
WAF and Captcha Combination Service
Last updated:2025-07-24 14:04:54

Background

The Tencent Cloud WAF and Tencent Cloud Captcha Combination Service solution helps customers assess whether incoming requests come from automated clients and act on the malicious ones.
The combined service uses risk analysis to distinguish real users from automated clients. Once the WAF user's Captcha service is configured with its website key and CaptchaAppId, the Captcha service issues an encrypted Ticket to WAF that carries the attributes describing the associated risk. WAF decrypts this Ticket inside its own engine, with no additional request to or response from the Captcha service. Based on the Ticket's attributes, WAF can allow, deny, redirect, or rate-limit the incoming request.

Applicable Scenarios

This section introduces how to use the WAF traffic management module to reduce access from automated clients.

Prerequisites

You have purchased the Captcha service and Web Application Firewall (Premium edition or above) in a region outside the Chinese mainland, and have completed WAF integration.

Scheme Principle

After the customer's business is integrated with Tencent Cloud's Captcha service, a captcha loading request is triggered automatically. When a user visits the business and completes the captcha interaction, the captcha server generates a Ticket containing the verification information and returns it to the business end. The business end adds this Ticket and the CaptchaAppId to the HTTP request header and submits them together with the business request to the WAF server. The WAF server decrypts the Ticket using the CaptchaAppId and matches the verification results (captcha risk type, device risk, token score, and similar parameters) against the custom rules configured in WAF (access control, precise allowlist, rule allowlist, custom CC rules). The WAF server then executes the matching custom security rule, which provides the security protection for the business request. The whole process relies on asymmetric encryption and signature verification so that the verification result cannot be forged or tampered with.


Operation Steps

1. Log in to the Captcha service console, click Manage CAPTCHAs in the left sidebar, and open the Captcha management page. On this page you can create a Captcha or edit an existing Captcha service.
2. On the Create Captcha or Edit Captcha page, enable WAF service under Other Configuration Items and click Save. This produces the CaptchaAppId and the key WAF uses to decrypt the Ticket, which keeps the later Ticket verification secure against verification bypasses such as spoofing, replay, and tampering.
3. Integrate the Captcha service into the business release. The captcha is then triggered automatically while real users go through the business flow, producing a user verification ticket (Ticket) that is passed on to the backend WAF and the origin server.
4. Configure Captcha-related security rules in WAF (see Set allowlist rule, Set custom allow rule, Set Access Control Rule, and Set CC protection rule). Based on the matching result of the custom security rules, the system handles the current request automatically (for example, allowing legitimate requests, blocking high-risk requests, redirecting to a configured path, logging an observation record only, or requiring re-verification), which provides the security protection for the business request.

Captcha related match mode field description:

Match Field         | Matching Parameter | Logical Symbol | Match Content Description
Captcha RiskType    | None | Value equals, Value not equal to | Enter an integer value in [0-255] (the binary risk value converted to decimal).
Captcha RiskType    | None | Belong, Not belong to | Enter integer values in [0-255], one per line. A maximum of 50 values is allowed.
Captcha RiskType    | None | Exist, Not exist | None
Captcha Device Risk | None | Belong, Not belong to | Select a device risk category: 101, 201, 301, 401, 501, 601, 701.
Captcha Device Risk | None | Exist, Not exist | None
Captcha Token Score | None | Value equals, Value greater than, Value less than, Value less than or equal to, Value greater than or equal to | Enter an integer value in [0-100].
Captcha Token Score | None | Exist, Not exist | None
Note:
For detailed parameter description after decrypting the Ticket, check the Captcha product document Integration with Web Application Firewall.
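The following Python script is an added illustration of the match semantics in the table above and of the rule-matching step described under Scheme Principle. It is not Tencent Cloud code and does not reproduce WAF's real rule engine: the attribute names on the decrypted Ticket (risk_type, device_risk, token_score), the operator keywords, the action names and the first-match rule order are assumptions made for this example. The value ranges, the 50-value limit for Belong rules and the device risk categories come from the table. The sample ticket values and rules are constructed.

```python
"""Toy evaluator for WAF's Captcha match fields (added example, not Tencent Cloud code)."""
from dataclasses import dataclass
from typing import Any, List, Optional

# Device risk categories and input limits as listed in the match mode table.
DEVICE_RISK_CATEGORIES = {101, 201, 301, 401, 501, 601, 701}
MAX_BELONG_VALUES = 50

# Operators the table allows per field (keyword names are this example's own).
ALLOWED_OPERATORS = {
    "risk_type": {"eq", "ne", "in", "not_in", "exist", "not_exist"},
    "device_risk": {"in", "not_in", "exist", "not_exist"},
    "token_score": {"eq", "gt", "lt", "le", "ge", "exist", "not_exist"},
}

OPERATORS = {
    "eq": lambda a, v: a == v,
    "ne": lambda a, v: a != v,
    "gt": lambda a, v: a > v,
    "lt": lambda a, v: a < v,
    "ge": lambda a, v: a >= v,
    "le": lambda a, v: a <= v,
    "in": lambda a, v: a in v,
    "not_in": lambda a, v: a not in v,
}


@dataclass
class TicketFields:
    """Constructed stand-in for the fields WAF reads from a decrypted Ticket.
    A request without a Ticket leaves every field None, which is exactly what
    the 'Exist / Not exist' operators test for."""
    risk_type: Optional[int] = None     # 0-255: decimal form of the risk bit field
    device_risk: Optional[int] = None   # one of DEVICE_RISK_CATEGORIES
    token_score: Optional[int] = None   # 0-100


@dataclass
class Rule:
    match_field: str        # "risk_type" | "device_risk" | "token_score"
    operator: str           # key of ALLOWED_OPERATORS[match_field]
    value: Any = None       # int, list of ints, or None for exist / not_exist
    action: str = "block"   # allow | block | observe | redirect | reverify


def risk_bits_to_decimal(bits: str) -> int:
    """Convert a binary RiskType string into the decimal value the console expects."""
    value = int(bits, 2)
    if not 0 <= value <= 255:
        raise ValueError("RiskType must fit in 8 bits (0-255)")
    return value


def validate_rule(rule: Rule) -> None:
    """Reject rules that violate the operator set and input limits of the table."""
    if rule.operator not in ALLOWED_OPERATORS[rule.match_field]:
        raise ValueError(f"{rule.operator} is not allowed for {rule.match_field}")
    if rule.operator in ("exist", "not_exist"):
        return
    values = rule.value if isinstance(rule.value, list) else [rule.value]
    if rule.match_field == "device_risk":
        unknown = set(values) - DEVICE_RISK_CATEGORIES
        if unknown:
            raise ValueError(f"unknown device risk categories: {sorted(unknown)}")
        return
    if rule.operator in ("in", "not_in") and len(values) > MAX_BELONG_VALUES:
        raise ValueError(f"at most {MAX_BELONG_VALUES} values per Belong rule")
    upper = 255 if rule.match_field == "risk_type" else 100
    for v in values:
        if not 0 <= v <= upper:
            raise ValueError(f"{rule.match_field} values must be within [0-{upper}]")


def evaluate(rule: Rule, ticket: TicketFields) -> bool:
    """Apply one rule to the decrypted Ticket fields."""
    actual = getattr(ticket, rule.match_field)
    if rule.operator == "exist":
        return actual is not None
    if rule.operator == "not_exist":
        return actual is None
    if actual is None:  # a missing field never satisfies a value comparison
        return False
    return OPERATORS[rule.operator](actual, rule.value)


def decide(ticket: TicketFields, rules: List[Rule], default: str = "allow") -> str:
    """Return the action of the first matching rule (first-match order is an assumption)."""
    for rule in rules:
        validate_rule(rule)
        if evaluate(rule, ticket):
            return rule.action
    return default


# Constructed sample policy: demand re-verification when no Ticket is present,
# block risky devices and low scores, only observe one specific risk bit pattern.
SAMPLE_RULES = [
    Rule("token_score", "not_exist", None, "reverify"),
    Rule("device_risk", "in", [501, 601, 701], "block"),
    Rule("risk_type", "in", [risk_bits_to_decimal("00000101")], "observe"),
    Rule("token_score", "lt", 30, "block"),
]

if __name__ == "__main__":
    verified = TicketFields(risk_type=0, device_risk=101, token_score=90)
    print(decide(verified, SAMPLE_RULES))       # allow
    print(decide(TicketFields(), SAMPLE_RULES))  # reverify
```

The point of the None handling is the edge case a practitioner trips over most often: a request that never went through the captcha carries no Ticket, so a "Value less than 30" rule alone would silently let it through, and an explicit "Not exist" rule is what catches it.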