Configure Schema Validation
Before you can configure Schema Validation for an API, you must obtain its API Schema file. API Shield supports API Schemas using OpenAPI Specification v3. The accepted file formats are YAML (files with a
.yaml file extension) and JSON (files with a
.json file extension).
Create an API Shield with Schema Validation
To configure Schema Validation in the Cloudflare dashboard, follow these steps:
Log in to your Cloudflare account Home page and click the zone containing the host for which you want to configure Schema Validation.
Click the Firewall app.
The Firewall Overview displays.
Click the API Shield tab.
The API Shield card displays.
Click Deploy API Shield.
The API Shield creation wizard displays.
Enter a descriptive name for the API Shield in the Shield name input.
Configure the expression for the API Shield using the available request fields.
For example, if your API is available at
http://api.example.com/v1, the expression must include a check for the Hostname field (which must be equal to
api.example.com) and a check for the URI Path field using a regular expression (which must match the regex
The Security solution step displays.
Enable the toggle in the Schema Validation card.
Upload the API Schema file in Upload API Schema by selecting a file or dragging a file to the file upload area (dashed rectangle).
Click Deploy to validate the content of the schema file and deploy the Schema Validation rule.
After deploying your API Shield rule, Cloudflare displays a summary of all API endpoints organized by their protection level and what will be the actions taken for non-compliant and unprotected requests.
The API Shield rule will validate all incoming requests addressed at the endpoints listed in API Schema endpoints. The several columns in the table list the validations deployed for each endpoint, according to the information described in the API Schema file.
In the Endpoint action dropdown, select the action that API Shield will perform for every request targeting a protected endpoint that fails Schema Validation.
In the Fallthrough action dropdown, select the action to perform for incoming requests addressed at other (non-protected) API endpoints.
The API Shield wizard closes and the API Shield card displays with your new API Shield in the list.