Discover and secure your API endpoints (Free, Pro, and Business)

Once your API is in production and receiving traffic, you need to decide which endpoints to protect first, what restrictions to apply, and how to monitor for abuse without blocking legitimate clients. This guide walks through that process in five stages: inventory your endpoints, enforce encrypted connections, restrict access to expected traffic patterns, block automated abuse, and monitor the results.

The core workflow uses Cloudflare Application Security (also known as Web Application Firewall or WAF) features, SSL/TLS settings, and bot detection, all available on Free, Pro, and Business plans. Enterprise callouts cover API Shield capabilities for teams that need schema validation, JSON Web Token (JWT) validation, and sequence analysis.

Note

Most procedures in this guide are configured per domain or zone. Select your domain in the Cloudflare dashboard before starting.

Know what you are exposing

Before configuring any security rules, build an inventory of your API endpoints. Without a complete list, you cannot target protections at the right paths or detect when an unknown endpoint starts receiving traffic.

Audit your API surface manually

1. Review your application's routing configuration and list every endpoint with its HTTP method and expected parameters.

   AI-assisted endpoint discovery

   Consider using an AI agent to analyze the API routes exposed in your codebase and then generate an OpenAPI schema from the findings.

2. Categorize each endpoint by access level (public, authenticated, internal). Prioritize endpoints that accept file uploads, process payments, or return sensitive data.

   Access level	Description	Example endpoints
   Public	No authentication required	/api/status, /api/products
   Authenticated	Require a token or session	/api/account, /api/orders
   Internal	Should not be publicly accessible	/api/admin, /api/debug

3. Record the inventory in a spreadsheet or OpenAPI schema file for reference when writing rule expressions in later sections. If you already have an OpenAPI specification, you can use it directly with API Shield's schema validation (covered in the Enterprise callout below).

API Shield Endpoint Discovery (Enterprise)

API Shield can automatically discover API endpoints by analyzing your traffic patterns, surfacing endpoints you may not know are being called. This includes abandoned or undocumented endpoints (also known as shadow APIs) that may be unpatched and unmonitored. For more information, refer to API Discovery.

Enforce HTTPS for all API traffic

API requests carry credentials, tokens, and response data that attackers can intercept over unencrypted connections. Some API clients silently downgrade to HTTP if the server accepts it, sending sensitive data in plaintext. Enforcing HTTPS at the edge prevents this.

Set your SSL/TLS encryption mode

Set your encryption mode to Full (Strict) to encrypt traffic between visitors and Cloudflare and between Cloudflare and your origin server. This mode requires a valid certificate on your origin.

1. In the Cloudflare dashboard, go to the SSL/TLS Overview page.

   Go to Overview

2. For SSL/TLS encryption, select Full (Strict).

For more information on encryption modes and their requirements, refer to SSL/TLS encryption modes.

Turn on Always Use HTTPS

Always Use HTTPS redirects all HTTP requests to HTTPS for every subdomain and host in your application. This prevents clients from accidentally sending API requests over unencrypted connections.

Note

If only some parts of your application support HTTPS, do not turn on Always Use HTTPS. Use a single redirect to redirect specific API paths instead. Refer to Redirect admin area requests to HTTPS for an example.

1. In the Cloudflare dashboard, go to the SSL/TLS Overview page.

   Go to Overview

2. Verify that your SSL/TLS encryption mode is not set to Off. The Always Use HTTPS option is not visible when encryption is off.

3. Go to the Edge Certificates page.

   Go to Edge Certificates

4. Turn on Always Use HTTPS.

Set minimum TLS version to 1.2

Since APIs can carry sensitive information, like credentials and tokens, you want to select an appropriate minimum TLS version with this in mind.

TLS 1.0 and 1.1 have known vulnerabilities. Setting the minimum to TLS 1.2 rejects connections from clients using older protocols.

1. In the Cloudflare dashboard, go to the Edge Certificates page.

   Go to Edge Certificates

2. For Minimum TLS Version, select TLS 1.2.

For more information, refer to Minimum TLS Version.

Disable Automatic HTTPS Rewrites for API-only domains

Automatic HTTPS Rewrites changes HTTP links to HTTPS within HTML responses. For API endpoints that return JSON or other non-HTML content, this rewriting is unnecessary and can cause unexpected behavior if API clients follow rewritten URLs. If your domain serves only API traffic, turn off this setting.

