Integration with WAF service providers overview

This document provides an overview of reCAPTCHA Enterprise for WAF and its integration with web application firewall (WAF) service providers.

reCAPTCHA Enterprise for WAF is a feature that is deployed as a service at the WAF layer. It enables WAFs to help you protect your site from spam and abuse. It uses advanced risk analysis techniques to distinguish between legitimate and fraudulent requests.

reCAPTCHA Enterprise for WAF integration

reCAPTCHA Enterprise for WAF integrates with WAF service providers to provide bot detection at the WAF layer, so that you can detect, stop, or manage automated activity accessing your websites or services.

reCAPTCHA Enterprise for WAF integrates with the following WAF service providers:

To control access to the applications or services, WAF service providers use a set of rules called policies that filter traffic based on conditions. Conditions include IP address, IP range, region code, or request headers of an incoming request. Google Cloud Armor uses security policies and third-party WAF service providers use reCAPTCHA firewall policies (firewall policies).

reCAPTCHA Enterprise for WAF interacts with WAF service providers to do the following:

  • Enforce frictionless assessment.

    In this interaction, the following events take place:

    1. The end user triggers an application action protected by reCAPTCHA Enterprise for WAF.
    2. reCAPTCHA Enterprise for WAF issues an encrypted token that contains the reCAPTCHA Enterprise assessment and the associated attributes.
    3. The reCAPTCHA token is attached to the follow-up requests.
    4. The WAF service provider deciphers this token. Based on the token attributes and configured security rules or firewall policy rules, the WAF service provider allows, blocks, or redirects the incoming requests.

    The following diagram is a simplified graphical representation of how the WAF service provider interacts with reCAPTCHA Enterprise for WAF to enforce frictionless assessment:

  • Serve reCAPTCHA challenge pages to the end users.

    In this interaction, the following events take place:

    1. A user accesses your website.
    2. Your WAF service provider redirects the traffic based on your configured security policy rules or firewall policy rules, whichever is applicable.
    3. reCAPTCHA Enterprise for WAF attaches an exemption cookie to the browser of the user who passes the reCAPTCHA assessment.
    4. Based on the configured security policies or firewall policies, the WAF service provider allows access to requests that have valid exemption cookies.

    The following diagram is a simplified graphical representation of how the WAF service providers interact with reCAPTCHA Enterprise for WAF to serve reCAPTCHA challenges to end users:
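
The two interactions described above can be modelled as one ordered policy evaluated at the WAF, shown here as an added example that is not code from reCAPTCHA Enterprise or from any WAF service provider. The token fields (`valid`, `score`), the thresholds, the `/login` path, the rule order and the IP range are assumptions chosen for illustration, and the token is represented as already deciphered.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

@dataclass
class Request:
    src_ip: str
    path: str
    token: Optional[dict] = None   # hypothetical deciphered token attributes
    exemption_valid: bool = False  # WAF already validated an exemption cookie

@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str                    # "allow", "block" or "redirect"

def token_score(req):
    """Return the score of a valid token, or None if absent or invalid."""
    if req.token and req.token.get("valid") is True:
        return req.token.get("score")
    return None

def score_below(req, threshold):
    score = token_score(req)
    return score is not None and score < threshold

def in_range(req, cidr):
    return ip_address(req.src_ip) in ip_network(cidr)

# Ordered policy, first match wins. Thresholds and range are constructed.
POLICY = [
    Rule("blocked-range", lambda r: in_range(r, "203.0.113.0/24"), "block"),
    Rule("exemption-cookie", lambda r: r.exemption_valid, "allow"),
    Rule("login-no-token",
         lambda r: r.path == "/login" and token_score(r) is None, "redirect"),
    Rule("login-low-score",
         lambda r: r.path == "/login" and score_below(r, 0.3), "block"),
    Rule("login-mid-score",
         lambda r: r.path == "/login" and score_below(r, 0.7), "redirect"),
]

def evaluate(req, policy=POLICY, default="allow"):
    """Return (action, rule name) for the first matching rule."""
    for rule in policy:
        if rule.matches(req):
            return rule.action, rule.name
    return default, "default"
```

A missing or invalid token on the protected path is redirected to a challenge rather than allowed, and the IP-range rule is placed first so that an exemption cookie cannot override it.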

When to use reCAPTCHA Enterprise for WAF integration

Use this integration when you need to deploy effective strategies that detect, stop, or manage automated malicious activity that is attempting to access your websites or services.

Benefits

The reCAPTCHA Enterprise for WAF integration with WAF service providers provides the following benefits:

  • Reduces the integration complexity with reCAPTCHA Enterprise for WAF. You don't need to modify your protected applications or application servers to fetch or enforce reCAPTCHA Enterprise assessments.
  • Mitigates bot traffic at the edge of your network, before the traffic reaches the protected application.

What's next

  • Learn about the features offered by reCAPTCHA Enterprise for WAF.