[TESTING] WAF CAPTCHA Testing #829

Open
adambuttrick opened this issue Feb 12, 2025 · 1 comment

Objective

Following from #680 and discussions, we should test the new WAF CAPTCHA rules for login and password reset pages to verify that they're both preventing malicious traffic and allowing access for legitimate users.

Test Steps

1. Baseline Analysis

  • Review current WAF logs in OpenSearch for a reasonable time period (e.g. past 7 days)
  • Document current denial rates and patterns
  • Identify peak usage periods

2. Discount Mode Testing

  • Enable new WAF captcha rules in discount mode
  • Monitor in OpenSearch for false positives and compare against baseline metrics

3. Malicious Traffic Simulation Script

If the new rules look fine in discount mode, we should further test with a script that simulates malicious traffic, for example:

  • Single IP rapid login attempts
  • Password reset request floods
  • Mix of legitimate and malicious patterns

Success Criteria

  • Low false positive rate (e.g. < 1%)
  • Simulation of malicious traffic is blocked
  • No impact on legitimate logins
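The simulation script in step 3 and the success criteria can be rehearsed offline before anything is pointed at stage. The following is an added example, not code from this issue or from the project: it generates the three traffic patterns listed above as timestamped request records, evaluates them against an assumed sliding-window rate rule (the real WAF rule, its window and its threshold are not given in the issue, so the values here are stand-ins), and reports the success criteria. Paths, TEST-NET addresses and counts are constructed.

```python
"""Offline stand-in for the malicious-traffic simulation step in the issue.

Constructed example, not the project's own script: the request generators,
the TEST-NET addresses, the window/limit values and the sliding-window rule
are all assumptions standing in for the real WAF configuration.
"""
import random
from collections import defaultdict, deque

LOGIN_PATH = "/login"
RESET_PATH = "/password-reset"

# Assumed rule: a source IP that sends more than LIMIT requests to the
# protected paths within WINDOW_SECONDS gets the CAPTCHA action on every
# further request in that window (the shape of a WAF rate-based rule).
WINDOW_SECONDS = 300
LIMIT = 20


def single_ip_rapid_logins(ip, start, count, interval=0.5):
    """Pattern 1: one address hammering the login page."""
    return [(start + i * interval, ip, LOGIN_PATH, "malicious") for i in range(count)]


def reset_flood(ips, start, per_ip, interval=0.2):
    """Pattern 2: password-reset requests spread over a handful of addresses."""
    return [(start + n + i * interval, ip, RESET_PATH, "malicious")
            for n, ip in enumerate(ips) for i in range(per_ip)]


def legitimate_traffic(n_users, start, span, rng):
    """Pattern 3 (the legitimate half): users log in a few times over the span,
    occasionally resetting a password. At most two users share an address,
    so no legitimate source can reach LIMIT on its own."""
    reqs = []
    for u in range(n_users):
        ip = f"203.0.113.{u % 250 + 1}"          # TEST-NET-3, constructed
        for _ in range(rng.randint(1, 4)):
            path = RESET_PATH if rng.random() < 0.1 else LOGIN_PATH
            reqs.append((start + rng.uniform(0, span), ip, path, "legit"))
    return reqs


def apply_rate_rule(requests, limit=LIMIT, window=WINDOW_SECONDS):
    """Evaluate the assumed rule in timestamp order; returns (request, action)."""
    recent = defaultdict(deque)                 # ip -> timestamps inside the window
    decisions = []
    for req in sorted(requests):
        t, ip, _path, _label = req
        q = recent[ip]
        while q and t - q[0] > window:          # drop timestamps that aged out
            q.popleft()
        q.append(t)
        decisions.append((req, "CAPTCHA" if len(q) > limit else "ALLOW"))
    return decisions


def score(decisions):
    """Measure the issue's success criteria: low false positives on legitimate
    requests, malicious traffic challenged, every abusive source caught."""
    challenged = {"legit": 0, "malicious": 0}
    total = {"legit": 0, "malicious": 0}
    malicious_ips, caught_ips = set(), set()
    for (_t, ip, _path, label), action in decisions:
        total[label] += 1
        if label == "malicious":
            malicious_ips.add(ip)
        if action == "CAPTCHA":
            challenged[label] += 1
            if label == "malicious":
                caught_ips.add(ip)
    return {
        "false_positive_rate": challenged["legit"] / total["legit"] if total["legit"] else 0.0,
        "malicious_total": total["malicious"],
        "malicious_challenged": challenged["malicious"],
        "abusive_ips_challenged": len(caught_ips) / len(malicious_ips) if malicious_ips else 0.0,
    }


def run_simulation(seed=1):
    """Build the mixed workload, run the rule, return the metrics."""
    rng = random.Random(seed)
    requests = legitimate_traffic(400, start=0, span=3600, rng=rng)
    requests += single_ip_rapid_logins("198.51.100.7", start=0, count=200)
    requests += reset_flood([f"198.51.100.{n}" for n in range(10, 15)], start=1000, per_ip=50)
    return score(apply_rate_rule(requests))


if __name__ == "__main__":
    for key, value in run_simulation().items():
        print(f"{key}: {value}")
```

The first LIMIT requests from each abusive source pass by construction (a rate rule has nothing to count yet), so "simulation of malicious traffic is blocked" is better measured per source (every abusive IP ends up challenged) alongside the per-request count, which here is 330 of 450. When this is run for real against stage, the generators become actual HTTP requests and the actions should be read back from the WAF logs in OpenSearch rather than from the local rule, so that the baseline from step 1 and the simulation share one measurement.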
adambuttrick commented Mar 4, 2025

Test results described in #680 (comment). Results on stage look fine for moving to prod as well.