1. In the Cloudflare dashboard, go to the Edge Certificates page.

   Go to Edge Certificates

2. Turn off Automatic HTTPS Rewrites.

Note

If your domain serves both a website and an API, keep Automatic HTTPS Rewrites on for the website. The rewriting only applies to HTML responses, so JSON API responses are not affected.

Restrict access to your API endpoints

Legitimate API clients send predictable request patterns: specific HTTP methods, expected headers like Content-Type: application/json, and requests to documented paths. Application Security custom rules let you block traffic that deviates from these patterns. Rate limiting rules cap request volume per client to prevent abuse.

Block requests missing expected headers

API clients typically include a Content-Type header and may include an Authorization header or a custom API key header. Requests to your API paths that lack these headers are not from your expected clients.

The following custom security rule blocks requests to /api/ paths that are missing a Content-Type header. Adjust the path and header checks to match your API.

New dashboard

1. In the Cloudflare dashboard, go to Security > Security rules.

   Go to Security rules

2. Select Create rule > Custom rules.

3. Define the rule name. For example, Block API requests missing Content-Type.

4. In the expression editor, enter:

   (starts_with(http.request.uri.path, "/api/") and not len(http.request.headers["content-type"][0]) > 0)

5. For Choose action, select Block.

6. Select Deploy.

Old dashboard

1. Log in to the Cloudflare dashboard ↗, and select your account and domain.

2. Go to Security > WAF > Custom rules.

3. Select Create rule.

4. Define the rule name. For example, Block API requests missing Content-Type.

5. In the expression editor, enter:

   (starts_with(http.request.uri.path, "/api/") and not len(http.request.headers["content-type"][0]) > 0)

6. For Choose action, select Block.

7. Select Deploy.

Restrict HTTP methods per endpoint

If your /api/users endpoint only accepts GET and POST requests, block all other HTTP methods on that path. This prevents attackers from probing with PUT, DELETE, or PATCH requests against endpoints that do not support them.

New dashboard

1. In the Cloudflare dashboard, go to Security > Security rules.

   Go to Security rules

2. Select Create rule > Custom rules.

3. Define the rule name. For example, Block unexpected methods on /api/users.

4. In the expression editor, enter:

   (http.request.uri.path eq "/api/users" and http.request.method ne "GET" and http.request.method ne "POST")

   Adjust the path and allowed methods to match your endpoint.

5. For Choose action, select Block.

6. Select Deploy.

Old dashboard

1. Log in to the Cloudflare dashboard ↗, and select your account and domain.

2. Go to Security > WAF > Custom rules

3. Select Create rule.

4. Define the rule name. For example, Block unexpected methods on /api/users.

5. In the expression editor, enter:

   (http.request.uri.path eq "/api/users" and http.request.method ne "GET" and http.request.method ne "POST")

   Adjust the path and allowed methods to match your endpoint.

6. For Choose action, select Block.

7. Select Deploy.

Repeat this pattern for each endpoint with restricted methods. You can combine multiple paths into a single rule using or operators if they share the same allowed methods.

Tip

Instead of manually creating rules for each endpoint, consider creating a single fallthrough custom rule. You need to:

1. Add your API endpoints to Endpoint Management from a schema or manually.
2. Create a fallthrough rule that blocks requests that do not match a saved endpoint in Endpoint Management.

Rate limit API endpoints

API endpoints receive more targeted abuse than web pages because attackers can call them at machine speed without rendering a browser. Rate limiting caps the number of requests a single client can send within a time window.

Create separate rate limiting rules for authenticated and unauthenticated endpoints. Unauthenticated endpoints (login, registration, password reset) need tighter limits because they are primary targets for credential stuffing and brute force attacks.

The following example limits requests to /api/auth/login to 10 per minute per IP address. Adjust the path, request threshold, and period for your endpoints.

New dashboard

1. In the Cloudflare dashboard, go to the Security rules page.

   Go to Security rules

2. Select Create rule > Rate limiting rules.

3. Enter a descriptive name. For example, Rate limit login endpoint.

4. In the Field drop-down, select URI Path. Set Operator to equals and Value to /api/auth/login.

5. Under With the same characteristics, add IP.

6. Under When rate exceeds, set Requests to 10 and Period to 1 minute.

7. Under Then take action, select Block.

8. Set the Duration (mitigation timeout) to 1 minute.

9. Select Deploy.

Old dashboard

1. Log in to the Cloudflare dashboard ↗, and select your account and zone.

2. Go to Security > WAF > Rate limiting rules.

3. Select Create rule.

4. Enter a descriptive name. For example, Rate limit login endpoint.

5. In the Field drop-down, select URI Path. Set Operator to equals and Value to /api/auth/login.

6. Under With the same characteristics, add IP.

7. Under When rate exceeds, set Requests to 10 and Period to 1 minute.

8. Under Then take action, select Block.

9. Set the Duration (mitigation timeout) to 1 minute.

10. Select Deploy.

For more information on rate limiting parameters and counting characteristics, refer to Rate limiting parameters.

