
Require a valid client certificate

Use Cloudflare API Shield™ to protect your API or web application with client-certificate-based encryption.

Before you can use API Shield to protect your API or web application, you must do the following:

This example creates a firewall rule that requires API calls to present a valid client certificate. When the client certificate cannot be verified, the rule triggers the Block action.

The rule includes a compound expression that comprises two simple expressions joined by the and operator.

The first expression uses the http.host field and the in operator to capture the hosts that should be protected — orangeclouded.com and api.orangeclouded.com in this example.

The second expression — not cf.tls_client_auth.cert_verified — returns true when a request to access the API or web application does not present a valid client certificate.

Because the action is Block, only requests that present a valid client certificate can access the specified hosts:

Expression: (http.host in {"orangeclouded.com" "api.orangeclouded.com"} and not cf.tls_client_auth.cert_verified)
Action: Block
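To make the rule's semantics concrete, here is an added example (not Cloudflare's code) that models how the compound expression above evaluates against constructed sample requests; the `Request` class, the `decide` helper and every hostname other than the two listed in the rule are assumptions, and the evaluator only mirrors the `in` and `not` logic of this one rule, not the Cloudflare rules engine.

```python
"""Minimal model of the page's mTLS firewall rule, run over constructed
sample requests. The field names http.host and cf.tls_client_auth.cert_verified
come from the page; Request, decide and the sample hosts are constructed."""
from dataclasses import dataclass

# Hosts listed in the rule's `in {...}` set (from the page's example).
PROTECTED_HOSTS = {"orangeclouded.com", "api.orangeclouded.com"}


@dataclass(frozen=True)
class Request:
    host: str            # value of http.host
    cert_verified: bool  # value of cf.tls_client_auth.cert_verified
    # cert_verified is False both when no client certificate is presented
    # and when one is presented but cannot be verified.


def rule_matches(req: Request) -> bool:
    """(http.host in {...} and not cf.tls_client_auth.cert_verified)."""
    # `in` is an exact-match set test: a hostname not listed (for example a
    # subdomain that was forgotten) is simply not covered by this rule.
    return req.host in PROTECTED_HOSTS and not req.cert_verified


def decide(req: Request) -> str:
    """'block' when the rule matches (the Block action fires), otherwise
    'pass': the request is not touched by this rule."""
    return "block" if rule_matches(req) else "pass"


# Constructed sample traffic covering each branch of the expression.
SAMPLES = [
    Request("api.orangeclouded.com", cert_verified=False),  # no/invalid cert
    Request("api.orangeclouded.com", cert_verified=True),   # valid cert
    Request("orangeclouded.com", cert_verified=False),      # no/invalid cert
    Request("www.orangeclouded.com", cert_verified=False),  # host not listed
    Request("example.net", cert_verified=True),             # unrelated host
]


def run() -> dict:
    """Map (host, cert_verified) -> outcome for every sample request."""
    return {(r.host, r.cert_verified): decide(r) for r in SAMPLES}


if __name__ == "__main__":
    for key, outcome in run().items():
        print(key, "->", outcome)
```

The fourth sample shows the check a practitioner wants before deploying: only the hosts spelled out in the set are protected, so any additional hostname serving the API must be added to the list.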

To create an mTLS rule that requires a valid client certificate in the Cloudflare dashboard, use the Mutual TLS Rule interface in the Firewall app.