CAPTCHA

This function allows us to block requests made to our website by bots, ensuring that the traffic received comes from humans.

With this purpose in mind, CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) consist of small automated tests or challenges that can differentiate between human users and automated programs (bots). Specifically, the implementation of this function is based on the reCAPTCHA solution offered by Google.

This function is invoked through our TCDN-Command header, which must include the value show-captcha. The syntax of the function is as follows: show-captcha[:<ttl>].

Internally, when a user successfully completes the CAPTCHA challenge, a cookie called TCDN-Captcha-UID is assigned to their browser. This cookie uniquely identifies the user's session and prevents them from being repeatedly asked to pass the CAPTCHA challenge. By default, the cookie has a finite time to live (ttl) of one hour; once this time has elapsed, the user will need to complete a new CAPTCHA challenge. The optional parameter <ttl> allows us to control the lifetime of this session cookie.

For example, if we wanted to limit the presence of bots on our domain mi-dominio.es without excessively inconveniencing legitimate users, we could implement a CAPTCHA with an 8-hour TTL. In this case, we would deploy a VCL configuration similar to the following from the dashboard:

# show-captcha
sub vcl_recv {
    if (req.http.host == "www.mi-dominio.es") {
        set req.http.TCDN-Command = "show-captcha:28800s";
    }
}

In this way, if the user successfully completes the CAPTCHA challenge, they will be assigned the TCDN-Captcha-UID cookie and can continue browsing normally for the next eight hours, after which they will be presented with the CAPTCHA again. Alternatively, if the user is unable to solve the challenge, they will receive a 403 status code response (Robots are not allowed here!).

Of course, this is just a small example of a very specific use case. If you have any questions about how to integrate this functionality into your own domain, please don't hesitate to contact us at soporte@transparentcdn.com.