Cloudflare API Shield
41 Replies
I hope Cloudflare makes it available to Pro during Birthday Week as having API Shield in any means would make the internet a safer place
This would be so useful for smaller customers
Yea it's pretty cool. I haven't played around with it too much, but the docs and blogs are pretty extensive on it:
It has schema validation, you can upload a schema to it (I think OpenAI) and have it block or log traffic that doesn't conform to it:
https://developers.cloudflare.com/api-shield/security/schema-validation/
You can have it enforce specific request patterns/sequences:
https://developers.cloudflare.com/api-shield/security/sequence-mitigation/
Like for example, if your app on transferring money is always:
Get Accounts -> Get Balance -> Transfer, you can block requests out of that order
For DDoS Attacks specifically, other than schema or sequence mitigation, it can also verify JSON Web Tokens for you (https://developers.cloudflare.com/api-shield/security/jwt-validation/) and auto-suggest rate limiting rules based on traffic
https://www.youtube.com/watch?v=wWkjqxHCfEI
This is literally needed in Pro, hell even a limited version without analytics and ratelimiting functionality would be nice for Free.
Ratelimiting in Free & Pro is pretty much near useless due to how limiting it is.
You only get two rules in Pro which is even more limiting than Free WAF
Like when I heard Cloudflare revamped rate-limiting to not charge per request, I was hyped UNTIL I saw how bad it was for non-enterprise customers, and even still limiting on Business
The rate limiting it uses is the same, it just generates a rule for you
Yeah, it's smart
kind of
It doesn't adapt when under attack
but learns what's best for you
You'd have Enterprise Rate limiting though, if you had API Shield, of course you'd have a lot more options/settings
Which is amazing
I still feel rate-limiting could use a boost for non-Enterprise customers as well as allowing API Shield for non-Enterprise customers
Power to the people 💪
what's limiting with Pro Rate Limiting? You have pretty good options.
For free I agree, you don't even have Path, but Pro has path and most useful fields
Limited amount of rules, preset timespans (You can't even change the time in Enterprise to be a custom amount afaik), no ability to give specific ASNs different ratelimits, etc
Would be extra useful for known hosts where the majority of their customers are botnets and which aren't generally used for VPNs either; it would be amazing
Do you know if Pro can even change "Block" to Managed Challenge?
eeh rate limiting different ASNs is kind of sketchy though, you'd run into issues
I thought Cloudflare was dead-set on eliminating captchas or false positives you know
Issue with rate-limiting is if it's on an API and uses Managed Challenge, how the hell will it work if it's being interacted with on a front end
Managed Challenges set a specific header (I want to say it's cf-mitigated), which you can check for.
Otherwise, that's why you use block
This is options on a Pro account
Personally I use Block with custom json that my front end understands and can show a helpful "Slow down/back off" message
Not from my testing, as if I issue a Managed Challenge on my API hostname with WAF, it will cause errors on my API if interacted with directly on my Cloudflare Pages website
If Rate-limiting rules could also interact with specific WAF Rules that'd be cool
Country-specific ratelimits aren't really bad either
What if your product doesn't support specific countries? Sure you can block them, but that's bad business
Ratelimiting them harder or at all would still help prevent some requests
Ah.
I haven't used Pro in a while as we are currently revamping our product so you know yeah
Better to not pay when you don't need it
I still think the amount of rules is rather limiting
Challenge bad ASNs or countries imo
I do.
But rate-limiting would be more useful for an API
I think your use case of trying to have different rate limits for specific countries or ASNs is kind of weird/not normal
it'd be really confusing for users
especially if it's a non-user facing API
🤷‍♂️
There's also other use cases for it.
I use APIs from other companies for a variety of things that do not have an IP list or custom ASN
So if they do add a new IP, I cannot simply automatically have it on a specific ratelimit on the edge
🤷‍♂️
I still want API Shield to be on Pro & Business
I think Discord's use is more the intended design of it
Looks epic as hell
They have a few global rate limits, using CF, and application specific ones based on tokens
It may be worth keeping in mind as well the rate limits are all only stored per colo
For a non-user facing API, is there any way to tell if the request is from visiting it or from the website itself with WAF or even API Shield?
Headers are easily spoofable so that wouldn't be so reliable.
If they're accessing it from the website itself, then it is user facing
Well then for user-facing
Would it be possible
There's a field in WAF, from API Shield called Javascript Detections
https://developers.cloudflare.com/bots/reference/javascript-detections/
You can tell if someone has passed JS Detections, it's meant for this specific purpose
JavaScript detections · Cloudflare bot solutions docs
JavaScript detections are another method that help Cloudflare identify bot requests.
When adding this field to Firewall rules, use it:
- On endpoints expecting browser traffic (avoiding native mobile applications or websocket endpoints).
- After a user's first request to your application (Cloudflare needs at least one HTML request before injecting JavaScript detection).
- With the Managed Challenge action, because there are legitimate reasons a user might not have passed a JavaScript detection challenge (network issues, ad blockers, disabled JavaScript in browser, native mobile apps).
I beg Cloudflare to make API Shield in Pro during Birthday Week
actually that's from Enterprise Bot Management which is a requirement for API Shield afaik
pain
Real question is when they will actually make SSL-Only Origin Pull for non-enterprise customers like they promised last year's Birthday Week
there's a weird tangled web of requirements for some of these enterprise features, that I do not fully understand lol
hopefully eventually
That's annoying, API Shield is an amazing product that definitely IS NEEDED in this day and age for any business, small or large.
for now enabling Always Use HTTPS and full (strict) is the same thing, no http requests would ever hit your origin
Could also enable HSTS along w/ that
Browsers might respect that and instantly redirect but headless clients likely wouldn't
The only advantage of SSL-only origin pull is that even HTTP Requests get sent to your origin over HTTPS (where Full strict would send http to origin if an http request goes through to Cloudflare)
Always Use HTTPS always redirects all requests to HTTPS first, not doing an origin request, thus your origin never gets a plain HTTP request
almost forgot, Cloudflare does have a product for this as well:
https://developers.cloudflare.com/ddos-protection/managed-rulesets/adaptive-protection/
Adaptive DDoS Protection, based on country/region, Origin Errors or User Agents:
https://blog.cloudflare.com/adaptive-ddos-protection/
It's Enterprise only, sadly, but they are aware it's something people want/to defend against
I'll be honest, I'd rather have API Shield than even Adaptive Protection
I should be able to handle any leakage from HTTP DDoS Protection as well as Firewall Rules, but if I had API Shield then I'd be pretty much immune to attacks so long as the product works as intended.
Currently I see upwards of 15-35% leakage from HTTP DDoS Protection from an actual attack, not some github script kid
how do I implement such a thing with Cloudflare?
Are any API Shield services available for PRO customers?
A lot of name changes have occurred so not sure how accurate this document is, would be nice if it were updated, or state that it is only for Enterprise customers, leaving solo developers crying in the dark.
https://blog.cloudflare.com/api-gateway/
The Cloudflare Blog
Announcing the Cloudflare API Gateway
Today we're announcing the Cloudflare API Gateway. We're going to completely replace your existing gateway at a fraction of the cost
The only thing non-ent has from the products talked about in that blog is mTLS
What's the alternate solution
- Built out the API routes in workers
- Add _middleware.js to protect checking jwt tokens