Commit 29c62a9

[API Shield] Risk labels (#20146)
* risk labels
* changelog
* security insights
1 parent dfdf721 commit 29c62a9

3 files changed

+18
-1
lines changed


src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx

Lines changed: 9 additions & 1 deletion
@@ -46,7 +46,15 @@ You can filter your endpoints based on the labels.
4646

4747
`cf-risk-mixed-auth`: Automatically added when some successful requests contain a session identifier and some successful requests lack a session identifier. Refer to the table below for more information.
4848

49-
`cf-risk-sensitive`: Cloudflare will automatically add this label to endpoints when HTTP responses match the WAF's [Sensitive Data Detection](/api-shield/management-and-monitoring/#sensitive-data-detection) ruleset.
49+
`cf-risk-sensitive`: Automatically added to endpoints when HTTP responses match the WAF's [Sensitive Data Detection](/api-shield/management-and-monitoring/#sensitive-data-detection) ruleset.
50+
51+
`cf-risk-missing-schema`: Automatically added when a learned schema is available for an endpoint that has no active schema.
52+
53+
`cf-risk-error-anomaly`: Automatically added when an endpoint experiences a recent increase in response errors over the last 24 hours.
54+
55+
`cf-risk-latency-anomaly`: Automatically added when an endpoint experiences a recent increase in response latency over the last 24 hours.
56+
57+
`cf-risk-size-anomaly`: Automatically added when an endpoint experiences a spike in response body size over the last 24 hours.
5058

5159
:::note
5260
Cloudflare will only add authentication labels to endpoints with successful response codes. Refer to the below table for more details.
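
Review bot: the three anomaly labels at new lines 53 to 57 describe their trigger inconsistently and without a baseline. `cf-risk-error-anomaly` and `cf-risk-latency-anomaly` say "a recent increase ... over the last 24 hours" while `cf-risk-size-anomaly` says "a spike", and none of them says what the last 24 hours are compared against. Use one term for all three and state the comparison baseline, or link to where it is documented, so that someone triaging a labelled endpoint knows what the label asserts. `cf-risk-missing-schema` at line 51 could also link to the Schema Validation page, the way `cf-risk-sensitive` links to its ruleset.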

src/content/docs/security-center/security-insights/index.mdx

Lines changed: 4 additions & 0 deletions
@@ -28,6 +28,9 @@ Listed below are the specific insights currently available:
2828
| [Domains without HSTS](/ssl/edge-certificates/additional-options/http-strict-transport-security/) | HTTP Strict Transport Security (`HSTS`), is a header which allows a website to specify and enforce security policy in client web browsers. This policy enforcement protects secure websites from downgrade attacks SSL stripping and cookie hijacking. |
2929
| [Exposed RDP Servers](/cloudflare-one/connections/connect-networks/use-cases/rdp/) | We detect an RDP server that is exposed to the public Internet. |
3030
| [Get notified of malicious client-side scripts](/page-shield/detection/configure-alerts/) | We detect that Page Shield alerts are not configured. You will not receive notifications when we detect potential malicious scripts executing in your client-side environment. |
31+
| [Increased body response size detected on API endpoints](/api-shield/management-and-monitoring/endpoint-labels/) | Investigate changes, abuse, or successful attacks that may have led to this increase in response body size. |
32+
| [Increased errors detected on API endpoints](/api-shield/management-and-monitoring/endpoint-labels/) | Investigate changes, abuse, or successful attacks that may have led to this increase in errors. |
33+
| [Increased latency detected on API endpoints](/api-shield/management-and-monitoring/endpoint-labels/) | Investigate changes, abuse, or successful attacks that may have led to this increase in response latency. |
3134
| [Managed Rules not deployed](/waf/managed-rules/reference/cloudflare-managed-ruleset/) | No managed rules deployed on a WAF protected domain. |
3235
| [Migrate to new Managed Rules](/waf/reference/migration-guides/waf-managed-rules-migration/) | Migration to new Managed Rules system required for optimal protection. |
3336
| [Mixed-authentication API endpoints detected](/api-shield/management-and-monitoring/endpoint-labels/#managed-labels) | Not all of the successful requests against API endpoints carried session identifiers. |
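
Review bot: the three new rows at lines 31 to 33 link to `/api-shield/management-and-monitoring/endpoint-labels/` without the `#managed-labels` fragment that the existing Mixed-authentication row uses for the same page; add the fragment so all four rows point at the same place. Their descriptions also open with an instruction ("Investigate changes, abuse, or successful attacks ...") where the neighbouring rows state what was detected. Say what was detected first and name the label (`cf-risk-size-anomaly`, `cf-risk-error-anomaly`, `cf-risk-latency-anomaly`), then give the action. The first title says "body response size" while its own description says "response body size"; pick one.
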
@@ -36,6 +39,7 @@ Listed below are the specific insights currently available:
3639
| [Overprovisioned Access Policies](/cloudflare-one/policies/access/) | We detect an Access policy to allow everyone access to your application. |
3740
| [Page Shield not enabled](/page-shield/get-started/) | Page Shield helps meet PCI DSS v4.0 compliance regarding requirement 6.4.3. |
3841
| [SPF Record Errors](/dns/manage-dns-records/reference/dns-record-types/#spf) | We detect an incorrect or missing `SPF` record. |
42+
| [Schema Validation missing from eligible API endpoints](/api-shield/security/schema-validation/) | Apply the learned schema to protect your API against fuzzing attacks. |
3943
| [Sensitive data in API response](/api-shield/management-and-monitoring/#sensitive-data-detection) | Sensitive data in API responses detected. |
4044
| [Turn on JavaScript Detection](/bots/reference/javascript-detections/) | One or more of your Bot Management enabled zones does not have JavaScript Detection enabled, which is a critical part of our bot detection suite. |
4145
| [Unassigned Access seats](/cloudflare-one/) | We detect a Zero Trust subscription that is not configured yet. |
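
Review bot: the new row at line 42 gives only the remediation ("Apply the learned schema ...") and never says what was detected, unlike the other rows in this hunk. Reuse the condition from the `cf-risk-missing-schema` definition added in endpoint-labels.mdx (a learned schema is available for an endpoint that has no active schema) and follow it with the action. "Protect your API against fuzzing attacks" is a narrow claim that nothing in this row backs up; consider dropping it and leaving the explanation to the linked Schema Validation page.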

src/content/release-notes/api-shield.yaml

Lines changed: 5 additions & 0 deletions
@@ -5,6 +5,11 @@ productLink: "/api-shield/"
55
productArea: Application security
66
productAreaLink: /fundamentals/reference/changelog/security/
77
entries:
8+
- publish_date: "2025-02-17"
9+
title: New automatically applied risk labels
10+
description: |-
11+
API Shield now automatically labels endpoints with risks due to missing schemas and performance anomalies (spikes in error rates, latency, and body response sizes).
12+
813
- publish_date: "2025-01-16"
914
title: API Authentication Posture
1015
description: |-
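
Review bot: the entry at lines 8 to 11 neither names the new labels nor links to the endpoint labels page, so a reader of the release notes cannot find what was added. Add a link to `/api-shield/management-and-monitoring/endpoint-labels/` and list `cf-risk-missing-schema`, `cf-risk-error-anomaly`, `cf-risk-latency-anomaly` and `cf-risk-size-anomaly`. "Performance anomalies" is also used here to cover error rates, which are not a performance measure, and "body response sizes" should match the "response body size" wording used in the label definition.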