Note

Rate limiting rules may allow a small number of excess requests before enforcement starts, due to counter propagation delays across data centers. For more information, refer to Request rate calculation.

For an API-specific example using an API key as a counting characteristic, refer to Rate limiting rule examples.

Schema Validation and JWT Validation (Enterprise)

API Shield can validate incoming requests against your OpenAPI schema, blocking requests with unexpected parameters, methods, or content types before they reach your origin. Upload your schema or let Cloudflare learn it from your traffic. For more information, refer to Schema validation.

API Shield can also validate JSON Web Tokens (JWTs) at the edge, rejecting expired, tampered, or invalid tokens before requests reach your origin. This requires adding your JWT issuer's public keys and creating a validation rule. For more information, refer to JSON Web Tokens validation.

Protect against automated API abuse

Bots call API endpoints at machine speed without browser overhead. Common automated attacks against APIs include credential stuffing against authentication endpoints, data scraping through listing endpoints, and inventory manipulation through cart or checkout endpoints.

Turn on Bot Fight Mode (Free)

Note

If you are on a Cloudflare Pro or Business plan, go to the next section. You will configure Super Bot Fight Mode later.

Bot Fight Mode challenges requests that match known bot patterns. It applies to your entire domain and is available on all plans at no additional cost.

New dashboard

1. In the Cloudflare dashboard, go to the Security Settings page.

   Go to Settings

2. Filter by Bot traffic.

3. Go to Bot fight mode.

4. Turn Bot fight mode on.

Old dashboard

1. Log in to the Cloudflare dashboard ↗, and select your account and domain.
2. Go to Security > Bots.
3. For Bot Fight Mode, select On.

Bot Fight Mode may interfere with legitimate automated traffic to your API, such as monitoring tools, CI/CD pipelines, or partner integrations. If you have legitimate bot clients, create an exception rule before turning on Bot Fight Mode (see the next section).

For more information on Bot Fight Mode behavior and limitations, refer to Bot Fight Mode.

Create exception rules for legitimate bot clients (Pro, Business)

If your API receives traffic from known automated clients (monitoring services, partner APIs, CI/CD systems), create a custom security rule with the Skip action to exclude them from bot protections. Create the exception rule before turning on Super Bot Fight Mode in the next section.

New dashboard

1. In the Cloudflare dashboard, go to Security > Security rules.

   Go to Security rules

2. Select Create rule > Custom rules.

3. Define the rule name. For example, Skip bot protections for monitoring service.

4. Build an expression that matches your known bot traffic. For example, to skip protections for requests from a specific IP range with a known User-Agent:

   (ip.src in {203.0.113.0/24} and http.user_agent contains "MonitoringBot")

   Replace the IP range and User-Agent with values that match your legitimate bot clients.

5. For Choose action, select Skip and then select All Super Bot Fight Mode rules.

6. Select Deploy.

Old dashboard

1. Log in to the Cloudflare dashboard ↗, and select your account and domain.

2. Go to Security > WAF > Custom rules

3. Select Create rule.

4. Define the rule name. For example, Skip bot protections for monitoring service.

5. Build an expression that matches your known bot traffic. For example, to skip protections for requests from a specific IP range with a known User-Agent:

   (ip.src in {203.0.113.0/24} and http.user_agent contains "MonitoringBot")

   Replace the IP range and User-Agent with values that match your legitimate bot clients.

6. For Choose action, select Skip and then select All Super Bot Fight Mode rules.

7. Select Deploy.

Note

Place exception rules above (before) enforcement rules in your rule list. Cloudflare evaluates custom rules in order, and the first matching rule with a terminating action stops evaluation. For more information, refer to Rule execution order.

Configure Super Bot Fight Mode (Pro, Business)

Super Bot Fight Mode provides granular controls that apply across your domain, allowing you to apply different actions to different bot types.

Note

If you are upgrading from Bot Fight Mode to Super Bot Fight Mode, you must disable Bot Fight Mode in your Bot settings.

