
Require a valid client certificate

Use Cloudflare API Shield™ to protect your API or web application with client-certificate-based encryption.

Before you can use API Shield to protect your API or web application, you must do the following:

This example creates a firewall rule that requires API calls to present a valid client certificate. When the client certificate cannot be verified, the rule triggers the Block action.

The rule includes a compound expression that comprises two simple expressions joined by the and operator.

The first expression uses the field and the in operator to capture the hosts that should be protected — and in this example.

The second expression — not cf.tls_client_auth.cert_verified — returns true when a request to access the API or web application does not present a valid client certificate.

Because the action is Block, only requests that present a valid client certificate can access the specified hosts:

Expression: ( in {"" ""} and not cf.tls_client_auth.cert_verified)
Action: Block
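The following is an added example, not Cloudflare's code: a small Python model of the compound expression above, run over constructed requests, showing which requests the rule blocks and which hosts fall outside its scope. The host names are hypothetical placeholders, and the `host` key stands in for the host field, whose name is not shown on this page.

```python
from collections import Counter

# Hypothetical placeholder hosts (assumption: the page's real host names are not shown).
PROTECTED_HOSTS = {"api.example.com", "app.example.com"}

def rule_matches(request, protected_hosts=PROTECTED_HOSTS):
    """Model of: (<host field> in {...} and not cf.tls_client_auth.cert_verified)."""
    in_scope = request["host"] in protected_hosts   # first simple expression
    unverified = not request["cert_verified"]       # second simple expression
    return in_scope and unverified                  # joined by the and operator

def action_for(request, protected_hosts=PROTECTED_HOSTS):
    """The rule's action is Block; a request that does not match is passed on."""
    return "block" if rule_matches(request, protected_hosts) else "pass"

def evaluate(requests, protected_hosts=PROTECTED_HOSTS):
    """Return (host, action) for every request, in order."""
    return [(r["host"], action_for(r, protected_hosts)) for r in requests]

def coverage_gaps(requests, protected_hosts=PROTECTED_HOSTS):
    """Count requests without a verified certificate that the rule never sees
    because their host is not in the protected set."""
    return dict(Counter(
        r["host"] for r in requests
        if r["host"] not in protected_hosts and not r["cert_verified"]
    ))

# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    {"host": "api.example.com", "cert_verified": True},   # valid certificate: allowed
    {"host": "api.example.com", "cert_verified": False},  # no valid certificate: blocked
    {"host": "app.example.com", "cert_verified": False},  # blocked
    {"host": "www.example.com", "cert_verified": False},  # host not listed: rule does not apply
    {"host": "www.example.com", "cert_verified": False},
    {"host": "www.example.com", "cert_verified": True},
]

if __name__ == "__main__":
    for host, action in evaluate(SAMPLE_REQUESTS):
        print(f"{host:20} {action}")
    print("hosts outside the rule receiving unverified requests:",
          coverage_gaps(SAMPLE_REQUESTS))
```

Requests to a host that is not in the set pass regardless of certificate state, so any host that needs mTLS enforcement must be added to the set.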

To create an mTLS rule that requires a valid client certificate in the Cloudflare dashboard, use the Mutual TLS Rule interface in the Firewall app.