Skip to content
Visit Firewall on GitHub
Set theme to dark (⇧+D)

Require a valid client certificate

Use Cloudflare API Shield™ to protect your API or web application with client-certificate-based encryption.

Before you can use API Shield to protect your API or web application, you must do the following:

This example creates a firewall rule that requires API calls to present a valid client certificate. When the client certificate cannot be verified, the rule triggers the Block action.

The rule includes a compound expression that comprises two simple expressions joined by the and operator.

The first expression uses the field and the in operator to capture the hosts that should be protected— and in this example.

The second expression—not cf.tls_client_auth.cert_verified—returns true when a request to access the API or web application does not present a valid client certificate.

Because the action is Block, only requests that present a valid client certificate can access the specified hosts:

( in {"" ""} and not cf.tls_client_auth.cert_verified)Block

To create an API Shield rule that requires a valid client certificate in the Cloudflare dashboard, use the API Shield Rule interface in the Firewall app.