---
title: Blocking requests with invalid challenge tokens
summary: null
url: >-
  https://www.fastly.com/documentation/guides/security/bot-management/client-challenges/blocking-requests-with-invalid-challenge-tokens
---

After successfully completing a client challenge, the client receives a token stored as a [browser cookie](https://docs.fastly.com/products/bot-management#client-challenges). To validate this token on subsequent requests and block requests with invalid tokens, create two request rules.

| Request rule | Action types                                                                                                                                                                                                             | Description                                                                                                                                                                                                                                 |
| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1            | [Verify token](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules/#verify-token)                                                                                                                 | Check if the web client solved a challenge on a previous request. This rule will add either the `CHALLENGE-TOKEN-VALID` or `CHALLENGE-TOKEN-INVALID` signal to the request.                                                                 |
| 2            | [Block](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules/#block) <br /><br />_(Optional)_ [Add signal](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules/#add-signal) | Block requests tagged with the `CHALLENGE-TOKEN-INVALID` signal. If you have multiple rules that block requests with invalid challenge tokens, you can also optionally add a custom signal to matching requests for easier rule monitoring. |

> **HINT:** In most cases, these rules only need to target POST requests. The browser challenge is typically issued on the GET request that loads the page, and the client cannot proceed to the POST until it has solved the challenge, so the POST is where an unsolved or forged token is caught.

## Prerequisites

Before creating rules to handle requests from clients that failed a challenge, you must:

- purchase [Bot Management](https://docs.fastly.com/products/bot-management) and [Fastly Next-Gen WAF](https://docs.fastly.com/products/fastly-next-gen-waf) for deployment on Fastly's Edge Cloud. The [Essential platform](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability) for the Next-Gen WAF does not support Bot Management.
- [deploy Bot Management](https://www.fastly.com/documentation/guides/security/bot-management/about-bot-management/#deploying-bot-management) using post-cache inspection on each CDN service where you intend to use client challenges. Compute services are not supported.
- [enable client challenges](https://www.fastly.com/documentation/guides/security/bot-management/client-challenges/about-client-challenges/#enabling-client-challenges) on the service where you intend to use them.
- add a client challenge by [creating a rule](https://www.fastly.com/documentation/guides/security/bot-management/client-challenges/serving-challenges-with-interstitial-pages) or [modifying the HTML](https://www.fastly.com/documentation/guides/security/bot-management/client-challenges/embedding-challenges-in-pages) of the page where you'd like the challenge to be sent.

## Protecting a POST endpoint example

Let's say that you want to protect a POST endpoint, in this case `www.example.com/login`, and that you've already [added a challenge](https://www.fastly.com/documentation/guides/security/bot-management/client-challenges/about-client-challenges/#challenge-types) for the endpoint. To protect the endpoint, you need to configure two [request rules](https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-request-rules/) that will:

- [verify the token](https://www.fastly.com/documentation/guides/security/bot-management/client-challenges/blocking-requests-with-invalid-challenge-tokens#adding-the-verify-token-rule) on POST requests to `www.example.com/login`, and
- [block](https://www.fastly.com/documentation/guides/security/bot-management/client-challenges/blocking-requests-with-invalid-challenge-tokens#adding-the-block-rule) requests tagged with the `CHALLENGE-TOKEN-INVALID` signal.

> **IMPORTANT:** Be aware that this example uses values (e.g., hostnames and paths) that may not be the same as those used by your particular web application.

### Adding the verify token rule

The first request rule verifies the token on POST requests to `www.example.com/login`.

### Next-Gen WAF control panel

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2. From the **Sites** menu, select a site if you have more than one site.

3. From the **Rules** menu, select **Site Rules**.

4. Click **Add site rule**.

   ![A request rule designed to verify the token on POST requests to www.example.com/login.](/img/ngwaf/verify-token-rule-in-ngwaf-cp.png)

5. Add the following three conditions to ensure the WAF only applies this rule to HTTP POST requests where the domain is `www.example.com` and the request path is `/login`.

   | Condition | Field  | Operator | Value             |
   | --------- | ------ | -------- | ----------------- |
   | 1         | Method | Equals   | POST              |
   | 2         | Domain | Equals   | `www.example.com` |
   | 3         | Path   | Equals   | `/login`          |

6. Add the following condition to ensure the WAF does not apply this rule to requests made by [verified bots](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#bots), so they are never tagged with `CHALLENGE-TOKEN-INVALID` and blocked by the second rule.

   - From the first **Field** menu, select **Signal**.
   - From the first **Operator** menu, select **Does not exist where**.
   - From the second **Field** menu, select **Signal Type**.
   - From the second **Operator** menu, select **Equals**.
   - From the **Value** menu, select **Verified Bot**.

7. From the **Action type** menu, select [**Verify token**](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules/#action-types) to check whether the client has successfully solved a challenge on a previous request.

8. In the **Description** field, enter `Verify token on POST requests to www.example.com/login`.

9. Click **Create site rule**.

### Fastly control panel

1. Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Security** > **Next-Gen WAF** > [**Rules**](https://manage.fastly.com/security/ngwaf/rules).

3. From the workspaces bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the workspace name and select a workspace.

4. Click **Add workspace rule**.

   ![A request rule designed to verify the token on POST requests to www.example.com/login.](/img/ngwaf/verify-token-rule-in-fcp.png)

5. Add the following three conditions to ensure the WAF only applies this rule to HTTP POST requests where the domain is `www.example.com` and the request path is `/login`.

   | Condition | Field  | Operator | Value             |
   | --------- | ------ | -------- | ----------------- |
   | 1         | Method | Equals   | POST              |
   | 2         | Domain | Equals   | `www.example.com` |
   | 3         | Path   | Equals   | `/login`          |

6. Add the following condition to ensure the WAF does not apply this rule to requests made by [verified bots](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#bots), so they are never tagged with `CHALLENGE-TOKEN-INVALID` and blocked by the second rule.

   - From the first **Field** menu, select **Signal**.
   - From the first **Operator** menu, select **Does not exist where**.
   - From the second **Field** menu, select **Signal ID**.
   - From the second **Operator** menu, select **Equals**.
   - From the **Value** menu, select **Verified Bot**.

7. From the **Type** menu in the **Actions** section, select [**Verify token**](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules/#action-types) to check whether the client has successfully solved a challenge on a previous request.

8. In the **Description** field, enter `Verify token on POST requests to www.example.com/login`.

9. Click **Create workspace rule**.

> **HINT:** This rule only checks whether the client has successfully solved a challenge on a previous request. You must add a [second rule](https://www.fastly.com/documentation/guides/security/bot-management/client-challenges/blocking-requests-with-invalid-challenge-tokens#adding-the-block-rule) for the WAF to block requests from clients that haven't successfully solved a challenge.

### Adding the block rule

The second request rule blocks POST requests to `www.example.com/login` when there isn't a valid token. It also tags matching requests with the `Login attempt with invalid token` custom signal to make it easier to monitor the rule.

> **IMPORTANT:** Before creating this rule, [create a custom signal](https://www.fastly.com/documentation/guides/next-gen-waf/signals/working-with-custom-signals/#creating-signals-used-by-one-site-workspace) named `Login attempt with invalid token`.

### Next-Gen WAF control panel

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2. From the **Sites** menu, select a site if you have more than one site.

3. From the **Rules** menu, select **Site Rules**.

4. Click **Add site rule**.

   ![A request rule designed to block requests to www.example.com/login when the client hasn't solved a previous challenge.](/img/ngwaf/block-login-with-invalid-token-rule-in-ngwaf-cp.png)

5. Add the following three conditions to ensure the WAF only applies this rule to HTTP POST requests where the domain is `www.example.com` and the request path is `/login`.

   | Condition | Field  | Operator | Value             |
   | --------- | ------ | -------- | ----------------- |
   | 1         | Method | Equals   | POST              |
   | 2         | Domain | Equals   | `www.example.com` |
   | 3         | Path   | Equals   | `/login`          |

6. Add the following conditions to ensure the WAF only applies this rule to requests tagged with the `CHALLENGE-TOKEN-INVALID` signal.

   - From the first **Field** menu, select **Signal**.
   - From the first **Operator** menu, select **Exists where**.
   - From the second **Field** menu, select **Signal Type**.
   - From the second **Operator** menu, select **Equals**.
   - From the **Value** menu, select **Challenge Token Invalid**.

7. From the **Action type** menu, select **Block**.

8. Click **Add action**. New menus appear.

9. From the new **Action type** menu, select **Add signal** and from the **Signal** menu select the `Login attempt with invalid token` custom signal.

10. In the **Description** field, enter `Block requests to www.example.com/login when the client hasn't solved a previous challenge`.

11. Click **Create site rule**.

### Fastly control panel

1. Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Security** > **Next-Gen WAF** > [**Rules**](https://manage.fastly.com/security/ngwaf/rules).

3. From the workspaces bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the workspace name and select a workspace.

4. Click **Add workspace rule**.

   ![A request rule designed to block requests to www.example.com/login when the client hasn't solved a previous challenge.](/img/ngwaf/block-login-with-invalid-token-rule-in-fcp.png)

5. Add the following three conditions to ensure the WAF only applies this rule to HTTP POST requests where the domain is `www.example.com` and the request path is `/login`.

   | Condition | Field  | Operator | Value             |
   | --------- | ------ | -------- | ----------------- |
   | 1         | Method | Equals   | POST              |
   | 2         | Domain | Equals   | `www.example.com` |
   | 3         | Path   | Equals   | `/login`          |

6. Add the following conditions to ensure the WAF only applies this rule to requests tagged with the `CHALLENGE-TOKEN-INVALID` signal.

   - From the first **Field** menu, select **Signal**.
   - From the first **Operator** menu, select **Exists where**.
   - From the second **Field** menu, select **Signal ID**.
   - From the second **Operator** menu, select **Equals**.
   - From the **Value** menu, select **Challenge Token Invalid**.

7. From the **Type** menu in the **Actions** section, select **Block**.

8. Click **Add action**. New menus appear.

9. From the new **Action type** menu, select **Add signal** and from the **Signal** menu select the `Login attempt with invalid token` custom signal.

10. In the **Description** field, enter `Block requests to www.example.com/login when the client hasn't solved a previous challenge`.

11. Click **Create workspace rule**.
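The following is an added example, not Fastly's code and not the Next-Gen WAF rule engine: a small local model of the two rules configured above, useful for reasoning about what each rule does to a request before you deploy it. The rule dictionaries use the field and operator names shown in the control panel steps, but their shape is an assumption for this model, not the Next-Gen WAF API schema. Token validity is modelled as a lookup in a constructed set rather than the real challenge cookie check, the cookie name `challenge-token` and the verified-bot signal name `VERIFIED-BOT` are placeholders, and the model evaluates rule 1 before rule 2, which is the dependency the hint above describes.

```python
# Added example (not Fastly's code): local model of the verify-token and block rules.
from dataclasses import dataclass, field

VALID_TOKENS = {"tok-solved-42"}  # constructed: tokens "issued" by a solved challenge


@dataclass
class Request:
    method: str
    domain: str
    path: str
    cookies: dict = field(default_factory=dict)
    signals: set = field(default_factory=set)
    blocked: bool = False


def verify_token(req):
    # Models the Verify token action: tags the request with exactly one of the two
    # system signals the page describes. The cookie name is an assumption.
    tok = req.cookies.get("challenge-token")
    req.signals.add("CHALLENGE-TOKEN-VALID" if tok in VALID_TOKENS
                    else "CHALLENGE-TOKEN-INVALID")


def cond_matches(cond, req):
    kind = cond["field"]
    if kind in ("method", "domain", "path"):
        return getattr(req, kind) == cond["value"]
    if kind == "signal":
        # "Exists where signal type equals X" / "Does not exist where ..."
        present = cond["value"] in req.signals
        return present if cond["operator"] == "exists_where" else not present
    raise ValueError(f"unknown field {kind}")


def apply_rules(rules, req):
    # Rules fire only when all of their conditions hold; actions run in order.
    for rule in rules:
        if all(cond_matches(c, req) for c in rule["conditions"]):
            for action in rule["actions"]:
                if action["type"] == "verify_token":
                    verify_token(req)
                elif action["type"] == "block":
                    req.blocked = True
                elif action["type"] == "add_signal":
                    req.signals.add(action["signal"])
    return req


# Scope shared by both rules: HTTP POST to www.example.com/login.
LOGIN_POST = [
    {"field": "method", "operator": "equals", "value": "POST"},
    {"field": "domain", "operator": "equals", "value": "www.example.com"},
    {"field": "path", "operator": "equals", "value": "/login"},
]

VERIFY_RULE = {
    "description": "Verify token on POST requests to www.example.com/login",
    "conditions": LOGIN_POST + [
        # placeholder signal name for the verified-bot exclusion
        {"field": "signal", "operator": "does_not_exist_where", "value": "VERIFIED-BOT"}],
    "actions": [{"type": "verify_token"}],
}

BLOCK_RULE = {
    "description": "Block requests to www.example.com/login when the client "
                   "hasn't solved a previous challenge",
    "conditions": LOGIN_POST + [
        {"field": "signal", "operator": "exists_where", "value": "CHALLENGE-TOKEN-INVALID"}],
    "actions": [{"type": "block"},
                {"type": "add_signal", "signal": "Login attempt with invalid token"}],
}


def evaluate(req, rules=(VERIFY_RULE, BLOCK_RULE)):
    apply_rules(rules, req)
    return {"blocked": req.blocked, "signals": sorted(req.signals)}


def demo():
    # Constructed requests covering the cases the page's rules distinguish.
    host = "www.example.com"
    cases = {
        "get_login": Request("GET", host, "/login"),
        "post_valid": Request("POST", host, "/login", {"challenge-token": "tok-solved-42"}),
        "post_forged": Request("POST", host, "/login", {"challenge-token": "tok-forged"}),
        "post_no_cookie": Request("POST", host, "/login"),
        "post_verified_bot": Request("POST", host, "/login", signals={"VERIFIED-BOT"}),
        "post_other_path": Request("POST", host, "/search", {"challenge-token": "tok-forged"}),
    }
    results = {name: evaluate(r) for name, r in cases.items()}
    # Rule 2 on its own never fires: nothing has tagged the request yet.
    results["block_rule_only"] = evaluate(Request("POST", host, "/login"), rules=(BLOCK_RULE,))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} blocked={outcome['blocked']!s:5} signals={outcome['signals']}")
```

Running it shows a POST with a forged or missing cookie being tagged `CHALLENGE-TOKEN-INVALID`, blocked and given the custom signal, a GET or a POST to another path left untouched, a request already carrying the verified-bot signal skipping the verify step entirely, and the block rule doing nothing when the verify rule is absent.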

## Related content

- [About client challenges](https://www.fastly.com/documentation/guides/security/bot-management/client-challenges/about-client-challenges)
- [Bot Management](https://docs.fastly.com/products/bot-management)