• Old dashboard: Security > Bots, and select Configure Bot Fight Mode.
• New dashboard: Security > Settings. Filter by Bot traffic and turn Bot fight mode off.

To configure Super Bot Fight Mode:

New dashboard

1. In the Cloudflare dashboard, go to the Security Settings page.

   Go to Settings

2. Filter by Bot traffic.

3. Go to Super Bot fight mode.

4. Turn Super Bot fight mode on.

5. Choose how your domain should respond to various types of traffic by selecting the associated edit icon:

   • For more details on verified bots, refer to Verified Bots.
   • For more details on supported file types, refer to Static resource protection.
   • For more details on invisible code injection, refer to JavaScript detections.
   • For more details on WordPress optimization, refer to Super Bot Fight Mode for WordPress.

Old dashboard

1. Log in to the Cloudflare dashboard ↗, and select your account and domain.

2. Go to Security > Bots.

3. Select Configure Super Bot Fight Mode.

4. Choose how your domain should respond to various types of traffic:

   • For more details on verified bots, refer to Verified Bots.
   • For more details on supported file types, refer to Static resource protection.
   • For more details on invisible code injection, refer to JavaScript detections.
   • For more details on WordPress optimization, refer to Super Bot Fight Mode for WordPress.

With Super Bot Fight Mode, you can configure different actions for different bot types:

• Block or allow verified bots
• Configure a separate action (allow, block, or challenge) for Definitely automated traffic (bot score of 1)
• On Business plans and above: Configure a separate action for Likely automated traffic (bot score of 2-29)

Super Bot Fight Mode applies domain-wide and does not support path-specific rules. If you need to apply different bot thresholds to different API paths, you need a Bot Management subscription (Enterprise).

Bot score in custom rules (Enterprise)

With a Bot Management subscription, you can write custom rules using cf.bot_management.score to set path-specific thresholds. For example, block requests with a bot score below 30 on /api/auth paths while allowing all scores on other API paths. For more information, refer to Bot Management.

Detect leaked credentials on login endpoints

Application Security leaked credentials detection checks incoming requests for username and password combinations that appeared in known data breaches. Use this detection to rate limit or challenge requests containing compromised credentials on your authentication endpoints.

Note

Access to the cf.waf.credential_check.username_and_password_leaked field (User and Password Leaked) requires a Pro plan or above. If you are on a Free plan, use the cf.waf.credential_check.password_leaked field (Password Leaked) instead, which indicates whether the password detected in the request was previously leaked.

The following rate limiting rule limits requests that contain a previously leaked username and password combination to 5 per minute per IP:

Setting	Value
Expression	cf.waf.credential_check.username_and_password_leaked
Counting characteristics	IP
Requests per period	5 requests / 1 minute
Action	Block

For the full expression including account takeover (ATO) detection IDs, refer to Example mitigation rules.

Sequence Analytics and sequence mitigation custom rules (Enterprise)

API Shield tracks the order of API endpoint requests over time, grouping important user journeys (sequences) across your API. Sequences with high precedence scores indicate requests that are likely to occur together in order. Anomalous sequences may indicate automated abuse, such as a bot that calls /auth, then /account, then /transfer in rapid succession. For more information, refer to Sequence Analytics.

Enterprise users with a Fraud Detection subscription can also create sequence mitigation custom rules to mitigate invalid sequences of API calls.

Monitor your API traffic

After deploying your security rules, review the results to identify false positives and tune your thresholds. False positives (legitimate clients being blocked) and false negatives (abuse getting through) both require adjustments.

Review Security Events for API paths

Security Events shows every request that your rules matched, including the action taken and the rule that triggered it. Filter by your API path prefix to see what Cloudflare is blocking and why.

New dashboard

1. In the Cloudflare dashboard, go to the Analytics page.

   Go to Analytics

2. Select the Events tab.

3. Add a filter for URI Path starts with /api/.

4. Review the events. Look for legitimate clients that are being blocked (false positives). Common indicators of false positives:

   • Requests from known partner IP addresses
   • Requests with valid API keys or authorization headers
   • Requests from monitoring services with known User-Agent strings

Old dashboard

1. Log in to the Cloudflare dashboard ↗, and select your account and zone.
2. Go to Security > Events.
3. Add a filter for URI Path starts with /api/.
4. Review the events. Look for legitimate clients that are being blocked (false positives). Common indicators of false positives:
   • Requests from known partner IP addresses
   • Requests with valid API keys or authorization headers
   • Requests from monitoring services with known User-Agent strings

If you find false positives, update your custom rules to exclude the affected traffic. Refer to the exception rule procedure in an earlier section.

