From 84a06941a8732cd4a7e762677f382023748891ad Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Wed, 30 Apr 2025 11:23:01 -0700 Subject: [PATCH 1/3] json post body formats --- src/content/docs/api-shield/management-and-monitoring/index.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/src/content/docs/api-shield/management-and-monitoring/index.mdx b/src/content/docs/api-shield/management-and-monitoring/index.mdx index d726add9562e4e..83409bad1d26d1 100644 --- a/src/content/docs/api-shield/management-and-monitoring/index.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/index.mdx @@ -127,6 +127,7 @@ The schema is saved as a JSON file in OpenAPI `v3.0.0` format. - The listed hostname in the servers section - All endpoints by host, method, and path - Detected path variables +- JSON `POST` body formats #### Learned schemas can optionally include: From 936719f5d625b0047bf6bfc4a2736fab0b76e6a5 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Thu, 1 May 2025 15:05:01 -0700 Subject: [PATCH 2/3] schema learning --- .../api-routing/index.mdx | 2 +- .../developer-portal.mdx | 2 +- .../endpoint-labels.mdx | 2 +- .../endpoint-management/index.mdx | 138 ++++++++++++++ .../endpoint-management/schema-learning.mdx | 47 +++++ .../management-and-monitoring/index.mdx | 168 +----------------- .../session-identifiers.mdx | 2 +- 7 files changed, 192 insertions(+), 169 deletions(-) create mode 100644 src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx create mode 100644 src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx diff --git a/src/content/docs/api-shield/management-and-monitoring/api-routing/index.mdx b/src/content/docs/api-shield/management-and-monitoring/api-routing/index.mdx index 8774dba7e24cf4..d4dc855aa6e2b9 100644 --- a/src/content/docs/api-shield/management-and-monitoring/api-routing/index.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/api-routing/index.mdx @@ -3,7 +3,7 @@ pcx_content_type: how-to type: overview title: API Routing sidebar: - order: 3 + order: 4 --- diff --git a/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx b/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx index a8904526ed0dd0..b96fbf367eeded 100644 --- a/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx @@ -3,7 +3,7 @@ pcx_content_type: how-to type: overview title: Build developer portals sidebar: - order: 4 + order: 5 --- diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx index 3a617ddc4abc3a..1753701a4093d2 100644 --- a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx @@ -3,7 +3,7 @@ pcx_content_type: how-to type: overview title: Endpoint labeling service sidebar: - order: 1 + order: 2 label: Labeling service --- diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx new file mode 100644 index 00000000000000..31ce83feaf120e --- /dev/null +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx @@ -0,0 +1,138 @@ +--- +pcx_content_type: concept +type: overview +title: Endpoint Management +sidebar: + order: 1 + +--- + +import { GlossaryTooltip, Plan } from "~/components" + + + +Monitor the health of your API endpoints by saving, updating, and monitoring performance metrics using API Shield’s Endpoint Management. + +**Add endpoints** allows customers to save endpoints directly from [API Discovery](/api-shield/security/api-discovery/) or manually by method, path, and host. + +This will add the specified endpoints to your list of managed endpoints. You can view your list of saved endpoints in the **Endpoint Management** page. + +Cloudflare will start collecting [performance data](/api-shield/management-and-monitoring/#endpoint-analysis) on your endpoint when you save an endpoint. + +:::note + +When an endpoint is using [Cloudflare Workers](/workers/), the metrics data will not be populated. +::: + +## Access + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and domain. +2. Select **Security** > **API Shield**. +3. Add your endpoints [manually](#add-endpoints-manually), from [Schema validation](#add-endpoints-from-schema-validation), or from [API Discovery](#add-endpoints-from-api-discovery). + +## Add endpoints from API Discovery + +There are two ways to add API endpoints from Discovery. + +### Add from the Endpoint Management Tab + +1. From Endpoint Management, select **Add endpoints** > **Select from Discovery** tab. +2. Select the discovered endpoints you would like to add. +3. Select **Add endpoints**. + +### Add from the Discovery Tab + +1. From Endpoint Management, select the **Discovery** tab. +2. Select the discovered endpoints you would like to add. +3. Select **Save selected endpoints**. + +## Add endpoints from Schema validation + +1. Add a schema by [configuring Schema validation](/api-shield/security/schema-validation/). +2. On **Review schema endpoints**, save new endpoints to endpoint management by checking the box. +3. Select **Save as draft** or **Save and Deploy**. Endpoints will be saved regardless of whether the Schema is saved as a draft or published. + +API Shield will look for duplicate endpoints that have the same host, method, and path. Duplicate endpoints will not be saved to endpoint management. + +:::note + +If you deselect **Save new endpoints to endpoint management**, the endpoints will not be added. +::: + +## Add endpoints manually + +1. From Endpoint Management, select **Add endpoints** > **Manually add**. +2. Choose the method from the dropdown menu and add the path and hostname for the endpoint. +3. Select **Add endpoints**. + +:::note + +By selecting multiple checkboxes, you can add several endpoints from Discovery at once instead of individually. +::: + +When adding an endpoint manually, you can specify variable fields in the path or host by enclosing them in braces, `/api/user/{var1}/details` or `{hostVar1}.example.com`. + +Cloudflare supports hostname variables in the following formats: + +```txt + +{hostVar1}.example.com + +foo.