Cloudflare API Shield

Honestly, I'm guessing this is an Enterprise-only product, it is an Enterprise-only product, and I don't want to dish out $3000 or more for the additional addon 😆, but I'm curious about its extent of implementation. Does it span to also protect APIs against DDoS attacks? Such as preventing requests on specific endpoints from directly visiting it with a browser. For example, a Get User Information endpoint meant to be used by your user dashboard JavaScript, but not visited directly?
41 Replies
Julius Cole (OP) • 16mo ago
I hope Cloudflare makes it available to Pro during Birthday Week, as having API Shield by any means would make the internet a safer place.
Julius Cole (OP) • 16mo ago
😭 This would be so useful for smaller customers
Chaika • 16mo ago
Yea it's pretty cool. I haven't played around with it too much, but the docs and blogs are pretty extensive on it:
It has schema validation, you can upload a schema to it (I think OpenAI) and have it block or log traffic that doesn't conform to it: https://developers.cloudflare.com/api-shield/security/schema-validation/
You can have it enforce specific request patterns/sequences: https://developers.cloudflare.com/api-shield/security/sequence-mitigation/ Like for example, if your app on transferring money is always: Get Accounts -> Get Balance -> Transfer, you can block requests out of that order.
For DDoS attacks specifically, other than schema or sequence mitigation, it can also verify JSON Web Tokens for you (https://developers.cloudflare.com/api-shield/security/jwt-validation/) and auto-suggest rate limiting rules based on traffic: https://www.youtube.com/watch?v=wWkjqxHCfEI
Julius Cole (OP) • 16mo ago
😭 This is literally needed in Pro, hell even a limited version without analytics and rate-limiting functionality would be nice for Free. Rate limiting in Free & Pro is pretty much near useless due to how limiting it is. You only get two rules in Pro, which is even more limiting than Free WAF 💀 Like when I heard Cloudflare revamped rate-limiting to not charge per request, I was hyped UNTIL I saw how bad it was for non-enterprise customers, and even still limiting on Business.
Chaika • 16mo ago
The rate limiting it uses is the same, it just generates a rule for you
Julius Cole (OP) • 16mo ago
Yeah, it's kind of smart. It doesn't adapt when under attack but learns what's best for you.
Chaika • 16mo ago
You'd have Enterprise Rate Limiting though, if you had API Shield; of course you'd have a lot more options/settings.
Julius Cole (OP) • 16mo ago
Which is amazing. I still feel rate-limiting could use a boost for non-Enterprise customers, as well as allowing API Shield for non-Enterprise customers. Power to the people 💪
Chaika • 16mo ago
What's limiting with Pro Rate Limiting? You have pretty good options. For Free I agree, you don't even have Path, but Pro has Path and most useful fields.
Julius Cole (OP) • 16mo ago
Limited amount of rules, preset timespans (you can't even change the time in Enterprise to be a custom amount afaik), no ability to give specific ASNs different rate limits, etc. Would be extra useful to give known hosts where the majority of their customers are botnets and not generally used for VPNs. Either way, it would be amazing. Do you know if Pro can even change "Block" to Managed Challenge?
Chaika • 16mo ago
Eeh, rate limiting different ASNs is kind of sketchy though, you'd run into issues.
Julius Cole (OP) • 16mo ago
I thought Cloudflare was dead-set on eliminating captchas or false positives, you know. Issue with rate-limiting is if it's on an API and uses Managed Challenge, how the hell will it work if it's being interacted with on a front end?
Chaika • 16mo ago
Managed Challenges set a specific header (I want to say it's cf-mitigated), which you can check for. Otherwise, that's why you use Block.
Chaika • 16mo ago
These are the options on a Pro account.
Chaika • 16mo ago
Personally I use Block with custom JSON that my front end understands and can show a helpful "Slow down/back off" message.
Julius Cole (OP) • 16mo ago
Not from my testing, as if I issue a Managed Challenge on my API hostname with WAF, it will cause errors on my API if interacted with directly on my Cloudflare Pages website. If rate-limiting rules could also interact with specific WAF rules, that'd be cool. Country-specific rate limits aren't really bad either. What if your product doesn't support specific countries? Sure you can block them, but that's bad business. Rate-limiting them harder, or at all, would still help prevent some requests. Ah. I haven't used Pro in a while as we are currently revamping our product, so you know, yeah. Better to not pay when you don't need it. I still think the amount of rules is rather limiting.
Chaika • 16mo ago
Challenge bad ASNs or countries imo
Julius Cole (OP) • 16mo ago
I do. But rate-limiting would be more useful for an API.
Chaika • 16mo ago
I think your use case of trying to have different rate limits for specific countries or ASNs is kind of weird/not normal; it'd be really confusing for users, especially if it's a non-user-facing API.