Tune rate limiting thresholds

Rate limiting thresholds that are too tight block legitimate clients. Thresholds that are too loose allow abuse. Review rate limiting events in Security Events to find the right balance.

New dashboard

1. In the Cloudflare dashboard, go to the Analytics page.

   Go to Analytics

2. Select the Events tab.

3. Filter by Action equals Block and Service equals Rate limiting.

4. Check whether blocked requests come from legitimate clients or abusive traffic.

5. If legitimate clients are being rate limited, edit the relevant rate limiting rule to increase the request threshold or widen the time period for the affected rule.

6. If abusive traffic is getting through, lower the rule threshold or narrow the time period.

Old dashboard

1. Log in to the Cloudflare dashboard ↗, and select your account and zone.
2. Go to Security > Events.
3. Filter by Action equals Block and Service equals Rate limiting.
4. Check whether blocked requests come from legitimate clients or abusive traffic.
5. If legitimate clients are being rate limited, edit the relevant rate limiting rule to increase the request threshold or widen the time period for the affected rule.
6. If abusive traffic is getting through, lower the rule threshold or narrow the time period.

Security Analytics rate analysis requires an Enterprise plan

Enterprise customers can use the Request rate analysis tab in Security Analytics to visualize request rate distributions and the Log action to observe rule matches without taking action. On other plans, estimate thresholds based on your expected traffic patterns. Refer to Find an appropriate rate limit for the full methodology.

Set up notifications for security event spikes

Cloudflare Notifications can alert you when security event volume exceeds a threshold, indicating a potential attack or a misconfigured rule.

1. In the Cloudflare dashboard, go to the Notifications page.

   Go to Notifications

2. Select Add.

3. Filter by WAF and select Security Events Alert.

4. Define a name for the notification and the delivery method (email, webhook, or PagerDuty).

5. Next, configure the domains for which you want to receive notifications. You can also filter events by a targeted action (for example, Block or Skip).

6. Select Create.

For the full list of available notification types, refer to Available notifications.

Advanced security events notifications (Enterprise)

Enterprise customers have access to the Advanced Security Events Alert notification type, which includes an additional filter for the app security services the alert should monitor.

Related resources

Application Security

• Custom rules — Create rules based on request attributes to block, challenge, or skip specific security features for targeted traffic
• Rate limiting rules — Define request rate thresholds per client and choose enforcement actions
• Rate limiting best practices — Common rate limiting patterns for credential stuffing, API protection, and GraphQL
• Rate limiting rule examples — Example rules with expressions for login pages, API keys, and complexity-based limiting
• Security features interoperability — How custom rules, rate limiting rules, Super Bot Fight Mode, and Managed Rules interact
• Leaked credentials detection — Detect requests containing credentials from known data breaches
• Security Events — Review matched requests and rule actions

Bots

• Bot Fight Mode — Automatic challenge for requests matching known bot patterns (Free plan)
• Super Bot Fight Mode — Granular bot controls including verified bot allowlisting (Pro, Business, Enterprise)
• Bot Management — Bot score, detection IDs, and custom rule templates (Enterprise)
• Bot Management variables — Fields available in rule expressions for bot detection (Enterprise)

SSL/TLS

• Get started with SSL/TLS — Edge certificates, encryption modes, and HTTPS enforcement
• Always Use HTTPS — Redirect all HTTP requests to HTTPS
• Minimum TLS Version — Reject connections using older TLS protocols

API Shield (Enterprise)

• API Shield overview — Discovery, schema validation, JWT validation, and sequence analytics for API security
• Get started with API Shield — Onboarding flow from session identifiers through schema validation
• API Discovery — Automatic endpoint discovery from traffic analysis
• Schema validation — Validate incoming requests against your OpenAPI schema
• JWT validation — Verify JSON Web Tokens at the edge
• Sequence Analytics — Track and analyze API request sequences
• Volumetric Abuse Detection — Per-session, per-endpoint adaptive rate limiting
• Authentication Posture — helps users identify authentication misconfigurations for APIs and alerts of their presence
• BOLA vulnerability detection — Detect endpoints at risk of Broken Object Level Authorization (BOLA) attacks
• Vulnerability Scanner — Test your API endpoints for common vulnerabilities