Merged
Expand Up @@ -34,6 +34,10 @@ You can create Sequence Mitigation rules for a sequence even if the sequence is

You can create a sequence rule to enforce behavior on your API over time in two different ways. Sequence rules can either protect an endpoint from users performing a known specific sequence of API calls (otherwise known as a negative security model) or from users making API requests outside of your expectations (otherwise known as a positive security model).

Sequence rules built via the Cloudflare dashboard using API Shield rules utilize a lookback window to match endpoints in the sequence. The rule will match as long as both endpoints are found within [10 requests](/api-shield/security/sequence-mitigation/#request-limitations) (to endpoints within Endpoint Management) of each other and made within [10 minutes](/api-shield/security/sequence-mitigation/#time-limitations) of each other.

If you want to add multiple endpoints, ignore the lookback window, and configure time-based constraints, refer to [Sequence Mitigation custom rules](/api-shield/security/sequence-mitigation/custom-rules/).

In the bank funds transfer example, enforcing that a user requests `GET /api/v1/accounts/{account_id}/balance` before `POST /api/v1/transferFunds` is considered a positive security model, since a user may only perform a funds transfer after listing an account balance.

A negative security model may be useful if you see abusive behavior that is outside the norm of your application and you need to stop the requests while researching the correct positive security model to implement.
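Review bot: The lookback-window paragraph ("within 10 requests ... of each other and made within 10 minutes of each other") states the matching condition but not what it means for the positive-model example that follows. If the balance `GET` only counts when it falls inside that window, a client whose balance request is older than 10 minutes or more than 10 tracked requests back would not satisfy the rule, and the text should say so explicitly. The paragraph also splits the positive/negative model definition from the bank transfer example that illustrates it; consider moving both new paragraphs below the negative-model paragraph. In the next sentence, "ignore the lookback window" reads as an instruction to the reader; something like "If you need more than two endpoints, no lookback window, or time-based constraints, refer to ..." is clearer.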
1 change: 0 additions & 1 deletion src/content/docs/bots/concepts/sequence-rules.mdx
Expand Up @@ -13,7 +13,6 @@ Sequence rules is currently in private beta. If you would like to be included in
## Prerequisites

- Your account must have the Fraud Detection subscription.
- Each zone must have an API Shield subscription as it relies on [Endpoint Management](/api-shield/management-and-monitoring/).
- Each zone must configure the endpoints to track via Endpoint Management.

---
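Review bot: The single deletion under "## Prerequisites" has no stated reason, and the two Endpoint Management bullets ("relies on Endpoint Management" and "configure the endpoints to track via Endpoint Management") depend on each other, so removing one can leave the other without context. The API Shield page touched by this same change still says the lookback counts requests "to endpoints within Endpoint Management", so please confirm the remaining prerequisites still tell readers that endpoints must be added there before a sequence rule can match, and note the reason for the removal in the PR description.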