Julius Cole (OP) • 16mo ago
🤷‍♂️ There's also other use cases for it. I use APIs from other companies for a variety of things that do not have an IP list or custom ASN. So if they do add a new IP, I cannot simply automatically have it on a specific rate limit on the edge 🤷‍♂️ I still want API Shield to be on Pro & Business 😭
Chaika • 16mo ago
I think Discord's use is more the intended design of it
Julius Cole (OP) • 16mo ago
Looks epic as hell
Chaika • 16mo ago
They have a few global rate limits using CF, and application-specific ones based on tokens. It may be worth keeping in mind as well that the rate limits are all only stored per colo.
Julius Cole (OP) • 16mo ago
For a non-user facing API, is there any way to tell if the request is from visiting it or from the website itself with WAF or even API Shield? Headers are easily spoofable so that wouldn't be so reliable.
Chaika • 16mo ago
If they're accessing it from the website itself, then it is user facing
Julius Cole (OP) • 16mo ago
Well then, for user-facing. Would it be possible?
Chaika • 16mo ago
There's a field in WAF, from API Shield, called JavaScript Detections: https://developers.cloudflare.com/bots/reference/javascript-detections/ You can tell if someone has passed JS Detections, it's meant for this specific purpose.
JavaScript detections · Cloudflare bot solutions docs
JavaScript detections are another method that help Cloudflare identify bot requests.
Chaika • 16mo ago
When adding this field to Firewall rules, use it:
On endpoints expecting browser traffic (avoiding native mobile applications or websocket endpoints).
After a user's first request to your application (Cloudflare needs at least one HTML request before injecting JavaScript detection).
With the Managed Challenge action, because there are legitimate reasons a user might not have passed a JavaScript detection challenge (network issues, ad blockers, disabled JavaScript in browser, native mobile apps).
Julius Cole (OP) • 16mo ago
I beg Cloudflare to make API Shield in Pro during Birthday Week, 😭
Chaika • 16mo ago
Actually that's from Enterprise Bot Management, which is a requirement for API Shield afaik.
Julius Cole (OP) • 16mo ago
Pain. Real question is when they will actually make SSL-Only Origin Pull for non-enterprise customers like they promised last year's Birthday Week.
Chaika • 16mo ago
There's a weird tangled web of requirements for some of these enterprise features that I do not fully understand lol. Hopefully eventually.
Julius Cole (OP) • 16mo ago
That's annoying, API Shield is an amazing product that definitely IS NEEDED in this day and age for any business, small or large.
Chaika • 16mo ago
For now, enabling Always Use HTTPS and Full (Strict) is the same thing, no HTTP requests would ever hit your origin.
Julius Cole (OP) • 16mo ago
Could also enable HSTS along w/ that
Chaika • 16mo ago
Browsers might respect that and instantly redirect, but headless clients likely wouldn't. The only advantage of SSL-only origin pull is that even HTTP requests get sent to your origin over HTTPS (where Full (Strict) would send HTTP to origin if an HTTP request goes through to Cloudflare). Always Use HTTPS always redirects all requests to HTTPS first, not doing an origin request, thus your origin never gets a plain HTTP request.
Almost forgot, Cloudflare does have a product for this as well: https://developers.cloudflare.com/ddos-protection/managed-rulesets/adaptive-protection/ Adaptive DDoS Protection, based on country/region, origin errors or user agents: https://blog.cloudflare.com/adaptive-ddos-protection/ It's Enterprise only, sadly, but they are aware it's something people want/to defend against.
Julius Cole (OP) • 16mo ago
I'll be honest, I'd rather have API Shield than even Adaptive Protection 😆 I should be able to handle any leakage from HTTP DDoS Protection as well as Firewall Rules, but if I had API Shield then I'd be pretty much immune to attacks so long as the product works as intended. Currently I see upwards of 15-35% leakage from HTTP DDoS Protection from an actual attack, not some GitHub script kid.
macwilko • 15mo ago
how do I implement such a thing with Cloudflare?
Ricky U • 14mo ago
Are any API Shield services available for Pro customers? A lot of name changes have occurred, so not sure how accurate this document is; would be nice if it were updated, or stated that it is only for Enterprise customers, leaving solo developers crying in the dark. https://blog.cloudflare.com/api-gateway/
The Cloudflare Blog
Announcing the Cloudflare API Gateway
Today we’re announcing the Cloudflare API Gateway. We’re going to completely replace your existing gateway at a fraction of the cost
Chaika • 14mo ago
The only thing non-ent has from the products talked about in that blog is mTLS
Ricky U • 14mo ago
What's the alternative solution?
- Build out the API routes in Workers
- Add _middleware.js to protect by checking JWT tokens