While API security is increasingly being exposed to cyber threats, Cloudflare has come up with a solution. Recently, Cloudflare has launched its API security tool ‘API Shield’ as a free tool.
Cloudflare Launched API Shield
As announced via a recent blog post, Cloudflare has introduced API Shield – a dedicated API protection tool for all. The service will be available to all Cloudflare users regardless of the plans for no extra cost.
Briefly, Cloudflare has implemented a few main features in the API Shield to protect Application Programming Interfaces (APIs).
The first of these is the “Positive Security” model that works conversely to a WAF. As described, this model will only allow known behavior whilst blocking everything else (something similar to whitelisting). Whereas, the WAF works on the “negative security” model that blocks problematic behaviors only.
Cloudflare believes that implementing positive security will prevent automated scanners and credential stuffing attack noise.
Also, they have simplified the process of client certificate issuance.
The other notable feature with API Shield is schema validation on requests. Cloudflare describes it as follows,
API Schema validation works by matching the contents of API requests—the query parameters that come after the URL and contents of the POST body—against a contract or “schema” that contains the rules for what is expected. If validation fails, the API call is blocked protecting the origin from an invalid request or a malicious payload.
Presently, schema validation is available as beta for JSON payloads. In the future, it will be available with the API Shield UI. Also, Cloudflare plans to extend this to include gRPC/protocol buffer support.
Cloudflare has demonstrated API Shield implementation in their post.
Cloudflare has pledged to consider users’ feedback on schema validation presently in the beta program. They will then roll it out accordingly to all users in the future.
Also, they plan to offer users the ability to import their own CA, something currently available with Cloudflare Access.
Users can also share any other API security ideas with them.