AWS WAF now supports enhanced rate-based rules with request headers and composite keys. This feature allows customers to create more granular and sophisticated rate-limiting rules by combining up to five request parameters, including IP addresses, HTTP methods, and URI paths. The video demonstrates how to set up a rate-based rule in the AWS console, aggregating requests by HTTP method and source IP for a login page. This new capability helps identify and mitigate complex attack patterns while minimizing impact on legitimate users, providing better protection against sophisticated threats that bypass traditional IP-based rate limiting.