{hostVar1}.example.com + +{hostVar2}.{hostVar1}.example.com +``` + +Hostname variables must comprise the entire domain field and must not be used with other text in the field. + +The following format is not supported: + +```txt + +foo-{hostVar1}.example.com +``` + +For more information on how Cloudflare uses variables in API Shield, refer to the examples from [API Discovery](/api-shield/security/api-discovery/). + +## Delete endpoints manually + +You can delete endpoints one at a time or in bulk. + +1. From Endpoint Management, select the checkboxes for the endpoints that you want to delete. +2. Select **Delete endpoints**. + +## Endpoint Analysis + +For each saved endpoint, customers can view: + +- **Request count**: The total number of requests to the endpoint over time. +- **Rate limiting recommendation**: per 10 minutes. This is guided by the request count. +- **Latency**: The average origin response time in milliseconds (ms). This metric shows how long it takes from the moment a visitor makes a request to the moment the visitor gets a response back from the origin. +- **Error rate** vs. overall traffic: grouped by 4xx, 5xx, and their sum. +- **Response size**: The average size of the response (in bytes) returned to the request. +- **Labels**: The current [labels](/api-shield/management-and-monitoring/endpoint-labels/) assigned to the endpoint. +- **Authentication status**: The breakdown of which [session identifiers](/api-shield/get-started/#session-identifiers) were seen on successful requests to this endpoint. +- **Sequences**: The number of [Sequence Analytics](/api-shield/security/sequence-analytics/) sequences the endpoint was found in. + +:::note + +Customers viewing analytics have the ability to toggle detailed metrics view between the last 24 hours and 7 days. +::: + +## Using the Cloudflare API + +You can interact with Endpoint Management through the Cloudflare API. Refer to [Endpoint Management’s API documentation](/api/resources/api_gateway/subresources/discovery/subresources/operations/methods/list/) for more information. + +## Sensitive Data Detection + +Sensitive data comprises various personally identifiable information and financial data. Cloudflare created this ruleset to address common data loss threats, and the WAF can search for this data in HTTP response bodies from your origin. + +API Shield will alert users to the presence of sensitive data in the response body of API endpoints listed in Endpoint Management if the zone is also subscribed to the [Sensitive Data Detection managed ruleset](/waf/managed-rules/reference/sensitive-data-detection/). + +Sensitive Data Detection is available to Enterprise customers on our Advanced application security plan. + +Once Sensitive Data Detection is enabled for your zone, API Shield queries firewall events from the WAF for the last seven days and places a notification icon on the Endpoint Management table row if there are any matched sensitive responses for your endpoint. + +API Shield displays the types of sensitive data found if you expand the Endpoint Management table row to view further details. Select **Explore Events** to view the matched events in Security Events. + +After Sensitive Data Detection is enabled for your zone, you can [browse the Sensitive Data Detection ruleset](https://dash.cloudflare.com/?to=/:account/:zone/security/data/ruleset/e22d83c647c64a3eae91b71b499d988e/rules). The link will not work if Sensitive Data Detection is not enabled. diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx new file mode 100644 index 00000000000000..0223a160ccd920 --- /dev/null +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx @@ -0,0 +1,47 @@ +--- +pcx_content_type: concept +type: overview +title: Schema learning +sidebar: + order: 2 +--- + +Cloudflare learns schema parameters via traffic inspection. For all endpoints saved to Endpoint Management, you can export the learned schema in OpenAPI `v3.0.0` format by hostname. + +To protect your API with a learned schema, refer to [Schema validation](/api-shield/security/schema-validation/#add-validation-by-applying-a-learned-schema-to-an-entire-hostname). + +## Export a schema + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and domain. +2. Select **Security** > **API Shield**. +3. Navigate to **Endpoint Management**. +4. Select **Export schema** and choose a hostname to export. +5. Select whether to include [learned parameters](/api-shield/management-and-monitoring/#learned-schemas-will-always-include) and [rate limit recommendations](/api-shield/security/volumetric-abuse-detection/) +6. Select **Export schema** and choose a location to save the file. + +:::note +The schema is saved as a JSON file in OpenAPI `v3.0.0` format. +::: + +Learned schemas will always include: + +- The listed hostname in the servers section +- All endpoints by host, method, and path + +For endpoints that receive sufficient traffic, learned schemas will also include: + +- Detected path variables and formats +- Detected query parameters and formats +- Detected `POST`, `PUT`, and `PATCH` body variable names and formats for `application/json` content types + +Learned schemas can optionally include: + +- API Shield's rate limit threshold recommendations + +## Limitations + +Endpoints must be added for at least 24 hours before Schema Learning begins. Schema Learning is a continuous process that inspects the last 72 hours of traffic to an endpoint. + +Schema Learning only learns from requests with `2xx` response codes. + +Schema Learning works best with high volumes of traffic. You may see less confident learned schemas for endpoints with less than 10,000 requests in the last 72 hours. diff --git a/src/content/docs/api-shield/management-and-monitoring/index.mdx b/src/content/docs/api-shield/management-and-monitoring/index.mdx index 83409bad1d26d1..7ea319409766b8 100644 --- a/src/content/docs/api-shield/management-and-monitoring/index.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/index.mdx @@ -1,171 +1,9 @@ --- -pcx_content_type: concept -type: overview +pcx_content_type: reference title: Management and Monitoring sidebar: order: 6 - label: Endpoint Management + group: + hideIndex: true --- - -import { GlossaryTooltip, Plan } from "~/components" - - - -Monitor the health of your API endpoints by saving, updating, and monitoring performance metrics using API Shield’s Endpoint Management. - -**Add endpoints** allows customers to save endpoints directly from [API Discovery](/api-shield/security/api-discovery/) or manually by method, path, and host. - -This will add the specified endpoints to your list of managed endpoints. You can view your list of saved endpoints in the **Endpoint Management** page. - -Cloudflare will start collecting [performance data](/api-shield/management-and-monitoring/#endpoint-analysis) on your endpoint when you save an endpoint. - -:::note - -When an endpoint is using [Cloudflare Workers](/workers/), the metrics data will not be populated. -::: - -## Access - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and domain. -2. Select **Security** > **API Shield**. -3. Add your endpoints [manually](#add-endpoints-manually), from [Schema validation](#add-endpoints-from-schema-validation), or from [API Discovery](#add-endpoints-from-api-discovery). - -## Add endpoints from API Discovery - -There are two ways to add API endpoints from Discovery. - -### Add from the Endpoint Management Tab - -1. From Endpoint Management, select **Add endpoints** > **Select from Discovery** tab. -2. Select the discovered endpoints you would like to add. -3. Select **Add endpoints**. - -### Add from the Discovery Tab - -1. From Endpoint Management, select the **Discovery** tab. -2. Select the discovered endpoints you would like to add. -3. Select **Save selected endpoints**. - -## Add endpoints from Schema validation - -1. Add a schema by [configuring Schema validation](/api-shield/security/schema-validation/). -2. On **Review schema endpoints**, save new endpoints to endpoint management by checking the box. -3. Select **Save as draft** or **Save and Deploy**. Endpoints will be saved regardless of whether the Schema is saved as a draft or published. - -API Shield will look for duplicate endpoints that have the same host, method, and path. Duplicate endpoints will not be saved to endpoint management. - -:::note - -If you deselect **Save new endpoints to endpoint management**, the endpoints will not be added. -::: - -## Add endpoints manually - -1. From Endpoint Management, select **Add endpoints** > **Manually add**. -2. Choose the method from the dropdown menu and add the path and hostname for the endpoint. -3. Select **Add endpoints**. - -:::note - -By selecting multiple checkboxes, you can add several endpoints from Discovery at once instead of individually. -::: - -When adding an endpoint manually, you can specify variable fields in the path or host by enclosing them in braces, `/api/user/{var1}/details` or `{hostVar1}.example.com`. - -Cloudflare supports hostname variables in the following formats: - -```txt - -{hostVar1}.example.com - -foo.{hostVar1}.example.com - -{hostVar2}.{hostVar1}.example.com -``` - -Hostname variables must comprise the entire domain field and must not be used with other text in the field. - -The following format is not supported: - -```txt - -foo-{hostVar1}.example.com -``` - -For more information on how Cloudflare uses variables in API Shield, refer to the examples from [API Discovery](/api-shield/security/api-discovery/). - -## Delete endpoints manually - -You can delete endpoints one at a time or in bulk. - -1. From Endpoint Management, select the checkboxes for the endpoints that you want to delete. -2. Select **Delete endpoints**. - -## Endpoint schema learning - -Cloudflare learns schema parameters via traffic inspection. For all endpoints saved to Endpoint Management, you can export OpenAPI schemas in `v3.0.0` format by hostname. You can also include learned schema parameters. - -To protect your API with a learned schema, refer to [Schema validation](/api-shield/security/schema-validation/#add-validation-by-applying-a-learned-schema-to-an-entire-hostname). - -### Export a schema - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and domain. -2. Select **Security** > **API Shield**. -3. Navigate to **Endpoint Management**. -4. Select **Export schema** and