Skip to main content

CloudFront Integration

You can set up VerifiedVisitors for a CloudFront distribution using our Lambda@Edge module.

The Lambda function executes on the "Viewer Request" event, which runs when CloudFront receives a request from a viewer. It queries VerifiedVisitors for an access control decision for the visitor, and either serves a mitigation or lets the request through.

The module automatically serves and processes CAPTCHA responses when appropriate.

  • You should be familiar with AWS and CloudFront Lambda@Edge.
  • The target CloudFront distribution behaviour must not have an existing Viewer Request function association.
  • The CloudFront viewer behaviour must allow the POST method in order to be able to process CAPTCHA responses.


1. Create a VerifiedVisitors access token for API access

In your VerifiedVisitors portal, navigate to "Profile Settings", click on the "Tokens" tab, and generate a new token. This will be needed later when setting up the lambda function.

2. Create the Lambda function

In the Lambda dashboard of the AWS console, create a Lambda function in the us-east-1 region:

  1. Click on "Create function".
  2. Select "Author from scratch".
  3. In the basic information section, enter a name for the function and ensure the runtime is set to Node.js.
  4. Click on "Create function".
  5. Rename the index.mjs file to index.js (our implementation doesn't support ESM yet).
  6. In the code tab, replace the contents with the VerifiedVisitors Lambda implementation.
  7. Click "Deploy" to save the changes.
  8. In the "config" section of the code:
    • Replace the API_KEY value with the access token you created in step 1.
  9. In the configuration tab, under general configuration, set the timeout to 1 second.

3. Configure the Lambda execution role

Permissions must be configured according to the AWS documentation.

From the configuration tab, under 'Permissions', click on the role name to modify it:

  1. Edit the trust relationship to include the service:
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": {
"Service": ["", ""]
"Action": "sts:AssumeRole"
  1. Edit the permissions policy to allow logging in other regions (optional):
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:*:*:*"
"Effect": "Allow",
"Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
"Resource": ["arn:aws:logs:*:*:log-group:/aws/lambda/*"]

4. Deploy the Lambda function

Back in the Lambda function page, click on "Actions" followed by "Deploy to Lambda@Edge", then:

  1. Select the CloudFront distribution to process requests for.
  2. Select "Viewer Request" as the CloudFront event.
  3. Ensure "Include body" is checked (this is required for serving CAPTCHA).
  4. Check "Confirm deploy to Lambda@Edge".
  5. Click on "Deploy".

It may take a few minutes for your CloudFront distribution to deploy the new settings.

Updating the Lambda function

The Lambda function can be updated as follows:

  1. In the Lambda dashboard of the AWS console, ensure the region is set to us-east-1 and select the VerifiedVisitors function to be updated.
  2. In the code tab, edit the code source to update the implementation.
  3. Click on "Deploy" to save the changes.
  4. Click on "Actions" followed by "Deploy to Lambda@Edge".
  5. In the dialog box that appears, choose "Use existing CloudFront trigger on this function" and select the trigger to be updated.
  6. Click on "Deploy".

It may take a few minutes for your CloudFront distribution to deploy the new settings.

Client-side JavaScript agent

We recommend serving our JS agent along with any HTML content to improve threat detection and visitor categorisation.

Please see the JS-agent docs for more info.