Saved February 14, 2026
Do you care about this?
This article explains how to set up the AWS WAF Anti-DDoS managed rule group to effectively protect web applications from Layer 7 DDoS attacks. It covers the balance between mitigating attacks and ensuring a smooth experience for legitimate users, detailing configurations for different client types and request scenarios.
If you do, here's more
AWS WAF's Anti-DDoS managed rule group offers rapid detection and mitigation for Layer 7 DDoS threats, responding in mere seconds. Its default setup works well for many applications but may inadvertently block requests from certain clients, especially browser-based Single Page Applications (SPAs) and native mobile apps, during an attack. These clients often don't handle challenges effectively, risking user experience during DDoS events. The article provides guidance on adjusting the web access control list (web ACL) to optimize both DDoS protection and user experience.
When the Anti-DDoS managed rule group is activated, it establishes traffic baselines and assigns suspicion scores to incoming requests. Low and medium suspicion requests receive a soft mitigation via a silent JavaScript challenge, while high suspicion requests are outright blocked. The challenge applies mainly to GET requests that match specific criteria. For clients that can't complete the challenge on their own, AWS recommends implementing client integrations that automatically handle these challenges, allowing all requests to be treated as challengeable. This approach requires deploying the AWS WAF Targeted Bot Control AMR in the web ACL to ensure smoother user interactions.
For clients that can't utilize these integrations, the article suggests several configuration adjustments to balance DDoS protection with user impact. One option is to allow non-suspicious requests to bypass challenges during an attack. Changing the ChallengeAllDuringEvent rule to Count means legitimate users making non-suspicious requests won't face unnecessary hurdles. By carefully tuning these settings, organizations can maintain resource availability while minimizing disruption for genuine users during DDoS incidents.
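The two adjustments described above (referencing the Anti-DDoS and Targeted Bot Control managed rule groups, and overriding the ChallengeAllDuringEvent rule to Count for clients that cannot complete the challenge) can be expressed as the `Rules` list of an AWS WAF web ACL. The following is an added example, not code from the AWS article: it builds that list in the JSON shape accepted by `aws wafv2 create-web-acl` / `update-web-acl --rules file://...`, and includes an audit helper that reads the same shape as returned by `aws wafv2 get-web-acl`, so a defender can check whether a live web ACL still challenges all requests during an event. The rule group and rule names are AWS's published identifiers; the rule names inside the web ACL, metric names and priorities are placeholders.

```python
"""Build and audit AWS WAF rules for the Anti-DDoS managed rule group.

Added example, not from the AWS article. Rule group and rule names are
AWS's published identifiers; web ACL rule names, metric names and
priorities are placeholders chosen for this example.
"""
import json
import sys

ANTI_DDOS_RULE_GROUP = "AWSManagedRulesAntiDDoSRuleSet"
BOT_CONTROL_RULE_GROUP = "AWSManagedRulesBotControlRuleSet"
CHALLENGE_ALL_RULE = "ChallengeAllDuringEvent"


def _visibility(metric_name):
    # CloudWatch metrics and sampled requests show, during an event, which
    # rule acted on which requests. Metric name is a placeholder.
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def anti_ddos_rule(priority, challenge_all_during_event=True):
    """Reference the Anti-DDoS managed rule group in a web ACL.

    With challenge_all_during_event=False, ChallengeAllDuringEvent is
    overridden to Count: non-suspicious requests pass through during an
    event (still visible in logs under the Count action), while the rules
    that challenge or block suspicious requests keep their default actions.
    """
    statement = {"VendorName": "AWS", "Name": ANTI_DDOS_RULE_GROUP}
    if not challenge_all_during_event:
        statement["RuleActionOverrides"] = [
            {"Name": CHALLENGE_ALL_RULE, "ActionToUse": {"Count": {}}}
        ]
    return {
        "Name": "AWS-AntiDDoS",  # placeholder
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        # OverrideAction None: each rule in the group uses its own action.
        "OverrideAction": {"None": {}},
        "VisibilityConfig": _visibility("AntiDDoS"),
    }


def targeted_bot_control_rule(priority):
    """Targeted Bot Control, required when relying on the client SDK
    integrations so that every request can be treated as challengeable."""
    return {
        "Name": "AWS-TargetedBotControl",  # placeholder
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": BOT_CONTROL_RULE_GROUP,
                "ManagedRuleGroupConfigs": [
                    {"AWSManagedRulesBotControlRuleSet": {"InspectionLevel": "TARGETED"}}
                ],
            }
        },
        "OverrideAction": {"None": {}},
        "VisibilityConfig": _visibility("TargetedBotControl"),
    }


def build_rules(challenge_all_during_event, with_bot_control):
    """Rules list for the web ACL; priorities 0 and 1 are placeholders."""
    rules = [anti_ddos_rule(0, challenge_all_during_event)]
    if with_bot_control:
        rules.append(targeted_bot_control_rule(1))
    return rules


def challenge_all_active(rules):
    """Audit a web ACL's Rules list (shape of `aws wafv2 get-web-acl`).

    Returns True if the Anti-DDoS group is referenced and will challenge
    all requests during an event, False if ChallengeAllDuringEvent is
    overridden to Count, and None if the group is not referenced at all.
    """
    for rule in rules:
        mrg = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if not mrg or mrg.get("Name") != ANTI_DDOS_RULE_GROUP:
            continue
        for override in mrg.get("RuleActionOverrides", []):
            if (override.get("Name") == CHALLENGE_ALL_RULE
                    and "Count" in override.get("ActionToUse", {})):
                return False
        return True
    return None


if __name__ == "__main__":
    # Emit the variant for SPAs and mobile apps that cannot use the client
    # integrations; pass the output to `aws wafv2 update-web-acl --rules`.
    json.dump(build_rules(challenge_all_during_event=False,
                          with_bot_control=False), sys.stdout, indent=2)
```

To audit an existing deployment, pipe `aws wafv2 get-web-acl ... --query WebACL.Rules` into `challenge_all_active`: a `False` result means the ChallengeAllDuringEvent override is in place and non-suspicious requests will not be challenged during an event, which is the intended state for clients that cannot complete the challenge, while `True` means every matching request will be challenged.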