only target my POST API; once I did that the OPTIONS call succeeded, and then when I provided a valid Captcha Token with my POST request it worked.
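The answer above describes the mechanism (a CAPTCHA response is a 405 carrying x-amzn-waf-action: captcha and no CORS headers, so the browser cannot read it), and the follow-up gives the practical fix (scope the CAPTCHA rule so it does not match the browser's OPTIONS preflight, and have the backend emit CORS headers). The following is an added simulation written for this page, not AWS code and not the poster's CDK or Lambda: the path /api/submit, the origin allow-list, the `waf_token_valid` flag and the event shape are constructed assumptions, and how the real WAF token travels with the request is not modelled.

```python
"""Constructed model of a WAF CAPTCHA rule in front of API Gateway + Lambda.

Shows why a rule that also matches the OPTIONS preflight breaks CORS (the
405 CAPTCHA response carries no CORS headers), why scoping it to POST fixes
the preflight, and why the Lambda itself must return the CORS headers.
"""
from dataclasses import dataclass, field

# Assumed allow-list; a real deployment would load this from configuration.
ALLOWED_ORIGINS = {"https://app.example.com"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    waf_token_valid: bool = False  # abstracts the WAF token state (constructed)


def lambda_handler(event, context=None):
    """Backend handler returning the CORS headers API Gateway passes through."""
    # Header names reach the function with varying case; normalise them.
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    origin = headers.get("origin", "")
    cors = {}
    if origin in ALLOWED_ORIGINS:
        # Access-Control-Allow-Origin holds exactly one origin, so echo the
        # matching entry from the allow-list rather than returning "*".
        cors = {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": "POST, OPTIONS",
            "Access-Control-Allow-Headers": "content-type",
            "Vary": "Origin",
        }
    if event.get("httpMethod") == "OPTIONS":
        return {"statusCode": 204, "headers": cors, "body": ""}
    return {"statusCode": 200, "headers": cors, "body": '{"ok": true}'}


def waf_captcha_rule(req, captcha_methods):
    """Model the CAPTCHA action as the answer describes it: a matching request
    with a valid token proceeds; without one WAF answers 405 with
    x-amzn-waf-action: captcha and no CORS headers."""
    if req.path.startswith("/api/submit") and req.method in captcha_methods:
        if not req.waf_token_valid:
            return {"statusCode": 405,
                    "headers": {"x-amzn-waf-action": "captcha"},
                    "body": ""}
    # Rule did not match, or the token was valid: forward to the backend.
    event = {"httpMethod": req.method, "path": req.path, "headers": req.headers}
    return lambda_handler(event)


def browser_accepts(response, origin):
    """Would a page at `origin` be allowed to read this cross-origin response?"""
    return response["headers"].get("Access-Control-Allow-Origin") == origin


def preflight_ok(captcha_methods, origin="https://app.example.com"):
    """A preflight never carries credentials or custom headers, so it can
    never present a WAF token; it only succeeds if the rule ignores OPTIONS."""
    preflight = Request("OPTIONS", "/api/submit", {"Origin": origin})
    return browser_accepts(waf_captcha_rule(preflight, captcha_methods), origin)


def post_ok(captcha_methods, token_valid, origin="https://app.example.com"):
    post = Request("POST", "/api/submit", {"Origin": origin},
                   waf_token_valid=token_valid)
    return browser_accepts(waf_captcha_rule(post, captcha_methods), origin)


if __name__ == "__main__":
    too_generic = {"GET", "POST", "OPTIONS"}  # also matches the preflight
    scoped = {"POST"}
    print("generic rule, preflight readable:", preflight_ok(too_generic))
    print("scoped rule,  preflight readable:", preflight_ok(scoped))
    print("scoped rule,  POST without token:", post_ok(scoped, False))
    print("scoped rule,  POST with token:   ", post_ok(scoped, True))
```

Running it shows the generic rule failing the preflight and the scoped rule passing it, while a POST without a valid token is still stopped by WAF, and a POST from an origin outside the allow-list gets no Access-Control-Allow-Origin even when the token is valid. Scoping the rule to POST does not weaken the protection: the preflight carries no body, and the browser still sends the real POST only after the preflight succeeds, where the CAPTCHA check applies.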
Here is what I have done in my CDK for the API and in the Lambda. I had a CORS error which I managed to resolve prior to enabling WAF Captcha
and here are my Lambda headers