Skip to content
Visit Firewall on GitHub
Set theme to dark (⇧+D)

API Shield™

Cloudflare API Shield allows you to secure your APIs using the following security solutions:

  • Mutual TLS (mTLS) — Blocks traffic from devices that do not have a valid client SSL/TLS certificate with an API Shield rule.
  • Schema Validation — Protects your origin from invalid API requests or a malicious payload by matching each request with the provided schema.

A positive security model for APIs

Implementing a positive security model for APIs is the most direct way to eliminate credential stuffing attacks and deny access to automated scanning tools. Unlike the security model followed by firewalls, in a positive security model you define the requirements and admissible behavior of incoming traffic. The only allowed requests are the ones that comply with the defined rules.

Cloudflare API Shield follows a positive security model.

Mutual TLS (mTLS)

Mutual TLS (mTLS) authentication uses client certificates to ensure that traffic between client and server is bidirectionally secure and trusted. It also allows requests that do not authenticate via an identity provider, such as Internet-of-things (IoT) devices, to demonstrate they can reach a given resource.

mTLS sequence diagram

Support includes gRPC-based APIs, which use binary formats such as protocol buffers rather than JSON.

Specify the API hosts and Cloudflare will block all requests that do not have a certificate for mutual TLS (mTLS) authentication.

Configuring mTLS

To protect your application with mTLS authentication, use this workflow:

  1. Use Cloudflare's fully hosted public key infrastructure (PKI) to create a client certificate in the Cloudflare dashboard.

  2. Configure your mobile app or IoT device to use your Cloudflare-issued client certificate.

  3. Enable mTLS for the hosts you wish to protect.

  4. Create Cloudflare firewall rules that require API requests to present a valid client certificate. The Firewall app in the Cloudflare dashboard provides a dedicated interface where you can create mTLS rules.

Schema Validation

An API Schema defines which API requests are valid based on several request properties like target endpoint and HTTP method.

Schema Validation allows you to check if incoming traffic complies with a previously supplied API Schema. When you provide an API Schema, API Shield creates rules for incoming traffic from the schema definitions. These rules define which traffic is allowed and which traffic gets logged or blocked.

API Shield supports API Schemas using OpenAPI Specification v3. The accepted file formats are YAML (.yml or .yaml file extension) and JSON (.json file extension).

To configure Schema Validation for one or more hosts using the dashboard, check Configure Schema Validation.

Operation IDs

Cloudflare Schema Validation requires unique Operation IDs for each endpoint and method pair defined in the schema. If there are Operation IDs missing, the schema will be rejected. Operation ID is used to keep track of changes to the same endpoints when updating schemas, and also to label logs in Firewall Events with the right endpoint and method. Cloudflare supports Operation IDs with a maximum size of 32 characters.