Introduction
Web applications today are constantly under siege from a range of threats, including automated bots and scrapers, as well as credential-focused threats such as credential stuffing and brute-force attacks. As attackers leverage advanced automation and increasingly sophisticated attack methods, organizations need more robust and interactive security measures capable of distinguishing between legitimate users and malicious traffic.
To address these evolving challenges, Azure Front Door’s Web Application Firewall (WAF) now introduces CAPTCHA, currently available in public preview. This feature adds an interactive verification step that validates real human users while blocking automated malicious traffic in real time. By integrating CAPTCHA directly within the WAF, organizations can secure crucial user flows – such as logins, registrations, and checkout processes – from bots and scripted attacks aiming to compromise credentials, create fraudulent accounts, or harvest data, all while preserving a seamless experience for genuine users.
Overview of Azure WAF Front Door CAPTCHA
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security mechanism designed to differentiate human users from automated bots by presenting interactive challenges that only humans can reliably complete. Azure Front Door’s WAF implementation of CAPTCHA delivers this capability seamlessly, integrating directly into web traffic processing to offer real-time protection.
Azure Front Door WAF CAPTCHA is a dynamic security challenge automatically triggered when a client’s request matches a WAF rule configured with the CAPTCHA action. When activated, users are presented with an interactive CAPTCHA challenge in their browser and can verify themselves either by solving a visual puzzle or completing an audio-based task. Once successfully solved, the user’s request proceeds normally, while automated scripts and bots unable to complete the challenge are immediately blocked, effectively preventing malicious traffic.
By clearly distinguishing human users from bots, Azure WAF CAPTCHA strengthens application defenses. Key benefits include:
- Account and Access Protection – Azure WAF CAPTCHA helps protect authentication and user account workflows from automated abuse and unauthorized access.
  - Block Automated Account Creation – Stops bots from registering fake or spam accounts during sign-up.
  - Prevent Account Takeovers – Stops suspicious login attempts to protect against stolen credentials.
  - Stop Brute-Force Logins – Prevents automated password guessing and account breaches.
- Data and Resource Protection – Use CAPTCHA to defend web content and inventory from unauthorized scraping and resource hoarding.
  - Limit Web Scraping – Restricts bots from extracting proprietary data like pricing or content.
  - Prevent Inventory Hoarding – Protects e-commerce and ticketing platforms from bulk purchasing by bots.
- Fraud and Abuse Prevention – Use CAPTCHA to reduce the risk of automated abuse in transaction and engagement workflows.
  - Block Fake Transactions – Stops abuse of discounts, gift cards, or loyalty programs by scripted bots.
  - Reduce Spam and Abusive Inputs – Ensures form and comment submissions are from real users, not bots.
- Application-Layer DDoS Defense – Acts as a first line of defense to block high-volume bot requests targeting application resources.
Azure WAF Front Door CAPTCHA Key Features
Azure WAF CAPTCHA in Azure Front Door is designed to be flexible, easy to configure, and deeply integrated into WAF’s existing policy model. Below are the key features that define how CAPTCHA is activated, managed, and monitored.
Policy Settings
Azure WAF CAPTCHA includes a configurable policy setting that defines how long a user remains validated after successfully completing a challenge. This is controlled through the CAPTCHA challenge cookie, which is injected into the user’s browser upon solving the challenge.
- The cookie is named afd_azwaf_captcha, and its validity period determines how long a user is exempt from repeated challenges.
- The cookie validity period can be set between 5 and 1,440 minutes, with a default of 30 minutes.
Once the cookie expires, the user will be prompted to complete the CAPTCHA again if they trigger a matching rule. This setting helps balance security and user experience by reducing repetitive challenges for legitimate users while still enforcing protection over time.
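To make the cookie lifetime rules concrete, here is a small Python model of the challenge-cookie lifecycle, added as an illustration rather than taken from the article or from Azure's implementation. It encodes only what the text above states (cookie name afd_azwaf_captcha, a validity window of 5 to 1,440 minutes with a default of 30, re-challenge after expiry); the RequestUri match condition, the token format, the simulated clock, and the choice to reject out-of-range values rather than clamp them are assumptions of this example.

```python
"""
Simplified model of the Azure Front Door WAF CAPTCHA challenge-cookie lifecycle.

Added illustration, not Azure's code. It encodes the documented behaviour
(cookie name afd_azwaf_captcha, validity 5-1440 minutes, default 30,
re-challenge after expiry). The rule matcher, the token format and the
minute-based clock are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import secrets

COOKIE_NAME = "afd_azwaf_captcha"
MIN_VALIDITY_MIN = 5
MAX_VALIDITY_MIN = 1440
DEFAULT_VALIDITY_MIN = 30


def clamp_validity(minutes: Optional[int]) -> int:
    """Return the effective cookie validity, enforcing the documented bounds.

    None means "not configured" and yields the 30-minute default; values
    outside 5-1440 are rejected (assumption: the portal refuses them too).
    """
    if minutes is None:
        return DEFAULT_VALIDITY_MIN
    if not MIN_VALIDITY_MIN <= minutes <= MAX_VALIDITY_MIN:
        raise ValueError(
            f"validity must be between {MIN_VALIDITY_MIN} and {MAX_VALIDITY_MIN} minutes"
        )
    return minutes


@dataclass
class CaptchaPolicy:
    """A custom rule with action CAPTCHA plus the policy-level cookie setting."""

    validity_min: Optional[int] = None
    uri_contains: str = "/ftp"  # match condition, as in the article's demo rule
    # token -> expiry time in simulated minutes (stands in for the WAF's validated state)
    _tokens: Dict[str, float] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.validity_min = clamp_validity(self.validity_min)

    def evaluate(self, request_uri: str, cookies: Dict[str, str], now_min: float) -> str:
        """Return 'allow' or 'challenge' for one request arriving at now_min."""
        if self.uri_contains not in request_uri:
            return "allow"  # rule did not match, so CAPTCHA never applies
        expiry = self._tokens.get(cookies.get(COOKIE_NAME, ""))
        if expiry is not None and now_min < expiry:
            return "allow"  # valid challenge cookie: user is exempt from repeat challenges
        return "challenge"  # no cookie, unknown token, or expired: issue the challenge

    def solve(self, now_min: float) -> Dict[str, str]:
        """Simulate a successfully solved challenge; returns the cookie the browser stores."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = now_min + self.validity_min
        return {COOKIE_NAME: token}


def walkthrough(validity_min: int = 5) -> List[str]:
    """Replay the demo flow: first /ftp request is challenged, solving it grants an
    exemption, and the exemption lapses once the configured validity has passed."""
    policy = CaptchaPolicy(validity_min=validity_min)
    outcomes = []
    outcomes.append(policy.evaluate("/index.html", {}, now_min=0))      # allow: rule not matched
    outcomes.append(policy.evaluate("/ftp", {}, now_min=0))             # challenge issued
    cookie = policy.solve(now_min=0)
    outcomes.append(policy.evaluate("/ftp/files", cookie, now_min=4))   # allow: cookie still valid
    outcomes.append(policy.evaluate("/ftp", cookie, now_min=validity_min + 1))  # challenge: expired
    return outcomes


if __name__ == "__main__":
    print(walkthrough())
```

The model is deliberately stateless on the client side: the browser only holds the cookie, and the server-side table decides whether it is still valid, which is why presenting a forged or expired token simply results in a fresh challenge.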
Integration with Bot Manager Rules
CAPTCHA can be enabled directly in the Bot Manager rulesets, allowing administrators to apply CAPTCHA as an enforcement action. To enable the CAPTCHA challenge within the Bot Manager’s managed rules, users can navigate to the managed rules section in their WAF policy and adjust the actions for each rule group. This setup is ideal for mitigating automated logins, credential stuffing, and other bot-driven behaviors with minimal configuration.
Custom Rule Support
For more targeted scenarios, CAPTCHA can be configured as the action in a custom rule. This allows precise control over when and where the challenge is triggered – based on URI, method, headers, geo-location, or user-agent patterns. Common examples include applying CAPTCHA to login endpoints, sign-up forms, or regions known for bot traffic.
Monitoring
Detailed logs and metrics are captured whenever the CAPTCHA challenge is triggered. This allows security administrators to track the CAPTCHA challenges and analyze traffic patterns and security incidents.
The “Web Application Firewall CAPTCHA Request Count” metric within Azure Front Door displays the number of CAPTCHA requests evaluated by the Web Application Firewall.
When WAF diagnostic logging is enabled, each CAPTCHA event is written to the AzureDiagnostics table. These logs can be queried to see which endpoints triggered challenges, the outcome of each event (Issued, Passed, Valid, or Blocked), the client IP and user agent, and the timestamp of the interaction. By analyzing this data, you can calculate solve rates, identify problem spots where users are repeatedly challenged or blocked, and fine-tune your rules to improve both security and user experience.
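As an added example (not from the article, and not Azure tooling), the following Python script computes the solve rates and problem spots described above from a handful of constructed CAPTCHA log records. The records mimic exported AzureDiagnostics rows; their field names (action, requestUri, clientIp, userAgent, ruleName) and sample values are assumptions based on the text, so map them to the actual column names in your workspace before running it over a real export.

```python
"""
Solve-rate and problem-spot analysis over Front Door WAF CAPTCHA diagnostic events.

Added example, not part of the article or of Azure. SAMPLE_LOG_LINES is a
constructed export (one JSON object per line); the field names approximate
the diagnostic schema and are assumptions of this example.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List

OUTCOMES = ("Issued", "Passed", "Valid", "Blocked")

# Constructed sample events (documentation IP ranges, not real traffic).
SAMPLE_LOG_LINES = """\
{"time":"2025-05-23T10:00:01Z","action":"Issued","requestUri":"/login","clientIp":"203.0.113.10","userAgent":"Mozilla/5.0","ruleName":"captcha-login"}
{"time":"2025-05-23T10:00:09Z","action":"Passed","requestUri":"/login","clientIp":"203.0.113.10","userAgent":"Mozilla/5.0","ruleName":"captcha-login"}
{"time":"2025-05-23T10:00:12Z","action":"Valid","requestUri":"/account","clientIp":"203.0.113.10","userAgent":"Mozilla/5.0","ruleName":"captcha-login"}
{"time":"2025-05-23T10:00:40Z","action":"Issued","requestUri":"/login","clientIp":"203.0.113.11","userAgent":"Mozilla/5.0","ruleName":"captcha-login"}
{"time":"2025-05-23T10:00:55Z","action":"Passed","requestUri":"/login","clientIp":"203.0.113.11","userAgent":"Mozilla/5.0","ruleName":"captcha-login"}
{"time":"2025-05-23T10:01:00Z","action":"Issued","requestUri":"/login","clientIp":"198.51.100.7","userAgent":"curl/8.0","ruleName":"Bot100200"}
{"time":"2025-05-23T10:01:01Z","action":"Blocked","requestUri":"/login","clientIp":"198.51.100.7","userAgent":"curl/8.0","ruleName":"Bot100200"}
{"time":"2025-05-23T10:01:02Z","action":"Issued","requestUri":"/login","clientIp":"198.51.100.7","userAgent":"curl/8.0","ruleName":"Bot100200"}
{"time":"2025-05-23T10:01:03Z","action":"Blocked","requestUri":"/login","clientIp":"198.51.100.7","userAgent":"curl/8.0","ruleName":"Bot100200"}
{"time":"2025-05-23T10:02:00Z","action":"Issued","requestUri":"/ftp","clientIp":"192.0.2.44","userAgent":"Mozilla/5.0","ruleName":"captcha-ftp"}
{"time":"2025-05-23T10:02:30Z","action":"Issued","requestUri":"/ftp","clientIp":"192.0.2.44","userAgent":"Mozilla/5.0","ruleName":"captcha-ftp"}
{"time":"2025-05-23T10:03:00Z","action":"Issued","requestUri":"/ftp","clientIp":"192.0.2.44","userAgent":"Mozilla/5.0","ruleName":"captcha-ftp"}
{"time":"2025-05-23T10:03:20Z","action":"Passed","requestUri":"/ftp","clientIp":"192.0.2.44","userAgent":"Mozilla/5.0","ruleName":"captcha-ftp"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines export, keeping only records with a known CAPTCHA outcome."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("action") in OUTCOMES:
            events.append(rec)
    return events


def summarize(events: List[dict]) -> Dict[str, dict]:
    """Per-endpoint outcome counts and solve rate (Passed / Issued)."""
    counts: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        counts[e["requestUri"]][e["action"]] += 1
    summary = {}
    for uri, c in counts.items():
        issued = c["Issued"]
        summary[uri] = {
            "issued": issued,
            "passed": c["Passed"],
            "valid": c["Valid"],
            "blocked": c["Blocked"],
            # None when no challenge was issued on this endpoint (only cookie-validated hits)
            "solve_rate": round(c["Passed"] / issued, 2) if issued else None,
        }
    return summary


def problem_spots(events: List[dict], max_issued_per_client: int = 2) -> List[dict]:
    """Flag client/endpoint pairs that were challenged repeatedly or blocked.

    Repeated challenges from one client suggest a rule that fires too broadly or a
    cookie lifetime that is too short; blocks show clients that never solve it.
    """
    issued: Counter = Counter()
    blocked: Counter = Counter()
    for e in events:
        key = (e["clientIp"], e["requestUri"])
        if e["action"] == "Issued":
            issued[key] += 1
        elif e["action"] == "Blocked":
            blocked[key] += 1
    flagged = []
    for key in set(issued) | set(blocked):
        if issued[key] > max_issued_per_client or blocked[key]:
            flagged.append({"clientIp": key[0], "requestUri": key[1],
                            "issued": issued[key], "blocked": blocked[key]})
    return sorted(flagged, key=lambda f: (f["requestUri"], f["clientIp"]))


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG_LINES)
    print(json.dumps(summarize(evts), indent=2))
    print(json.dumps(problem_spots(evts), indent=2))
```

Solve rate is computed against Issued rather than all events because Valid entries are requests admitted on an existing cookie; counting them would inflate the apparent success of the challenge itself.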
Pricing
Azure Front Door WAF CAPTCHA is currently in public preview and pricing details are available on Pricing – Front Door | Microsoft Azure.
Enabling and using the CAPTCHA challenge
CAPTCHA in the Bot Manager ruleset
As described in the previous section, the CAPTCHA challenge can be enabled within both the Bot Manager ruleset and custom rules.
To enable it within the Bot Manager ruleset, simply navigate to the Managed Rules section of your WAF policy in Azure Front Door, select the Bot Manager rule you want to configure, and change the action to CAPTCHA challenge. Within the Policy Settings, you can adjust the CAPTCHA challenge cookie’s validity period, with options ranging from 5 to 1,440 minutes.
To demonstrate how Azure WAF Front Door issues a CAPTCHA challenge via a Bot Manager rule, we will simulate bot-like requests using PowerShell. In our setup, we have configured Azure Front Door with a WAF policy that has the Bot Manager 1.1 ruleset enabled and the action set to CAPTCHA for the rules Bot100100 (Malicious bots detected by threat intelligence) and Bot100200 (Malicious bots that have falsified their identity). Behind this Azure Front Door, a web application is running and is actively protected by the WAF. We use two PowerShell snippets – one sending a known crawler User-Agent, the other spoofing a high-risk IP via X-Forwarded-For – to trigger the CAPTCHA rule. You can use Postman, Visual Studio, or any other HTTP client to send these requests; this example uses PowerShell.
From the results we observe a 403 Forbidden status code in both cases, indicating that the WAF issued the CAPTCHA challenge and then blocked the request because no valid token was returned. The requests are also visible in the Front Door WAF diagnostic logs.
This confirms that the Bot Manager rule correctly triggered the CAPTCHA action and enforced a block since the client could not complete the interactive challenge.
CAPTCHA in custom rules
For custom rules, you define exactly when the CAPTCHA challenge appears by creating a match or rate-limit rule with the action set to CAPTCHA. In the policy’s Policy Settings, you can also configure the CAPTCHA cookie lifetime – anywhere from 5 to 1,440 minutes – so that users remain validated for the duration you choose.
To demonstrate the CAPTCHA challenge in action, we set up a simple scenario using Azure Front Door with a WAF policy with our custom rule created above. Behind the Front Door endpoint, a demo web application is running. The rule inspects the RequestUri and issues a CAPTCHA challenge when the URI contains /ftp. In Policy Settings, we set the CAPTCHA cookie validity to 5 minutes.
In our browser, we navigate to our web application and click on the link that leads to the /ftp path. The browser briefly displays the CAPTCHA form, confirming that the challenge is active.
We are presented with the CAPTCHA challenge page, select the puzzle option and proceed to solve it:
After solving the puzzle, the afd_azwaf_captcha cookie appears under Response Headers. The same cookie will be sent with each subsequent request, preventing repeated challenges within the cookie lifetime and ensuring smooth navigation.
The Front Door WAF logs provide detailed insight into CAPTCHA challenge requests, showing issued and passed challenges as well as requests admitted on a still-valid cookie.
Conclusion
Malicious bots continue to threaten web applications with automated account creation, credential abuse, and data scraping. Azure Front Door WAF’s CAPTCHA challenge delivers an interactive verification step that stops sophisticated bots at the edge, complementing Bot Manager and JavaScript challenge protections. By issuing puzzles or audio challenges only on high-risk requests and tracking outcomes through built-in metrics and logs, CAPTCHA ensures genuine users navigate your site without interruption while blocking automated attacks. Together, these features provide a powerful, adaptive defense against evolving bot threats, helping organizations maintain application integrity and deliver a seamless experience for real users.
References
Introduction to Azure Web Application Firewall | Microsoft Learn
Public Preview of Azure WAF CAPTCHA Challenge for Azure Front Door | Microsoft Community Hub
Azure Front Door Web Application Firewall CAPTCHA (preview) | Microsoft Learn
Web Application Firewall (WAF) on Azure Front Door | Microsoft Learn
Web application firewall custom rule for Azure Front Door | Microsoft Learn