Using AWS WAF intelligent threat mitigations with cross-origin API access

This article demonstrates how to implement AWS WAF intelligent threat mitigations with Bot Control and CAPTCHA for Single Page Applications (SPAs) in both same-origin and cross-origin API access scenarios.

  • AWS WAF Bot Control provides intelligent threat mitigations using JavaScript challenges and CAPTCHA verification
  • Same-origin scenario: SPA and API on same domain, token stored as cookie
  • Cross-origin scenario: SPA and API on different domains, token sent via X-Aws-Waf-Token header
  • Token Domain List must include SPA domain when API is on separate CloudFront distribution
  • CORS preflight OPTIONS requests must be excluded from Bot Control inspection: the browser sends the preflight without custom headers, so it never carries the token and would otherwise be challenged, which makes the actual cross-origin call fail
  • API must return CORS headers that list X-Aws-Waf-Token in Access-Control-Allow-Headers and name the SPA origin in Access-Control-Allow-Origin
  • AwsWafIntegration library automatically detects cross-origin and sends token appropriately
  • Includes AWS CDK deployment example with sample SPA application

The article provides practical guidance for protecting APIs with AWS WAF Bot Control across different domain configurations, with deployable code examples.
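The same-origin versus cross-origin token delivery and the CORS preflight handling summarised above, as an added example: this is not code from the AWS article or its CDK sample. The function names buildApiRequest, corsPreflightResponse and wafTokenPresent are this example's own; buildApiRequest hand-rolls the decision that AwsWafIntegration.fetch() makes for you, and wafTokenPresent only models where AWS WAF looks for the token (the aws-waf-token cookie or the X-Aws-Waf-Token header) and the OPTIONS exclusion, it is not the WAF implementation. All origins, URLs and token values are constructed.

```javascript
// Added example, not from the AWS article. Models the SPA side (how the
// token travels), the API side (CORS preflight answer) and, as a model only,
// where AWS WAF looks for the token once the preflight is excluded.

const WAF_TOKEN_HEADER = "x-aws-waf-token"; // header name AWS WAF reads
const WAF_TOKEN_COOKIE = "aws-waf-token";   // cookie name AWS WAF sets

// SPA side. Same-origin: the aws-waf-token cookie is sent by the browser
// automatically, so no header is needed. Cross-origin: the cookie belongs to
// the SPA domain and is not sent, so the token must be copied into the header.
// This is the decision AwsWafIntegration.fetch() makes for you.
function buildApiRequest(spaOrigin, apiUrl, token) {
  const target = new URL(apiUrl);
  const sameOrigin = new URL(spaOrigin).origin === target.origin;
  const headers = { accept: "application/json" };
  if (!sameOrigin) {
    if (!token) throw new Error("no WAF token available for cross-origin call");
    headers[WAF_TOKEN_HEADER] = token;
  }
  return {
    url: target.href,
    init: { method: "GET", headers, mode: sameOrigin ? "same-origin" : "cors" },
    sameOrigin,
  };
}

// API side. The browser sends OPTIONS with Origin and
// Access-Control-Request-Headers but no custom headers, so the preflight
// carries no token. The answer must name the SPA origin exactly (not "*")
// and list x-aws-waf-token, or the browser blocks the real request.
// reqHeaders uses lowercase header names, as Node's http module does.
function corsPreflightResponse(reqHeaders, allowedOrigins) {
  const origin = reqHeaders["origin"];
  if (!allowedOrigins.includes(origin)) {
    return { status: 403, headers: {}, reason: "origin not allowed" };
  }
  const requested = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowedHeaders = ["content-type", WAF_TOKEN_HEADER];
  const unknown = requested.filter((h) => !allowedHeaders.includes(h));
  if (unknown.length) {
    return { status: 403, headers: {}, reason: `disallowed headers: ${unknown.join(",")}` };
  }
  return {
    status: 204,
    headers: {
      "access-control-allow-origin": origin, // exact SPA origin, echoed back
      "access-control-allow-methods": "GET, POST, OPTIONS",
      "access-control-allow-headers": allowedHeaders.join(", "),
      "access-control-max-age": "600",
      "vary": "Origin", // cache key must include Origin when echoing it
    },
  };
}

// Model of the WAF rule: OPTIONS is scoped out of Bot Control inspection;
// every other request is inspected and the token is taken from the header
// (cross-origin) or the cookie (same-origin).
function wafTokenPresent(method, headers) {
  if (method === "OPTIONS") return { inspected: false, token: null };
  const fromHeader = headers[WAF_TOKEN_HEADER];
  if (fromHeader) return { inspected: true, token: fromHeader };
  const cookiePair = (headers["cookie"] || "")
    .split(";").map((c) => c.trim())
    .find((c) => c.startsWith(`${WAF_TOKEN_COOKIE}=`));
  const token = cookiePair ? cookiePair.slice(WAF_TOKEN_COOKIE.length + 1) : null;
  return { inspected: true, token };
}

// Constructed sample values, run when executed directly
const spa = "https://app.example.com";
const cross = buildApiRequest(spa, "https://api.example.com/items", "tok123");
console.log(cross.sameOrigin, cross.init.headers[WAF_TOKEN_HEADER]); // false tok123
const pre = corsPreflightResponse(
  { origin: spa, "access-control-request-headers": "X-Aws-Waf-Token" },
  [spa],
);
console.log(pre.status, pre.headers["access-control-allow-headers"]);
```

In the deployed SPA, AwsWafIntegration.fetch() replaces buildApiRequest (it reads the token with the same logic and only adds the header for cross-origin targets); the preflight exclusion lives in the Bot Control rule's scope-down statement, and the CORS answer lives in the API, not in WAF.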


