
Enable and configure CAPTCHA Challenge

Implementation Effort: Low

User Impact: Medium

Overview

Automated bots are a common source of application abuse, including credential stuffing, brute-force attacks, and form submission spam. These attacks often target high‑value user workflows such as sign‑in, registration, and checkout processes, where distinguishing legitimate users from automated traffic is critical.

CAPTCHA in Azure Web Application Firewall (WAF) introduces an interactive human verification step that helps ensure requests originate from real users before allowing access to protected application resources.

CAPTCHA can be enforced through Bot Manager rules or custom WAF rules on Azure Front Door WAF. When a request matches a rule configured with the CAPTCHA action, the client is presented with a Microsoft CAPTCHA challenge. Requests that successfully complete the challenge are validated and allowed to proceed, while requests that fail are blocked. This approach aligns with Zero Trust principles by verifying explicitly at moments of elevated risk and assuming breach for suspicious traffic, reducing automated abuse while maintaining controlled access to sensitive application workflows.
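The following Bicep fragment is an added example, not configuration from this page or from Microsoft, showing how a custom WAF rule with the CAPTCHA action is typically scoped to the high-value workflows the overview names (sign-in and registration) rather than to the whole site. Property names follow the Front Door WAF policy schema as the editor recalls it; the resource name, paths, priority and the action value `CAPTCHA` are assumptions that should be checked against the current ARM reference for `Microsoft.Network/FrontDoorWebApplicationFirewallPolicies` before use.

```bicep
// Added example (not from the original page). Assumed names: the policy
// name, the sign-in/registration paths and the expiry value are constructed.
resource wafPolicy 'Microsoft.Network/FrontDoorWebApplicationFirewallPolicies@2024-02-01' = {
  name: 'exampleCaptchaPolicy'   // assumed name
  location: 'Global'
  sku: {
    name: 'Premium_AzureFrontDoor'
  }
  properties: {
    policySettings: {
      enabledState: 'Enabled'
      mode: 'Prevention'            // CAPTCHA only enforces in Prevention mode
      // How long a solved challenge stays valid for the client (assumed value).
      captchaExpirationInMinutes: 30
    }
    customRules: {
      rules: [
        {
          // Challenge POSTs to the credential-handling endpoints only, so
          // normal browsing is not interrupted and the user impact stays low.
          name: 'CaptchaOnAuthWorkflows'
          priority: 100
          enabledState: 'Enabled'
          ruleType: 'MatchRule'
          action: 'CAPTCHA'          // assumed action value; verify against ARM reference
          matchConditions: [
            {
              matchVariable: 'RequestMethod'
              operator: 'Equal'
              negateCondition: false
              matchValue: [ 'POST' ]
            }
            {
              matchVariable: 'RequestUri'
              operator: 'BeginsWith'
              negateCondition: false
              matchValue: [ '/signin', '/register' ]   // assumed paths
            }
          ]
        }
      ]
    }
  }
}
```

Scoping the rule to the authentication endpoints matters for the stated medium user impact: a bot attempting credential stuffing hits the challenge on every POST to these paths, while a legitimate user solves it once per expiry window and is otherwise unaffected. Keep a lower-priority `Log` rule or the WAF logs enabled so the ratio of failed to passed challenges can be reviewed when tuning.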

Reference