Can Cloudflare effectively protect my REST API backend server if it’s exclusively used by mobile app
Specifically, when sending requests from Swift or Android, there’s no context, such as user-agent headers. Additionally, the IP addresses originate from GSM providers, which might make it difficult for Cloudflare to accurately identify traffic. Would setting WAF rules to allow only specific countries still work reliably in this scenario?
2 Replies
A WAF custom rule can do this.
https://developers.cloudflare.com/waf/custom-rules/use-cases/allow-traffic-from-specific-countries/
Allow traffic from specific countries only | Cloudflare Web Applica...
This example blocks requests based on country code using the ip.geoip.country field, only allowing requests from two countries: United States and Mexico.
The block-by-user-agent example is under rate limiting, but you can still use it in a custom rule.
https://developers.cloudflare.com/waf/rate-limiting-rules/use-cases/#example-3
Rule examples | Cloudflare Web Application Firewall (WAF) docs
The examples below include sample rate limiting rule configurations.