From e7979db5c46d0c8ab94731e43b0126eaabcff173 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Thu, 3 Jul 2025 11:29:36 -0700 Subject: [PATCH 01/12] session identifiers --- .../required-session-identifiers.mdx | 2 +- .../api-shield/set-up-session-identifiers.mdx | 49 +++++++++++++------ 2 files changed, 36 insertions(+), 15 deletions(-) diff --git a/src/content/partials/api-shield/required-session-identifiers.mdx b/src/content/partials/api-shield/required-session-identifiers.mdx index eb9c4c322a73772..a1f6276e094c00c 100644 --- a/src/content/partials/api-shield/required-session-identifiers.mdx +++ b/src/content/partials/api-shield/required-session-identifiers.mdx @@ -3,4 +3,4 @@ --- -Session identifiers are necessary to configure [Sequence Mitigation](/api-shield/security/sequence-mitigation/) or [rate limiting recommendations](/api-shield/security/volumetric-abuse-detection/), and to see results in [Sequence Analytics](/api-shield/security/sequence-analytics/) and [Authentication Posture](/api-shield/security/authentication-posture/). +You must have specific entitlements to configure session identifiers or cookies as a form of identifiers, such as an Enterprise subscription, for features such as [API Discovery](/api-shield/security/api-discovery/), [Sequence Mitigation](/api-shield/security/sequence-mitigation/) or [rate limiting recommendations](/api-shield/security/volumetric-abuse-detection/), and to see results in [Sequence Analytics](/api-shield/security/sequence-analytics/) and [Authentication Posture](/api-shield/security/authentication-posture/). diff --git a/src/content/partials/api-shield/set-up-session-identifiers.mdx b/src/content/partials/api-shield/set-up-session-identifiers.mdx index 30e2fba4e1e71b4..9c3be16b5e9e2df 100644 --- a/src/content/partials/api-shield/set-up-session-identifiers.mdx +++ b/src/content/partials/api-shield/set-up-session-identifiers.mdx @@ -2,21 +2,42 @@ {} --- -import { Steps } from "~/components" +import { Steps, Tabs, TabItem } from "~/components" - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. -2. Go to **Security** > **API Shield**. -3. Select **Settings**. -4. On **Endpoint settings**, select **Manage identifiers**. -5. Choose the type of session identifier (cookie, HTTP header, or JWT claim). - :::note - The session identifier cookie must comply with RFC 6265. Otherwise, it will be rejected. + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **API Shield**. + 3. Select **Settings**. + 4. On **Endpoint settings**, select **Manage identifiers**. + 5. Choose the type of session identifier (cookie, HTTP header, or JWT claim). + :::note + The session identifier cookie must comply with RFC 6265. Otherwise, it will be rejected. - If you are using a JWT claim, choose the [Token Configuration](/api-shield/security/jwt-validation/api/#token-configurations) that will verify the JWT. Token Configurations are required to use JWT claims as session identifiers. Refer to [JWT Validation](/api-shield/security/jwt-validation/) for more information. - ::: -6. Enter the name of the session identifier. -7. Select **Save**. - + If you are using a JWT claim, choose the [Token Configuration](/api-shield/security/jwt-validation/api/#token-configurations) that will verify the JWT. Token Configurations are required to use JWT claims as session identifiers. Refer to [JWT Validation](/api-shield/security/jwt-validation/) for more information. + ::: + 6. Enter the name of the session identifier. + 7. Select **Save**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Settings** + 3. Filter by **API abuse**. + 4. On **Session identifiers**, select **Configure session identifiers**. + 5. Select **Manage identifiers**. + 6. Choose the type of session identifier (cookie, HTTP header, or JWT claim). + :::note + The session identifier cookie must comply with RFC 6265. Otherwise, it will be rejected. + + If you are using a JWT claim, choose the [Token Configuration](/api-shield/security/jwt-validation/api/#token-configurations) that will verify the JWT. Token Configurations are required to use JWT claims as session identifiers. Refer to [JWT Validation](/api-shield/security/jwt-validation/) for more information. + ::: + 7. Enter the name of the session identifier. + 8. Select **Save**. + + + After setting up session identifiers and allowing some time for Cloudflare to learn your traffic patterns, you can view your per endpoint and per session rate limiting recommendations, as well as enforce per endpoint and per session rate limits by creating new rules. Session identifiers will allow you to view API Discovery results from session ID-based discovery and session traffic patterns in Sequence Analytics. From f55848b44d86ebbe08818df83cc53f05b2e9ad72 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Thu, 3 Jul 2025 11:53:06 -0700 Subject: [PATCH 02/12] labels --- .../endpoint-labels.mdx | 128 +++++++++++++----- 1 file changed, 91 insertions(+), 37 deletions(-) diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx index 7e234c0b557cd78..e715fbae82432ae 