Cloudflare API Shield allows you to secure your APIs using the following security solutions:
- Mutual TLS (mTLS) — Blocks traffic from devices that do not have a valid client SSL/TLS certificate with an API Shield rule.
- Schema Validation — Protects your origin from invalid API requests or a malicious payload by matching each request with the provided schema.
A positive security model for APIs
Implementing a positive security model for APIs is the most direct way to eliminate credential stuffing attacks and deny access to automated scanning tools. Unlike the security model followed by firewalls, in a positive security model you define the requirements and admissible behavior of incoming traffic. The only allowed requests are the ones that comply with the defined rules.
Cloudflare API Shield follows a positive security model.
Mutual TLS (mTLS)
Mutual TLS (mTLS) authentication uses client certificates to ensure that traffic between client and server is bidirectionally secure and trusted. It also allows requests that do not authenticate via an identity provider, such as Internet-of-things (IoT) devices, to demonstrate they can reach a given resource.
Specify the API hosts and Cloudflare will block all requests that do not have a certificate for mutual TLS (mTLS) authentication.
To protect your application with mTLS authentication, use this workflow:
An API Schema defines which API requests are valid based on several request properties like target endpoint and HTTP method.
Schema Validation allows you to check if incoming traffic complies with a previously supplied API Schema. When you provide an API Schema, API Shield creates rules for incoming traffic from the schema definitions. These rules define which traffic is allowed and which traffic gets logged or blocked.
API Shield supports API Schemas using OpenAPI Specification v3. The accepted file formats are YAML (
.yaml file extension) and JSON (
.json file extension).
Cloudflare Schema Validation requires unique Operation IDs for each endpoint and method pair defined in the schema. If there are Operation IDs missing, the schema will be rejected. Operation ID is used to keep track of changes to the same endpoints when updating schemas, and also to label logs in Firewall Events with the right endpoint and method. Cloudflare supports Operation IDs with a maximum size of 32 characters.