Merged
@@ -46,7 +46,15 @@ You can filter your endpoints based on the labels.

`cf-risk-mixed-auth`: Automatically added when some successful requests contain a session identifier and some successful requests lack a session identifier. Refer to the table below for more information.

`cf-risk-sensitive`: Cloudflare will automatically add this label to endpoints when HTTP responses match the WAF's [Sensitive Data Detection](/api-shield/management-and-monitoring/#sensitive-data-detection) ruleset.
`cf-risk-sensitive`: Automatically added to endpoints when HTTP responses match the WAF's [Sensitive Data Detection](/api-shield/management-and-monitoring/#sensitive-data-detection) ruleset.

`cf-risk-missing-schema`: Automatically added when a learned schema is available for an endpoint that has no active schema.

`cf-risk-error-anomaly`: Automatically added when an endpoint experiences a recent increase in response errors over the last 24 hours.

`cf-risk-latency-anomaly`: Automatically added when an endpoint experiences a recent increase in response latency over the last 24 hours.

`cf-risk-size-anomaly`: Automatically added when an endpoint experiences a spike in response body size over the last 24 hours.

:::note
Cloudflare will only add authentication labels to endpoints with successful response codes. Refer to the below table for more details.
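Review bot: the three new anomaly labels (`cf-risk-error-anomaly`, `cf-risk-latency-anomaly`, `cf-risk-size-anomaly`) describe a "recent increase" or "spike" over the last 24 hours without saying what that window is compared against, so a reader cannot tell when the label is applied or removed; state the baseline and use one term ("increase" or "spike") for all three. "Recent increase ... over the last 24 hours" is also redundant; "an increase in response errors over the last 24 hours" reads cleaner. The `cf-risk-sensitive` rewording to "Automatically added to endpoints when ..." matches the other entries in this list.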
@@ -28,6 +28,9 @@ Listed below are the specific insights currently available:
| [Domains without HSTS](/ssl/edge-certificates/additional-options/http-strict-transport-security/) | HTTP Strict Transport Security (`HSTS`), is a header which allows a website to specify and enforce security policy in client web browsers. This policy enforcement protects secure websites from downgrade attacks SSL stripping and cookie hijacking. |
| [Exposed RDP Servers](/cloudflare-one/connections/connect-networks/use-cases/rdp/) | We detect an RDP server that is exposed to the public Internet. |
| [Get notified of malicious client-side scripts](/page-shield/detection/configure-alerts/) | We detect that Page Shield alerts are not configured. You will not receive notifications when we detect potential malicious scripts executing in your client-side environment. |
| [Increased body response size detected on API endpoints](/api-shield/management-and-monitoring/endpoint-labels/) | Investigate changes, abuse, or successful attacks that may have led to this increase in response body size. |
| [Increased errors detected on API endpoints](/api-shield/management-and-monitoring/endpoint-labels/) | Investigate changes, abuse, or successful attacks that may have led to this increase in errors. |
| [Increased latency detected on API endpoints](/api-shield/management-and-monitoring/endpoint-labels/) | Investigate changes, abuse, or successful attacks that may have led to this increase in response latency. |
| [Managed Rules not deployed](/waf/managed-rules/reference/cloudflare-managed-ruleset/) | No managed rules deployed on a WAF protected domain. |
| [Migrate to new Managed Rules](/waf/reference/migration-guides/waf-managed-rules-migration/) | Migration to new Managed Rules system required for optimal protection. |
| [Mixed-authentication API endpoints detected](/api-shield/management-and-monitoring/endpoint-labels/#managed-labels) | Not all of the successful requests against API endpoints carried session identifiers. |
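Review bot: the new row title "Increased body response size detected on API endpoints" inverts the term used everywhere else in this PR ("response body size"); rename it "Increased response body size detected on API endpoints". The three new descriptions also open with a remediation ("Investigate changes, abuse, or successful attacks ...") while the neighbouring rows state what was detected ("We detect ..."); lead with the condition, for example "We detect an increase in response errors on one or more API endpoints over the last 24 hours.", then give the suggested action. Finally, these rows link to `/api-shield/management-and-monitoring/endpoint-labels/` while the "Mixed-authentication API endpoints detected" row below links to the `#managed-labels` anchor on the same page; use the anchor consistently.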
@@ -36,6 +39,7 @@ Listed below are the specific insights currently available:
| [Overprovisioned Access Policies](/cloudflare-one/policies/access/) | We detect an Access policy to allow everyone access to your application. |
| [Page Shield not enabled](/page-shield/get-started/) | Page Shield helps meet PCI DSS v4.0 compliance regarding requirement 6.4.3. |
| [SPF Record Errors](/dns/manage-dns-records/reference/dns-record-types/#spf) | We detect an incorrect or missing `SPF` record. |
| [Schema Validation missing from eligible API endpoints](/api-shield/security/schema-validation/) | Apply the learned schema to protect your API against fuzzing attacks. |
| [Sensitive data in API response](/api-shield/management-and-monitoring/#sensitive-data-detection) | Sensitive data in API responses detected. |
| [Turn on JavaScript Detection](/bots/reference/javascript-detections/) | One or more of your Bot Management enabled zones does not have JavaScript Detection enabled, which is a critical part of our bot detection suite. |
| [Unassigned Access seats](/cloudflare-one/) | We detect a Zero Trust subscription that is not configured yet. |
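Review bot: the description of the new "Schema Validation missing from eligible API endpoints" row is an instruction ("Apply the learned schema ...") and never states what was detected; the triggering condition is documented in this same PR for `cf-risk-missing-schema` (a learned schema is available for an endpoint that has no active schema), so state that first and keep the remediation as a second sentence. Consider also linking the endpoint labels page alongside `/api-shield/security/schema-validation/` so readers can find the label behind the insight.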
5 changes: 5 additions & 0 deletions src/content/release-notes/api-shield.yaml
@@ -5,6 +5,11 @@ productLink: "/api-shield/"
productArea: Application security
productAreaLink: /fundamentals/reference/changelog/security/
entries:
- publish_date: "2025-02-17"
title: New automatically applied risk labels
description: |-
API Shield now automatically labels endpoints with risks due to missing schemas and performance anomalies (spikes in error rates, latency, and body response sizes).

- publish_date: "2025-01-16"
title: API Authentication Posture
description: |-
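Review bot: "body response sizes" in the new release note description should be "response body sizes" to match the `cf-risk-size-anomaly` wording elsewhere in this PR. The entry also never names the labels it announces; listing `cf-risk-missing-schema`, `cf-risk-error-anomaly`, `cf-risk-latency-anomaly` and `cf-risk-size-anomaly`, with a link to the endpoint labels page, would let readers search for them directly.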