I am using AWS WAF to protect one of my backend APIs from potential bots. I have used AWSManagedRulesBotControlRuleSet with all default settings, which means that TGT_VolumetricIpTokenAbsent responds with the Challenge action if the token is expired.
On the client side, I have exactly followed the documentation: https://docs.aws.amazon.com/waf/latest/developerguide/waf-javascript-api.html, and have the following code:

    <head>
      <script type="text/javascript" src="Web ACL integration URL/challenge.js" defer></script>
    </head>
    <script>
      const login_response = await AwsWafIntegration.fetch(api_url, {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json'
        },
        body: request_body
      });
    </script>

This works 1 or 2 times, but after that AWS WAF starts to return response status 202 with the header X-Amzn-Waf-Action: challenge.
Now, I am not sure what should be done on the client side to handle this challenge action.
Any help will be much appreciated.
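
One way to detect the 202 / X-Amzn-Waf-Action: challenge response described above and retry with a fresh token, as an added example that is not part of the original post or of AWS's code. The helper names `isWafChallenge` and `fetchWithChallengeRetry` are hypothetical; in the browser the assumed wiring is `AwsWafIntegration.fetch` as `fetchImpl` and `() => AwsWafIntegration.getToken()` as `refreshToken`, both from the JavaScript API page linked in the post.

```javascript
// Added example. fetchImpl and refreshToken are injected so the logic can be
// exercised without a browser; in a page they would be (assumption):
//   fetchImpl    = (url, init) => AwsWafIntegration.fetch(url, init)
//   refreshToken = () => AwsWafIntegration.getToken()

// A WAF Challenge reply as described in the post: HTTP 202 together with the
// X-Amzn-Waf-Action: challenge response header.
// For cross-origin calls the header is only visible to script if the API
// lists it in Access-Control-Expose-Headers.
function isWafChallenge(response) {
  const action = response.headers.get('x-amzn-waf-action');
  return response.status === 202 && action !== null &&
    action.toLowerCase() === 'challenge';
}

// Send the request; if WAF answers with a challenge, ask the integration for
// a token and retry, at most maxRetries times. Throws if the challenge is
// still returned, so the caller never treats the 202 as an API response.
async function fetchWithChallengeRetry(fetchImpl, refreshToken, url, init, maxRetries = 2) {
  for (let attempt = 0; ; attempt++) {
    const response = await fetchImpl(url, init);
    if (!isWafChallenge(response)) return response;
    if (attempt >= maxRetries) {
      throw new Error(`WAF challenge not cleared after ${maxRetries} retries`);
    }
    await refreshToken();
  }
}
```

Bounding the retries matters: if the token never reaches the API (for example because the API host is outside the token's domain), an unbounded loop would only add to the request volume the rule is counting.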