diff --git a/src/content/changelog/audit-logs/2025-03-27-automatic-audit-logs-beta-release.mdx b/src/content/changelog/audit-logs/2025-03-27-automatic-audit-logs-beta-release.mdx index 973a1c1c3290625..0ce7ae86283dc71 100644 --- a/src/content/changelog/audit-logs/2025-03-27-automatic-audit-logs-beta-release.mdx +++ b/src/content/changelog/audit-logs/2025-03-27-automatic-audit-logs-beta-release.mdx @@ -3,7 +3,7 @@ title: Audit logs (version 2) - Beta Release description: New version of audit logs date: 2025-03-27T11:00:00Z --- -The latest version of audit logs streamlines audit logging by automatically capturing all user and system actions performed through the Cloudflare Dashboard or public APIs. This update leverages Cloudflare’s existing API Gateway to generate audit logs based on OpenAPI schemas, ensuring a more consistent and automated logging process. +The latest version of audit logs streamlines audit logging by automatically capturing all user and system actions performed through the Cloudflare Dashboard or public APIs. This update leverages Cloudflare’s existing API Shield to generate audit logs based on OpenAPI schemas, ensuring a more consistent and automated logging process. Availability: Audit logs (version 2) is now in Beta, with support limited to **API access**. diff --git a/src/content/docs/api-shield/index.mdx b/src/content/docs/api-shield/index.mdx index 579d37e4c5667e5..abd1d915104ca22 100644 --- a/src/content/docs/api-shield/index.mdx +++ b/src/content/docs/api-shield/index.mdx @@ -32,8 +32,8 @@ Refer to the [Get started](/api-shield/get-started/) guide to set up API Shield. Secure your APIs using API Shield's security features. - -A package of features that will do everything for your APIs. + +Monitor the health of your API endpoints. ## Availability diff --git a/src/content/docs/api-shield/plans.mdx b/src/content/docs/api-shield/plans.mdx index 997744000fbbbab..2d93288f2bdf8ea 100644 --- a/src/content/docs/api-shield/plans.mdx 
+++ b/src/content/docs/api-shield/plans.mdx @@ -7,9 +7,9 @@ sidebar: --- -Free, Pro, Business, and Enterprise customers without an API Gateway subscription can access [Endpoint Management](/api-shield/management-and-monitoring/) and [Schema validation](/api-shield/security/schema-validation/), but no other [API Gateway](/api-shield/api-gateway/) features. +Free, Pro, Business, and Enterprise customers without an API Shield subscription can access [Endpoint Management](/api-shield/management-and-monitoring/) and [Schema validation](/api-shield/security/schema-validation/), but no other [API Shield](/api-shield/) features. -To subscribe to API Gateway, upgrade to an Enterprise plan and contact your account team. +To subscribe to API Shield, upgrade to an Enterprise plan and contact your account team. Limits to endpoints apply to Endpoint Management and Schema validation. Refer to the table below for limits based on your zone plan. @@ -18,5 +18,5 @@ Limits to endpoints apply to Endpoint Management and Schema validation. Refer to | **Free** | 100 | 5 | 200 kB | `Block` only | | **Pro** | 250 | 5 | 500 kB | `Block` only | | **Business** | 500 | 10 | 2 MB | `Block` only | -| **Enterprise without API Gateway** | 500 | 5 | 5 MB | `Log` or `Block` | -| **Enterprise with API Gateway** | 10,000 | 10+ | 10+ MB | `Log` or `Block` | \ No newline at end of file +| **Enterprise without API Shield** | 500 | 5 | 5 MB | `Log` or `Block` | +| **Enterprise with API Shield** | 10,000 | 10+ | 10+ MB | `Log` or `Block` | \ No newline at end of file diff --git a/src/content/docs/api-shield/security/schema-validation/index.mdx b/src/content/docs/api-shield/security/schema-validation/index.mdx index 2f4ee5ffcf5a5a6..4485145e343458e 100644 --- a/src/content/docs/api-shield/security/schema-validation/index.mdx +++ b/src/content/docs/api-shield/security/schema-validation/index.mdx 
@@ -185,9 +185,9 @@ Schema validation supports [OpenAPI Version 3.0.x schemas](https://spec.openapis Currently, API Shield does not support some features of API schemas, including the following: all responses, external references, non-basic path templating, or unique items. -There is a limit of 10,000 total operations for enabled schemas for Enterprise customers subscribed to [API Gateway](/api-shield/api-gateway/). To raise this limit, contact your account team. +There is a limit of 10,000 total operations for enabled schemas for Enterprise customers subscribed to [API Shield](/api-shield/). To raise this limit, contact your account team. -For limits on Free, Pro, Business, or Enterprise customers not subscribed to API Gateway, refer to [Plans](/api-shield/plans/). +For limits on Free, Pro, Business, or Enterprise customers not subscribed to API Shield, refer to [Plans](/api-shield/plans/). ### Required fields diff --git a/src/content/docs/data-localization/metadata-boundary/graphql-datasets.mdx b/src/content/docs/data-localization/metadata-boundary/graphql-datasets.mdx index b964d7f4f026467..fab4aceceabc77c 100644 --- a/src/content/docs/data-localization/metadata-boundary/graphql-datasets.mdx +++ b/src/content/docs/data-localization/metadata-boundary/graphql-datasets.mdx @@ -25,7 +25,7 @@ The table below shows a non-exhaustive list of GraphQL Analytics API fields that | Zaraz | | US and EU
`zarazActionsAdaptiveGroups`
`zarazTrackAdaptiveGroups`
`zarazTriggersAdaptiveGroups` | | | Application Security | Advanced Certificate Manager | US and EU
Only the fields `clientSSLProtocol` and `ja3Hash` part of `httpRequestsAdaptive` and `httpRequestsAdaptiveGroups` | | | Advanced DDoS Protection | | US and EU
[`dosdAttackAnalyticsGroups`](/analytics/graphql-api/migration-guides/network-analytics-v2/node-reference/)
[`dosdNetworkAnalyticsAdaptiveGroups`](/analytics/graphql-api/migration-guides/network-analytics-v2/node-reference/)
[`flowtrackdNetworkAnalyticsAdaptiveGroups`](/analytics/graphql-api/migration-guides/network-analytics-v2/node-reference/)
`advancedTcpProtectionNetworkAnalyticsAdaptiveGroups`
`advancedDnsProtectionNetworkAnalyticsAdaptiveGroups` | - | API Shield / API Gateway | | US and EU
[`apiGatewayGraphqlQueryAnalyticsGroups`](/api-shield/security/graphql-protection/configure/#gather-graphql-statistics)
`apiGatewayMatchedSessionIDsAdaptiveGroups`
US only
`apiRequestSequencesGroups` | + | API Shield | | US and EU
[`apiGatewayGraphqlQueryAnalyticsGroups`](/api-shield/security/graphql-protection/configure/#gather-graphql-statistics)
`apiGatewayMatchedSessionIDsAdaptiveGroups`
US only
`apiRequestSequencesGroups` | | Bot Management | | US and EU
`httpRequestsAdaptive`
[`httpRequestsAdaptiveGroups`](/analytics/graphql-api/migration-guides/graphql-api-analytics/)
[`firewallEventsAdaptive`](/analytics/graphql-api/tutorials/querying-firewall-events/)
[`firewallEventsAdaptiveGroups`](https://blog.cloudflare.com/how-we-used-our-new-graphql-api-to-build-firewall-analytics/) | | | DNS Firewall | Same as DNS | | DMARC Management | | US and EU
`dmarcReportsAdaptive`
`dmarcReportsSourcesAdaptiveGroups` | | diff --git a/src/content/docs/reference-architecture/architectures/multi-vendor.mdx b/src/content/docs/reference-architecture/architectures/multi-vendor.mdx index 94dac0e94838706..c62bb24841afd82 100644 --- a/src/content/docs/reference-architecture/architectures/multi-vendor.mdx +++ b/src/content/docs/reference-architecture/architectures/multi-vendor.mdx 
@@ -43,7 +43,7 @@ Cloud-based security and performance providers like Cloudflare work as a reverse Normal traffic flow without a reverse proxy would involve a client sending a DNS lookup request, receiving the origin IP address, and communicating directly to the origin server(s). This is visualized in Figure 1. -When a reverse proxy is introduced, the client still sends a DNS lookup request to its resolver, which is the first stop in the DNS lookup. In this case, the DNS resolver returns a vendor’s reverse proxy IP address to the client and the client then makes a request to the vendor’s reverse proxy. The cloud-based proxy solution can now provide additional security, performance, and reliability services like [CDN](https://www.cloudflare.com/cdn/), [WAF](https://www.cloudflare.com/waf/), [DDoS](https://www.cloudflare.com/ddos/), [API Gateway](https://www.cloudflare.com/products/api-gateway/), [Bot Management](https://www.cloudflare.com/products/bot-management/) capabilities, etc, before deciding, based on security policy, whether to route the client request to the respective origin server(s). This is visualized in Figure 2. +When a reverse proxy is introduced, the client still sends a DNS lookup request to its resolver, which is the first stop in the DNS lookup. In this case, the DNS resolver returns a vendor’s reverse proxy IP address to the client and the client then makes a request to the vendor’s reverse proxy. The cloud-based proxy solution can now provide additional security, performance, and reliability services like [CDN](https://www.cloudflare.com/cdn/), [WAF](https://www.cloudflare.com/waf/), [DDoS](https://www.cloudflare.com/ddos/), [API Shield](https://www.cloudflare.com/products/api-shield/), [Bot Management](https://www.cloudflare.com/products/bot-management/) capabilities, etc, before deciding, based on security policy, whether to route the client request to the respective origin server(s). This is visualized in Figure 2. 
![Figure 2: Client request routed through reverse proxy for additional security and performance services](~/assets/images/reference-architecture/multi-vendor-architecture-images/Figure_2.png "Figure 2") diff --git a/src/content/docs/reference-architecture/architectures/security.mdx b/src/content/docs/reference-architecture/architectures/security.mdx index 37baf2e36755cc2..d0aead6a197a7a7 100644 --- a/src/content/docs/reference-architecture/architectures/security.mdx +++ b/src/content/docs/reference-architecture/architectures/security.mdx @@ -137,7 +137,7 @@ The reason the Cloudflare network exists is to provide services to customers to 2. [Web Application Firewall (WAF)](#web-application-firewall-waf) 3. [Rate limiting](#rate-limiting) 4. [L7 DDoS](#l7-ddos) - 5. [API Gateway](#api-gateway) + 5. [API Shield](#api-shield) 6. [Bot Management](#bot-management) 7. [Page Shield](#page-shield) 8. [SSL/TLS](#ssltls) 
@@ -194,7 +194,7 @@ Cloudflare security products that can be used for L3 and L4 security include Clo - Layer 7, referred to as the “application layer,” is the top layer of the data processing that occurs just below the surface or behind the scenes of the software applications that users interact with. HTTP and API requests/responses are layer 7 events. -Cloudflare has a suite of application security products that includes [Web Application Firewall](/waf/) (WAF), [Rate Limiting](/waf/rate-limiting-rules/), [L7 DDoS](/ddos-protection/managed-rulesets/http/), [API Gateway](/api-shield/api-gateway/), [Bot Management](/bots/), and [Page Shield](/page-shield/). +Cloudflare has a suite of application security products that includes [Web Application Firewall](/waf/) (WAF), [Rate Limiting](/waf/rate-limiting-rules/), [L7 DDoS](/ddos-protection/managed-rulesets/http/), [API Shield](/api-shield/), [Bot Management](/bots/), and [Page Shield](/page-shield/). Note that SaaS applications could be considered both public and private. For example, Salesforce has direct Internet-facing access but contains very private information and is usually only accessible by employee accounts that are provisioned by IT. For the purpose of this document, we will consider SaaS applications as private resources. 
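Review bot: The link target on the changed line moves from `/api-shield/api-gateway/` to `/api-shield/` (the same swap recurs in the schema-validation, fuzzing and phases-list hunks), but no file in this diff removes the `/api-shield/api-gateway/` page or adds a redirect for it. If that page is being retired, add the redirect in the same change so existing bookmarks and inbound links keep resolving; if it stays, state that in the PR description so the two landing pages do not drift apart.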
@@ -256,7 +256,7 @@ Products: [WAF - Cloudflare Managed Rules](/waf/managed-rules/) Unauthorized access can result from broken authentication or broken access control due to vulnerabilities in authentication, weak passwords, or easily bypassed authorization. Cloudflare mTLS (mutual TLS) and JWT (JSON Web Tokens) validation can be used to bolster authentication. Clients or API requests that don’t have a valid certificate or JWT can be denied access via security policy. Customers can create and manage mTLS certificates from the Cloudflare dashboard or an API. Cloudflare’s WAF and [Exposed Credentials Check](/waf/managed-rules/check-for-exposed-credentials/) managed ruleset can be used to detect compromised credentials being used in authentication requests. WAF policies can also be used to restrict access to applications/paths based on different request criteria. -Products: [SSL/TLS - mTLS](/ssl/client-certificates/enable-mtls/), [API Gateway (JWT Validation)](/api-shield/security/jwt-validation/), [WAF](/waf/) +Products: [SSL/TLS - mTLS](/ssl/client-certificates/enable-mtls/), [API Shield (JWT Validation)](/api-shield/security/jwt-validation/), [WAF](/waf/) ##### Client-side attacks 
@@ -279,7 +279,7 @@ Products: [Page Shield](/page-shield/) ##### Data exfiltration -Data exfiltration is the process of acquiring sensitive data through malicious tactics or through misconfigured services. Cloudflare Sensitive Data Detection addresses common data loss threats. Within the WAF, these rules monitor the download of specific sensitive data — for example, financial and personally identifiable information. Specific patterns of sensitive data are matched upon and logged. Sensitive data detection is also integrated with API Gateway so customers are alerted on any API responses returning sensitive data matches. +Data exfiltration is the process of acquiring sensitive data through malicious tactics or through misconfigured services. Cloudflare Sensitive Data Detection addresses common data loss threats. Within the WAF, these rules monitor the download of specific sensitive data — for example, financial and personally identifiable information. Specific patterns of sensitive data are matched upon and logged. Sensitive data detection is also integrated with API Shield so customers are alerted on any API responses returning sensitive data matches. Products: [WAF - Sensitive Data Detection](/waf/managed-rules/) 
@@ -315,9 +315,9 @@ Products: [Bot management](/bots/), [WAF](/waf/) [Fuzzing](https://owasp.org/www-community/Fuzzing) is an automated testing method used by malicious actors that uses various combinations of data and patterns to inject invalid, malformed, or unexpected inputs into a system. The malicious user hopes to find defects and vulnerabilities that can then be exploited. Cloudflare WAF leverages machine learning to detect fuzzing based attempts to bypass security policies. The WAF attack score complements managed rules and highlights the likeliness of an attack. -Bot Management can detect potentially malicious bots by automating vulnerability scanning. With API Gateway, customers can employ schema validation and sequence mitigation to prevent the automated scanning and fuzzing techniques with APIs. +Bot Management can detect potentially malicious bots by automating vulnerability scanning. With API Shield, customers can employ schema validation and sequence mitigation to prevent the automated scanning and fuzzing techniques with APIs. -Products: [WAF](/waf/), [Bot Management](/bots/), [API Gateway](/api-shield/api-gateway/) +Products: [WAF](/waf/), [Bot Management](/bots/), [API Shield](/api-shield/) ##### Cross-Site Scripting (XSS) attacks 
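Review bot: The rewritten paragraph keeps the sentence "Bot Management can detect potentially malicious bots by automating vulnerability scanning", which reads as if Bot Management performs the scanning. Since this line is being touched anyway, suggest "Bot Management can detect potentially malicious bots that automate vulnerability scanning", and "scanning and fuzzing of APIs" instead of "techniques with APIs" in the sentence that now names API Shield.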
@@ -390,9 +390,9 @@ Customers can also configure which request criteria is used as a counter for det The Cloudflare [HTTP DDoS Attack Protection](/ddos-protection/managed-rulesets/http/) managed ruleset is a set of pre-configured rules used to match known DDoS attack vectors at layer 7 (application layer) on the Cloudflare global network. The rules match known attack patterns and tools, suspicious patterns, protocol violations, requests causing large amounts of origin errors, excessive traffic hitting the origin/cache, and additional attack vectors at the application layer. Cloudflare updates the list of rules in the managed ruleset on a regular basis. -##### API Gateway +##### API Shield -[API Gateway](/api-shield/api-gateway/) is Cloudflare’s API management and security product. API Gateway delivers visibility via API discovery and analytics, provides endpoint management, implements a positive security model, and prevents API abuse. +[API Shield](/api-shield/) is Cloudflare’s API management and security product. API Shield delivers visibility via API discovery and analytics, provides endpoint management, implements a positive security model, and prevents API abuse. ![All security detection can be seen from a single dashboard.](~/assets/images/reference-architecture/security/security-ref-arch-10.svg) 
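Review bot: The rename of this section is incomplete: the paragraph right after these lines, visible as the context of the next hunk header, still begins "API Gateway’s API Discovery is used to learn all API endpoints" and is not touched by either hunk. Please update it as well. Also note that changing the heading to `##### API Shield` changes its anchor from `#api-gateway` to `#api-shield`; the list entry in the `@@ -137,7` hunk is updated to match, but any other page linking to `#api-gateway` in security.mdx will now land at the top of the page, so a search for that fragment is worth doing before merge.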
@@ -400,7 +400,7 @@ API Gateway’s API Discovery is used to learn all API endpoints in a customer Customers can enable a positive security model using mTLS, JWT validation, and schema validation and protect against additional API abuse with rate limiting and volumetric abuse protection as well as sequence mitigation and GraphQL protections. -![The API gateway has many stages, discovery, review, using a positive security model, abuse protection, data protection and endpoint management/monitoring.](~/assets/images/reference-architecture/security/security-ref-arch-11.svg "Common user workflow for API Gateway") +![API Shield has many stages, discovery, review, using a positive security model, abuse protection, data protection and endpoint management/monitoring.](~/assets/images/reference-architecture/security/security-ref-arch-11.svg "Common user workflow for API Shield") ##### Bot Management diff --git a/src/content/docs/reference-architecture/design-guides/secure-application-delivery.mdx b/src/content/docs/reference-architecture/design-guides/secure-application-delivery.mdx index e59709867000b34..f0843ffd7a8192c 100644 --- a/src/content/docs/reference-architecture/design-guides/secure-application-delivery.mdx +++ b/src/content/docs/reference-architecture/design-guides/secure-application-delivery.mdx 
@@ -188,7 +188,7 @@ We now have secure application access to the origin(s) via Tunnel and also authe In the current setup, the origin server(s) are securely connected to the Cloudflare network via Cloudflare Tunnel and Cloudflare Access via policies enforcing authentication and other security requirements. -Since Cloudflare is already set up and acting as a reverse proxy for the site, traffic is being directed through Cloudflare, so all Cloudflare services can easily be leveraged including CDN, Security Analytics, WAF, API Gateway, Bot Management, Page Shield for client-side security, etc. +Since Cloudflare is already set up and acting as a reverse proxy for the site, traffic is being directed through Cloudflare, so all Cloudflare services can easily be leveraged including CDN, Security Analytics, WAF, API Shield, Bot Management, Page Shield for client-side security, etc. When a DNS lookup request is made by a client for the respective website, in this case "cftestsite3.com," Cloudflare returns an anycast IP address, so all traffic is directed to the closest data center where all services will be applied before the request is forwarded over Cloudflare Tunnel to the origin server(s). 
@@ -225,7 +225,7 @@ Customers can use WAF to implement and use custom rules, rate limiting rules, an - Cloudflare OWASP Core Ruleset: block common web application vulnerabilities, some of which are in OWASP top 10 - Cloudflare Leaked Credential Check: checks exposed credential database for popular content management system (CMS) applications -The same methodology applies for all other Cloudflare Application Performance and Security products (API Gateway, Bot Management, etc.): once configured to route traffic through the Cloudflare network, customers can start leveraging the Cloudflare services. Figure 31 displays Cloudflare’s Bot Analytics which categorizes the traffic based on bot score, shows the bot score distribution, and other bot analytics. All of the request data is captured inline and all enforcement based on defined policies is also done inline. +The same methodology applies for all other Cloudflare Application Performance and Security products (API Shield, Bot Management, etc.): once configured to route traffic through the Cloudflare network, customers can start leveraging the Cloudflare services. Figure 31 displays Cloudflare’s Bot Analytics which categorizes the traffic based on bot score, shows the bot score distribution, and other bot analytics. All of the request data is captured inline and all enforcement based on defined policies is also done inline. ![Cloudflare provides analytics and insights into bot traffic including bot score distribution.](~/assets/images/reference-architecture/secure-application-delivery-design-guide/secure-app-dg-fig-31.png "Figure 31 : Cloudflare Bot Management - Bot Analytics.") diff --git a/src/content/docs/reference-architecture/diagrams/iot/optimizing-and-securing-connected-transportation-systems.mdx b/src/content/docs/reference-architecture/diagrams/iot/optimizing-and-securing-connected-transportation-systems.mdx index e3b2b80960520e1..b0c6af1b92b6a36 100644 
--- a/src/content/docs/reference-architecture/diagrams/iot/optimizing-and-securing-connected-transportation-systems.mdx +++ b/src/content/docs/reference-architecture/diagrams/iot/optimizing-and-securing-connected-transportation-systems.mdx @@ -47,7 +47,7 @@ Devices connect to Cloudflare's anycast network, which inspects and filters inco 3. **Security services**: - 1. **API Gateway**: Cloudflare's [API Gateway](/api-shield/get-started/) protects critical APIs from unauthorized access and abuse, ensuring secure data exchange between connected systems. + 1. **API Shield**: Cloudflare's [API Shield](/api-shield/get-started/) protects critical APIs from unauthorized access and abuse, ensuring secure data exchange between connected systems. 2. **Web Application Firewall (WAF)**: Cloudflare's [WAF](/waf/) helps block malicious traffic and prevent application or API vulnerabilities from being exploited, safeguarding your network, devices and applications. 3. **DDoS Protection**: Cloudflare's [DDoS protection](/ddos-protection/about/attack-coverage/), covering the network, transport and application layer, prevents volumetric attacks that could compromise the availability of connected systems. By providing multi-layered protection, Cloudflare is able to mitigate a wide variety of DDoS threats. At lower layers, Cloudflare defends against high-volume attacks such as SYN floods, UDP floods, and other types of protocol-based disruptions that can overwhelm network resources. At the application layer, more sophisticated attacks targeting the application itself, such as HTTP floods \- which aim to exhaust server resources and disrupt user-facing services \- are blocked even in the face of [large-scale DDoS attempts](https://blog.cloudflare.com/tag/ddos-reports/). 4. **DNS security**: Cloudflare's [DNS security](https://www.cloudflare.com/en-gb/application-services/products/dns/) helps protect name resolution, ensuring that malicious actors cannot hijack requests. 
@@ -66,12 +66,12 @@ Devices connect to Cloudflare's anycast network, which inspects and filters inco Connections to these origins can be made using a variety of methods based on the specific requirements of the setup. These range from simple public DNS configurations to more advanced options like [Cloudflare Network Interconnect (CNI)](/network-interconnect/) and [cloudflared tunnels](/cloudflare-one/faq/cloudflare-tunnels-faq/#how-can-origin-servers-be-secured-when-using-tunnel). CNI allows for private, direct connectivity between origin locations and Cloudflare, creating a secure layer that keeps data protected as it moves across networks. The cloudflared tunnel creates encrypted tunnels directly from the origin to Cloudflare's network, bypassing public exposure entirely and enhancing both security and reliability. By being origin agnostic and supporting multiple secure connection options, Cloudflare allows businesses to continue using their existing proprietary systems and infrastructure, while benefiting from Cloudflare's performance, security, and scalability features. -These components work together to deliver an optimized, secure, and reliable solution for connected vehicles and other transportation systems, addressing both fixed-location and roaming device needs. For example, imagine a fleet of connected delivery trucks that use digital tablets for both navigation, tracking and real-time customer interactions. These tablets display delivery updates, allow customers to provide signatures and even enable on-the-spot payments. Cloudflare's network ensures that data to and from the device is updated with minimal latency, allowing drivers to navigate efficiently without delays. Cloudflare's API Gateway helps secure any interactions between the tablet and backend systems, protecting customer information and ensuring that payment data is transmitted securely. 
The system also benefits from Workers running at the edge, which can process data in real-time, such as verifying customer signatures with AI without having to send everything back to a central server. This seamless integration of Cloudflare's components helps enhance both operational effectiveness and customer satisfaction. +These components work together to deliver an optimized, secure, and reliable solution for connected vehicles and other transportation systems, addressing both fixed-location and roaming device needs. For example, imagine a fleet of connected delivery trucks that use digital tablets for both navigation, tracking and real-time customer interactions. These tablets display delivery updates, allow customers to provide signatures and even enable on-the-spot payments. Cloudflare's network ensures that data to and from the device is updated with minimal latency, allowing drivers to navigate efficiently without delays. Cloudflare's API Shield helps secure any interactions between the tablet and backend systems, protecting customer information and ensuring that payment data is transmitted securely. The system also benefits from Workers running at the edge, which can process data in real-time, such as verifying customer signatures with AI without having to send everything back to a central server. This seamless integration of Cloudflare's components helps enhance both operational effectiveness and customer satisfaction. ## Related resources - [Composable AI Architecture](/reference-architecture/diagrams/ai/ai-composable/) - [Secure Application Delivery](/reference-architecture/design-guides/secure-application-delivery/) - [Preventing DDOS Attacks](/learning-paths/personal-website/concepts/) -- [Video \- Quick API Gateway Demo](https://www.youtube.com/watch?v=zzw2jIGcv5A) +- [Video \- Quick API Shield Demo](https://www.youtube.com/watch?v=zzw2jIGcv5A) - [MTLS at Cloudflare](/learning-paths/mtls/concepts/) 
diff --git a/src/content/docs/reference-architecture/diagrams/serverless/serverless-global-apis.mdx b/src/content/docs/reference-architecture/diagrams/serverless/serverless-global-apis.mdx index 14251cccba38812..97c9953dd2ab7c4 100644 --- a/src/content/docs/reference-architecture/diagrams/serverless/serverless-global-apis.mdx +++ b/src/content/docs/reference-architecture/diagrams/serverless/serverless-global-apis.mdx 
@@ -39,7 +39,7 @@ Overall, serverless globally-deployed APIs offer a cost-effective, scalable, and This is an example architecture of a serverless API on Cloudflare and aims to illustrate how different compute and data products could interact with each other. 1. **Client request**: Send request to API endpoint. -2. **API Gateway/Router**: Process incoming request using [Workers](/workers/), check for validity, and perform authentication logic, if needed. Then, forward the (potentially transformed and/or enriched) API call to individual [Workers](/workers) using [Service Bindings](/workers/runtime-apis/bindings/service-bindings/). This allows for a separation of concerns. +2. **API Shield/Router**: Process incoming request using [Workers](/workers/), check for validity, and perform authentication logic, if needed. Then, forward the (potentially transformed and/or enriched) API call to individual [Workers](/workers) using [Service Bindings](/workers/runtime-apis/bindings/service-bindings/). This allows for a separation of concerns. 3. **Read-heavy data**: Read from [KV](/kv/) to serve read-heavy, non-dynamic data. This could include configuration data or product information. Perform writes as needed keeping [limits](/kv/platform/limits/) in mind. 4. **Relational data**: Query [D1](/d1/) to handle relational-data. This could include user data, product data or other data. 5. **External data**: Query external databases using [Hyperdrive](/hyperdrive/). Leverage caching to improve performance where applicable. This can be especially helpful when a data migration is out of scope of the implementation. diff --git a/src/content/docs/ruleset-engine/reference/phases-list.mdx b/src/content/docs/ruleset-engine/reference/phases-list.mdx index 1a7e68954753801..322bb58ff715234 100644 --- a/src/content/docs/ruleset-engine/reference/phases-list.mdx +++ b/src/content/docs/ruleset-engine/reference/phases-list.mdx 
@@ -37,7 +37,7 @@ The phases execute in the order they appear in the table. | `http_config_settings` | [Configuration Rules](/rules/configuration-rules/) | | `http_request_origin` | [Origin Rules](/rules/origin-rules/) | | `ddos_l7`\* | [HTTP DDoS Attack Protection](/ddos-protection/managed-rulesets/http/) | -| `http_request_api_gateway` | [API Gateway](/api-shield/api-gateway/) | +| `http_request_api_gateway` | [API Shield](/api-shield/) | | `http_request_firewall_custom` | [Custom rules (Web Application Firewall)](/waf/custom-rules/) | | `http_ratelimit` | [Rate limiting rules (WAF)](/waf/rate-limiting-rules/) | | _N/A_ (internal phase) | [API Shield](/api-shield/) |
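Review bot: After this change the phases table has two rows with the identical product link `[API Shield](/api-shield/)`: the `http_request_api_gateway` row edited here and the existing `_N/A_ (internal phase)` row two lines below it. A reader can no longer tell which API Shield functionality runs in which phase. Suggest giving the two rows distinct labels or linking each to the specific feature it executes, and adding a short remark that the phase identifier `http_request_api_gateway` keeps its name despite the product rename.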
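Review bot: In serverless-global-apis.mdx, step 2 should not become `**API Shield/Router**`. The step text describes request routing, validity checks and authentication logic implemented with Workers and Service Bindings, which is the generic API gateway pattern and not the API Shield product; the rename makes the architecture name a product the step never uses. Suggest reverting this line, or writing it in lowercase as "API gateway/router" to avoid the product-name collision.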
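Review bot: In the 2025-03-27 audit logs changelog hunk, please confirm that "Cloudflare’s existing API Gateway" refers to the customer-facing product before renaming it. The sentence is about capturing actions made through the Cloudflare Dashboard and public APIs from OpenAPI schemas; if it means the gateway in front of Cloudflare's own API, the replacement changes the meaning. The edit also rewrites a dated, already published changelog entry, so leaving the original wording may be the better choice either way.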
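Review bot: The multi-vendor.mdx hunk changes an external URL, from `https://www.cloudflare.com/products/api-gateway/` to `https://www.cloudflare.com/products/api-shield/`, not only the link label. That site is outside this repository and nothing in the diff shows the new address exists; please verify it resolves before merging, or change only the label and keep the existing URL.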