Custom policies let you fine-tune security settings for individual verification scenarios — controlling security mode, URL restrictions, access rate limits, and device emulator blocking — beyond what the default policy provides.
For billing details, see Billing.
Prerequisites
Before you begin, ensure that you have:
Enable custom policy
Log on to the Captcha 2.0 console.
In the left navigation pane, click Overview. In the version card in the upper-right corner, click Expand Details, then turn on the Custom Policy switch.

Configure custom policy
Spatial inference scenarios do not support custom policies. The spatial inference verification form will be taken offline soon. For details, see [Announcement] Notice of spatial inference verification form offline.
Log on to the Captcha 2.0 console. In the left navigation pane, choose Security Management > Custom Policy.
On the Custom Policy page, click Modify in the Actions column for the target scenario.
In the Configure Custom Policy panel, set the following options, then click OK.
Parameter: Mode
Description: Controls how aggressively Captcha 2.0 filters requests.
- Basic mode (default): Applies standard security checks. Balances protection and user experience. Use this when attack traffic is low.
- Attack and Defense Mode: Applies enhanced risk control to strictly block attack requests. Use this when you detect increased attack traffic. May produce a small number of false positives.

Parameter: URL verification
Description: A URL string that must appear in the page URL where Captcha 2.0 is invoked. If left blank, any page URL is accepted.
The match is partial: www.abc.com matches www.abc.com/a, www.abc.com/a/xxxx, and www.abc.com/b.

Parameter: IP address access frequency limit
Description: Maximum number of requests allowed from the same IP address within a time window.
- Hourly limit: 1–999,999,999. Default: 4,000.
- Daily limit: 1–999,999,999. Default: 10,000.

Parameter: Device access frequency limit
Description: Maximum number of requests allowed from the same device within a time window.
- Hourly limit: 1–999,999,999. Default: 150.
- Daily limit: 1–999,999,999. Default: 400.

Parameter: Block device emulators
Description: Blocks requests from virtual machines (VMware, VirtualBox, Hyper-V, Parallels), Android emulators (AVD, BlueStacks, VBox/Hyper-V), and desktop browsers simulating mobile devices. Enabled by default.

After the configuration is saved, the Policy Type for the scenario changes from Default to Custom.
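The following is an added example, not code from Captcha 2.0 or its documentation: a pre-flight check you can run on a planned policy before entering it in the console. It checks the limits against the documented range and tests the URL verification value against pages you expect to be accepted or rejected. The PlannedPolicy class, its field names, the review function and the sample URLs are hypothetical, and the partial match is assumed to be a plain substring test.

```python
from dataclasses import dataclass

LIMIT_MIN, LIMIT_MAX = 1, 999_999_999  # range the page gives for every limit


@dataclass
class PlannedPolicy:
    """Hypothetical container; field names are ours, defaults are the page's."""
    url_verification: str = ""   # blank: any page URL is accepted
    ip_hourly: int = 4_000
    ip_daily: int = 10_000
    device_hourly: int = 150
    device_daily: int = 400


def url_accepted(policy, page_url):
    """Partial match, assumed here to be a plain substring test."""
    return policy.url_verification == "" or policy.url_verification in page_url


def review(policy, must_accept, must_reject):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    for scope in ("ip", "device"):
        hourly = getattr(policy, scope + "_hourly")
        daily = getattr(policy, scope + "_daily")
        for name, value in ((scope + "_hourly", hourly), (scope + "_daily", daily)):
            if not LIMIT_MIN <= value <= LIMIT_MAX:
                findings.append(f"{name}={value} is outside {LIMIT_MIN}-{LIMIT_MAX}")
        if hourly > daily:
            # The daily cap is reached first, so the hourly cap adds nothing.
            findings.append(f"{scope}: hourly limit {hourly} exceeds daily limit {daily}")
    for url in must_accept:
        if not url_accepted(policy, url):
            findings.append(f"legitimate page would fail URL verification: {url}")
    for url in must_reject:
        if url_accepted(policy, url):
            findings.append(f"URL verification value is too broad, it accepts: {url}")
    return findings


if __name__ == "__main__":
    # Constructed sample: protect only the /a pages of the page's example host.
    plan = PlannedPolicy(url_verification="www.abc.com", device_hourly=500)
    pages = ["https://www.abc.com/a", "https://www.abc.com/a/xxxx"]
    for finding in review(plan, pages, ["https://www.abc.com/b"]):
        print(finding)
```

In the constructed sample, narrowing the value to www.abc.com/a and keeping the device hourly limit at or below the daily limit clears both findings.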
Disable custom policy
Log on to the Captcha 2.0 console.
In the left navigation pane, click Overview. In the version card in the upper-right corner, click Expand Details, then turn off the Custom Policy switch.

If you cannot turn off the switch, go to Security Management > Custom Policy, click Restore to Default in the Actions column to reset all settings, then turn off the switch.