Skip to content
Visit Firewall on GitHub
Set theme to dark (⇧+D)

API Shield™

Cloudflare API Shield makes it easy to secure APIs with strong client-certificate-based encryption. Support includes gRPC-based APIs, which use binary formats such as protocol buffers rather than JSON.

A positive security model for APIs

Implementing a positive security model for APIs is the most direct way to eliminate credential stuffing attacks and deny access to automated scanning tools. The first step towards a positive model is deploying strong authentication such as mutual TLS (mTLS) authentication, which is not vulnerable to password reuse or sharing.

Mutual TLS authentication uses client certificates to ensure that traffic between client and server is bidirectionally secure and trusted. It also allows requests that do not authenticate via an identity provider, such as Internet-of-things (IoT) devices, to demonstrate they can reach a given resource.

mTLS sequence diagram

Use Cloudflare API Shield

Cloudflare API Shield simplifies the deployment and enforcement of mTLS authentication and is available to all Cloudflare plans.

To protect your application with API Shield, use this workflow:

  1. Enable mTLS for the hosts you wish to protect with API Shield.

  2. Use Cloudflare's fully hosted public key infrastructure (PKI) to create a client certificate in the Cloudflare dashboard.

  3. Create Cloudflare firewall rules that require API requests to present a valid client certificate. The Firewall app in the Cloudflare dashboard provides a dedicated interface where you can create API Shield rules.

  4. Configure your mobile app or IoT device to use your Cloudflare-issued client certificate.