100644 --- a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx @@ -7,7 +7,7 @@ sidebar: label: Labeling service --- -import { Render, Steps } from "~/components"; +import { Render, Steps, Tabs, TabItem } from "~/components"; API Shield's labeling service will help you organize your endpoints and address vulnerabilities in your API. The labeling service comes with managed and user-defined labels. @@ -81,48 +81,102 @@ Cloudflare will only add authentication labels to endpoints with successful resp ## Create a label - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Go to **Security** > **Settings** > **Labels**. -3. Under **Security labels**, select **Create label**. -4. Name the label and add an optional label description. -5. Apply the label to your selected endpoints. -6. Select **Create label**. - - -Alternatively, you can create a user-defined label via Endpoint Management in API Shield: - - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Go to **Security** > **Settings** > **Labels**. -3. Choose the endpoint that you want to label. -4. Select **Edit labels**. -5. Under **User**, select **Create user label**. -6. Enter the label name. -7. Select **Create**. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Go to **Security** > **Settings** > **Labels**. + 3. Under **Security labels**, select **Create label**. + 4. Name the label and add an optional label description. + 5. Apply the label to your selected endpoints. + 6. Select **Create label**. + + + Alternatively, you can create a user-defined label via Endpoint Management in API Shield: + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Go to **Security** > **Settings** > **Labels**. + 3. Choose the endpoint that you want to label. + 4. Select **Edit labels**. + 5. Under **User**, select **Create user label**. + 6. Enter the label name. + 7. Select **Create**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Settings**. + 3. Filter by **API abuse**. + 4. Under **Endpoint labels**, select **Manage label**. + 5. Name the label and add an optional label description. + 6. Apply the label to your selected endpoints. + 7. Select Create label. + + Alternatively, you can create a user-defined label via **Security** > **Web Assets**. + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Endpoints**. + 3. Choose the endpoint that you want to label. + 4. Select **Edit endpoint labels**. + 5. Under **User**, select **Create user label**. + 6. Enter the label name. + 7. Select **Create**. + + + ## Apply a label to an individual endpoint - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Go to **Security** > **API Shield** > **Endpoint Management**. -3. Choose the endpoint that you want to label. -4. Select **Edit labels**. -5. Add the label(s) that you want to use for the endpoint from the list of managed and user-defined labels. -6. Select **Save labels**. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Go to **Security** > **API Shield** > **Endpoint Management**. + 3. Choose the endpoint that you want to label. + 4. Select **Edit labels**. + 5. Add the label(s) that you want to use for the endpoint from the list of managed and user-defined labels. + 6. Select **Save labels**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Endpoints**. + 3. Choose the endpoint that you want to label. + 4. Select **Edit endpoint labels**. + 5. Add the label(s) that you want to use for the endpoint from the list of managed and user-defined labels. + 6. Select **Save labels**. + + + ## Bulk apply labels to multiple endpoints - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Go to **Security** > **Settings** > **Labels**. -3. On the existing label that you want to apply to multiple endpoints, select **Bulk apply**. -4. Choose the endpoints that you want to label by selecting its checkbox. -5. Select **Save label**. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Go to **Security** > **Settings** > **Labels**. + 3. On the existing label that you want to apply to multiple endpoints, select **Bulk apply**. + 4. Choose the endpoints that you want to label by selecting its checkbox. + 5. Select **Save label**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Settings**. + 3. Filter by **API abuse**. + 4. On **Endpoint labels**, select **Manage labels**. + 5. On the existing label that you want to apply to multiple endpoints, select Bulk apply. + 6. Choose the endpoints that you want to label by selecting its checkbox. + 7. Select **Apply label**. + + + ## Availability -Endpoint Management's labeling service is available to all customers. \ No newline at end of file +Endpoint labeling is available to all customers. \ No newline at end of file From fe5d6178acc51a66e3bb74502343a19311d4c8a9 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Thu, 3 Jul 2025 12:05:18 -0700 Subject: [PATCH 03/12] routing --- .../management-and-monitoring/api-routing.mdx | 16 ++-------- src/content/partials/api-shield/routing.mdx | 32 +++++++++++++------ .../partials/api-shield/source-endpoints.mdx | 29 ++++++++++++----- 3 files changed, 46 insertions(+), 31 deletions(-) diff --git a/src/content/docs/api-shield/management-and-monitoring/api-routing.mdx b/src/content/docs/api-shield/management-and-monitoring/api-routing.mdx index cc1b4e0d77eb518..32b97ffeecbdfea 100644 --- a/src/content/docs/api-shield/management-and-monitoring/api-routing.