Changelog
New API Posture Management for API Shield
Now, API Shield automatically labels your API inventory with API-specific risks so that you can track and manage risks to your APIs.
View these risks in Endpoint Management by label or in Security Center Insights.
API Shield will scan for risks on your API inventory daily. Here are the new risks we're scanning for and automatically labelling:
- cf-risk-sensitive: applied if the customer is subscribed to the sensitive data detection ruleset and the WAF detects sensitive data returned on an endpoint in the last seven days.
- cf-risk-missing-auth: applied if the customer has configured a session ID and no successful requests to the endpoint contain the session ID.
- cf-risk-mixed-auth: applied if the customer has configured a session ID and some successful requests to the endpoint contain the session ID while some lack the session ID.
- cf-risk-missing-schema: added when a learned schema is available for an endpoint that has no active schema.
- cf-risk-error-anomaly: added when an endpoint experiences a recent increase in response errors over the last 24 hours.
- cf-risk-latency-anomaly: added when an endpoint experiences a recent increase in response latency over the last 24 hours.
- cf-risk-size-anomaly: added when an endpoint experiences a spike in response body size over the last 24 hours.
In addition, API Shield has two new 'beta' scans for Broken Object Level Authorization (BOLA) attacks. If you're in the beta, you will see the following two labels when API Shield suspects an endpoint is suffering from a BOLA vulnerability:
- cf-risk-bola-enumeration: added when an endpoint experiences successful responses with drastic differences in the number of unique elements requested by different user sessions.
- cf-risk-bola-pollution: added when an endpoint experiences successful responses where parameters are found in multiple places in the request.
We are currently accepting more customers into our beta. Contact your account team if you are interested in BOLA attack detection for your API.
Refer to the blog post for more information about Cloudflare's expanded posture management capabilities.
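The cf-risk-missing-auth and cf-risk-mixed-auth conditions listed above come down to counting, per endpoint, the successful requests with and without the session ID. The following is an added example, not Cloudflare's implementation, that applies those stated conditions to constructed request records. Treating 2xx as "successful", using an `authorization` header as the session identifier, and counting an empty header value as absent are assumptions.

```python
from collections import defaultdict

# Assumption: the configured session identifier is a request header.
SESSION_HEADER = "authorization"

# Constructed sample records: (method, endpoint, status, request headers).
SAMPLE_REQUESTS = [
    ("GET", "/api/v1/users/{var1}", 200, {"authorization": "Bearer a"}),
    ("GET", "/api/v1/users/{var1}", 200, {"authorization": "Bearer b"}),
    ("GET", "/api/v1/orders", 200, {"authorization": "Bearer a"}),
    ("GET", "/api/v1/orders", 200, {}),
    ("GET", "/api/v1/health", 200, {}),
    ("GET", "/api/v1/health", 204, {"Authorization": ""}),
    ("POST", "/api/v1/export", 401, {}),
    ("POST", "/api/v1/export", 403, {}),
]


def has_session_id(headers, name=SESSION_HEADER):
    """True if the session header is present (case-insensitive) and non-empty."""
    return any(k.lower() == name.lower() and v.strip() for k, v in headers.items())


def auth_posture_labels(requests, name=SESSION_HEADER):
    """Map (method, endpoint) -> auth risk label, or None when no label applies."""
    counts = defaultdict(lambda: [0, 0])  # [with session ID, without session ID]
    for method, endpoint, status, headers in requests:
        if not 200 <= status < 300:  # Assumption: "successful" means a 2xx response.
            continue
        counts[(method, endpoint)][0 if has_session_id(headers, name) else 1] += 1

    labels = {}
    for key, (with_id, without_id) in counts.items():
        if with_id == 0:
            labels[key] = "cf-risk-missing-auth"  # no successful request had the ID
        elif without_id > 0:
            labels[key] = "cf-risk-mixed-auth"    # some had it, some did not
        else:
            labels[key] = None                    # every successful request had it
    return labels


if __name__ == "__main__":
    for endpoint, label in auth_posture_labels(SAMPLE_REQUESTS).items():
        print(endpoint, label)
```

An endpoint that only ever rejects unauthenticated requests (the constructed `/api/v1/export` records) gets no label, because only successful responses are counted.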
New automatically applied risk labels
API Shield now automatically labels endpoints with risks due to missing schemas and performance anomalies (spikes in error rates, latency, and response body sizes).
API Authentication Posture
Customers will see per-endpoint authentication details inside API Shield's Endpoint Management for zones with configured session identifiers.
Automatically applied endpoint risk labels
API Shield now automatically labels endpoints with risks due to authentication status and sensitive data detection.
Endpoint labels
Customers can now organize their endpoints by use case and custom labels in Endpoint Management for easy reference and future machine learning (ML) model training.
API Shield fields in Custom Rules
Customers can now use API Shield product feature fields in custom rules, referencing features such as JWT Validation, session identifiers, and Schema Validation.
Fallthrough rule for Schema Validation 2.0
Customers can now enable the Fallthrough Action for Schema Validation 2.0 to block or log requests that do not match the endpoints listed in schemas protected by Schema Validation 2.0.
Increased capacity for Endpoint Management and Schema Validation
Endpoint Management and Schema Validation now support up to 10,000 saved and validated API endpoints.
API Discovery's hostname variables
Customers can now see when API Discovery groups similar subdomains with the same methods and paths, making it easy to discover and manage APIs that share many vanity domains or subdomains.
Route API requests using API Routing
Customers can now route requests to different back-end services through API Routing, creating a unified front for their APIs distributed across otherwise disparate systems.
Use JWT claims in Advanced Rate Limiting, Transform Rules, and as session IDs
Customers can now use the fields inside JSON Web Tokens (known as claims) as session identifiers in API Shield, to count values in Advanced Rate Limiting, and to forward useful information in Transform Rules.
Build Sequence Mitigation rules via the Cloudflare dashboard
Customers can now build Sequence Mitigation rules with a new user interface inside the API Shield section of the Cloudflare dashboard.
Endpoint Management supports hostname variables
Customers can now save endpoints in Endpoint Management that contain variables in the hostname. Hostname variables are supported across all product features.