choose a hostname to export. -5. Select whether to include [learned parameters](/api-shield/management-and-monitoring/#learned-schemas-will-always-include) and [rate limit recommendations](/api-shield/security/volumetric-abuse-detection/) -6. Select **Export schema** and choose a location to save the file. - -:::note - -The schema is saved as a JSON file in OpenAPI `v3.0.0` format. -::: - -#### Learned schemas will always include: - -- The listed hostname in the servers section -- All endpoints by host, method, and path -- Detected path variables -- JSON `POST` body formats - -#### Learned schemas can optionally include: - -- Detected query parameters and its format -- API Shield’s rate limit threshold recommendations - -## Endpoint Analysis - -For each saved endpoint, customers can view: - -- **Request count**: The total number of requests to the endpoint over time. -- **Rate limiting recommendation**: per 10 minutes. This is guided by the request count. -- **Latency**: The average origin response time in milliseconds (ms). This metric shows how long it takes from the moment a visitor makes a request to the moment the visitor gets a response back from the origin. -- **Error rate** vs. overall traffic: grouped by 4xx, 5xx, and their sum. -- **Response size**: The average size of the response (in bytes) returned to the request. -- **Labels**: The current [labels](/api-shield/management-and-monitoring/endpoint-labels/) assigned to the endpoint. -- **Authentication status**: The breakdown of which [session identifiers](/api-shield/get-started/#session-identifiers) were seen on successful requests to this endpoint. -- **Sequences**: The number of [Sequence Analytics](/api-shield/security/sequence-analytics/) sequences the endpoint was found in. - -:::note - -Customers viewing analytics have the ability to toggle detailed metrics view between the last 24 hours and 7 days. -::: - -## Using the Cloudflare API - -You can interact with Endpoint Management through the Cloudflare API. Refer to [Endpoint Management’s API documentation](/api/resources/api_gateway/subresources/discovery/subresources/operations/methods/list/) for more information. - -## Sensitive Data Detection - -Sensitive data comprises various personally identifiable information and financial data. Cloudflare created this ruleset to address common data loss threats, and the WAF can search for this data in HTTP response bodies from your origin. - -API Shield will alert users to the presence of sensitive data in the response body of API endpoints listed in Endpoint Management if the zone is also subscribed to the [Sensitive Data Detection managed ruleset](/waf/managed-rules/reference/sensitive-data-detection/). - -Sensitive Data Detection is available to Enterprise customers on our Advanced application security plan. - -Once Sensitive Data Detection is enabled for your zone, API Shield queries firewall events from the WAF for the last seven days and places a notification icon on the Endpoint Management table row if there are any matched sensitive responses for your endpoint. - -API Shield displays the types of sensitive data found if you expand the Endpoint Management table row to view further details. Select **Explore Events** to view the matched events in Security Events. - -After Sensitive Data Detection is enabled for your zone, you can [browse the Sensitive Data Detection ruleset](https://dash.cloudflare.com/?to=/:account/:zone/security/data/ruleset/e22d83c647c64a3eae91b71b499d988e/rules). The link will not work if Sensitive Data Detection is not enabled. diff --git a/src/content/docs/api-shield/management-and-monitoring/session-identifiers.mdx b/src/content/docs/api-shield/management-and-monitoring/session-identifiers.mdx index 75ff27c197d23d..f6ea8a528b15c1 100644 --- a/src/content/docs/api-shield/management-and-monitoring/session-identifiers.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/session-identifiers.mdx @@ -3,7 +3,7 @@ pcx_content_type: how-to type: overview title: Session identifiers sidebar: - order: 2 + order: 3 --- From 8ed70e5707ecc05d28a48dd260920ab936ca2359 Mon Sep 17 00:00:00 2001 From: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> Date: Thu, 1 May 2025 15:36:55 -0700 Subject: [PATCH 3/3] Update src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx --- .../endpoint-management/schema-learning.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx index 0223a160ccd920..d0fd4dc120bba1 100644 --- a/src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx @@ -40,8 +40,8 @@ Learned schemas can optionally include: ## Limitations -Endpoints must be added for at least 24 hours before Schema Learning begins. Schema Learning is a continuous process that inspects the last 72 hours of traffic to an endpoint. +Endpoints must be added for at least 24 hours before schema learning begins. Schema learning is a continuous process that inspects the last 72 hours of traffic to an endpoint. -Schema Learning only learns from requests with `2xx` response codes. +Schema learning only learns from requests with `2xx` response codes. -Schema Learning works best with high volumes of traffic. You may see less confident learned schemas for endpoints with less than 10,000 requests in the last 72 hours. +Schema learning works best with high volumes of traffic. You may see less confident learned schemas for endpoints with less than 10,000 requests in the last 72 hours.