Schema Validation 2.0 allows all corresponding configuration calls to be made via API. This validation centers more around individual endpoints and lets you set mitigation actions for each endpoint individually. Additionally, you can use Cloudflare-provided learned schemas that we learn automatically from your traffic for individual endpoints.
Upload schemas via the API to Schema Validation
Upload a schema.
Ensure that your endpoints are added in Endpoint Management.
Set the schema to active if it is not already done.
Set the Schema Validation zone-wide action from none to log.
Send test traffic that violates the schema.
View test traffic in Security Events by filtering for Service > API Shield - Schema Validation.
Optional:
Set a single endpoint to block.
Set the Schema Validation zone-wide to block.
Temporarily override all schemas zone-wide to none.
Remove the temporary override.
Cloudflare recommends you to rerun test traffic and monitor the HTTP response codes after changing any settings to ensure Schema Validation is operating as expected.
Settings changes may take a few minutes to implement.
Configuration
Upload and activate a schema
Upload a schema via the v4 API using POST. This example requires a example_schema.yaml schema file in the current folder.
By default, Schema Validation is disabled for an uploaded schema so that you can inspect it first. You can upload a schema and enable it immediately by setting the form parameter validation_enabled=true.
Use a PATCH request to activate a schema after inspection.
Schemas contain a set of servers, paths, and methods, which together define an operation. Schema Validation only acts on the requests to operations which have been added to the API Shield Endpoint Management. If a schema contains operations which have not been added to Endpoint Management, they can be retrieved together with the configuration information about added operations.
To receive information about the configuration of existing operations, Cloudflare recommends passing the ?feature=schema_info parameter.
You can add new operations in a schema to Endpoint Management using POST.
You can add all operations in a schema that do not already exist in Endpoint Management by combining two commands as one. There is a maximum of 20 operations for this API call. The example requires the jq tool.
Change the default and operation-specific mitigation action
If a schema is uploaded and active for a set of operations, it validates incoming requests to each operation and decides whether a mitigation action should be taken. This mitigation action is defined per operation and can take the values none, log, and block, which correspond to no action, logging the requests, or blocking them before they reach the origin.
New operations will not have a mitigation action set and will use the zone-wide default mitigation action. The current default mitigation action can be retrieved using GET.
A new value out of none, log, and block can be set using PUT.
If the mitigation action for an individual operation is of interest, the current value can be retrieved with GET using the operation ID.
If the value is null, it means that no mitigation action has been specified for this operation and the default mitigation action is being used.
You can set the mitigation action to a value out of none, block, log, and null by using PUT.
List all schemas
You can get an overview of the schemas currently active on a zone using GET.
validation_enabled=true is an optional parameter.
Delete a schema
You can delete a schema using DELETE.
Activate a learned schema for an operation
Cloudflare provides automatically learned parameter schemas for all operations in Endpoint Management with a sufficient amount of requests. A learned schema can be inspected using GET.
If you are satisfied with the inspected parameter schema, you can add and activate it using PUT.
Disable Schema Validation
To quickly disable schema validation for a whole zone, use PATCH. This operation will override all operation-mitigation actions.
Was this helpful?
What did you like?
What went wrong?
Thank you for helping improve Cloudflare's documentation!