Skip to content
Firewall
Visit Firewall on GitHub
Set theme to dark (⇧+D)

Configure Schema Validation

Use the API Shield interface to configure API Schema Validation which validates requests according to the API Schema you provide.

Before you can configure Schema Validation for an API, you must obtain its API Schema file. API Shield supports API Schemas using OpenAPI Specification v3. The accepted file formats are YAML (files with a .yml or .yaml file extension) and JSON (files with a .json file extension).

Create an API Shield with Schema Validation

To configure Schema Validation in the Cloudflare dashboard, follow these steps:

  1. Log in to your Cloudflare account Home page and click the zone containing the host for which you want to configure Schema Validation.

  2. Click the Firewall app.

    The Firewall Overview displays.

    Firewall Overview tab

  3. Click the API Shield tab.

    The API Shield card displays.

    API Shield card

  4. Click Deploy API Shield.

    The API Shield creation wizard displays.

    API Shield Properties wizard step

  5. Enter a descriptive name for the API Shield in the Shield name input.

  6. Configure the expression for the API Shield using the available request fields.

    For example, if your API is available at http://api.example.com/v1, the expression must include a check for the Hostname field (which must be equal to api.example.com) and a check for the URI Path field using a regular expression (which must match the regex ^/v1).

  7. Click Next.

    The Security solution step displays.

    API Shield Security solution wizard step

  8. Enable the toggle in the Schema Validation card.

  9. Upload the API Schema file in Upload API Schema by selecting a file or dragging a file to the file upload area (dashed rectangle).

  10. Click Deploy to validate the content of the schema file and deploy the Schema Validation rule.

  11. After deploying your API Shield rule, Cloudflare displays a summary of all API endpoints organized by their protection level and what will be the actions taken for non-compliant and unprotected requests.

    API Shield Review endpoints wizard step

    The API Shield rule will validate all incoming requests addressed at the endpoints listed in API Schema endpoints. The several columns in the table list the validations deployed for each endpoint, according to the information described in the API Schema file.

  12. In the Endpoint action dropdown, select the action that API Shield will perform for every request targeting a protected endpoint that fails Schema Validation.

  13. In the Fallthrough action dropdown, select the action to perform for incoming requests addressed at other (non-protected) API endpoints.

  14. Click Done.

The API Shield wizard closes and the API Shield card displays with your new API Shield in the list.