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/api-routing.mdx @@ -24,23 +24,11 @@ Once your Source Endpoints are added to Endpoint Management, use the following s ### Create a route - + -### Edit a route - - - -### Remove a route - - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Select **Security** > **API Shield**. -3. In **Endpoint Management**, select an existing endpoint and expand its details. -4. Under **Routing**, select **Edit routing**. -5. Select **Delete route**. - +You can also edit or delete a route by selecting **Edit route** on an existing route. ### Test a route diff --git a/src/content/partials/api-shield/routing.mdx b/src/content/partials/api-shield/routing.mdx index 508e5b055d1ab97..15b730619728156 100644 --- a/src/content/partials/api-shield/routing.mdx +++ b/src/content/partials/api-shield/routing.mdx @@ -3,13 +3,27 @@ inputParameters: param1;;param2 --- -import { Markdown, Steps } from "~/components" +import { Markdown, Steps, Tabs, TabItem } from "~/components" - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Go to **Security** > **API Shield**. -3. In **Endpoint Management**, select an existing endpoint and expand its details. -4. Under **Routing**, select **{props.one} {props.two}**. -5. Enter the target URL or IP address to route your endpoint to. -6. Select **Deploy route**. - \ No newline at end of file + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Go to **Security** > **API Shield**. + 3. In **Endpoint Management**, select an existing endpoint and expand its details. + 4. Under **Routing**, select **Create route**. + 5. Enter the target URL or IP address to route your endpoint to. + 6. Select **Deploy route**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets**. + 3. In **Endpoints**, select an existing endpoint and expand its details. + 4. Under **Routing**, select **Create route**. + 5. Enter the target URL or IP address to route your endpoint to. + 6. Select **Deploy route**. + + + diff --git a/src/content/partials/api-shield/source-endpoints.mdx b/src/content/partials/api-shield/source-endpoints.mdx index 5a7a64b73fd56e4..4961faa941c92cf 100644 --- a/src/content/partials/api-shield/source-endpoints.mdx +++ b/src/content/partials/api-shield/source-endpoints.mdx @@ -3,16 +3,29 @@ --- -import { Steps } from "~/components" +import { Steps, Tabs, TabItem } from "~/components" You must add Source Endpoints to Endpoint Management through established methods, including [uploading a schema](/api-shield/security/schema-validation/#add-validation-by-uploading-a-schema), via [API Discovery](/api-shield/security/api-discovery/), or by [adding manually](/api-shield/management-and-monitoring/#add-endpoints-manually), before creating a route. To create a route, you will need the operation ID of the Source Endpoint. To find the operation ID in the dashboard: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Select **Security** > **API Shield**. -3. Filter the endpoints to find your **Source Endpoint**. -4. Expand the row for your Source Endpoint and note the **operation ID** field. -5. Select the copy icon to copy the operation ID to your clipboard. - \ No newline at end of file + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Select **Security** > **API Shield**. + 3. Filter the endpoints to find your **Source Endpoint**. + 4. Expand the row for your Source Endpoint and note the **operation ID** field. + 5. Select the copy icon to copy the operation ID to your clipboard. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Select **Security** > **Web assets**. + 3. Filter the endpoints to find your **Source Endpoint**. + 4. Expand the row for your Source Endpoint and note the **operation ID** field. + 5. Select the copy icon to copy the operation ID to your clipboard. + + + \ No newline at end of file From aa54d46cc00cf612f92ca0537622f46a8098fe38 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Thu, 3 Jul 2025 12:12:08 -0700 Subject: [PATCH 04/12] dev portals --- .../developer-portal.mdx | 53 +++++++++++++------ 1 file changed, 37 insertions(+), 16 deletions(-) diff --git a/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx b/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx index 3fdb244b1765c47..9bff4b6de0255b6 100644 --- a/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx @@ -7,26 +7,47 @@ sidebar: --- -import { GlossaryTooltip, Steps } from "~/components" +import { GlossaryTooltip, Tabs, TabItem, Steps } from "~/components" -Once endpoints are saved into Endpoint Management, API Shield doubles as an API catalog. API Shield can build an interactive documentation portal with the knowledge it has of your APIs, or you can upload a new OpenAPI schema file to build a documentation portal ad-hoc. +Once your endpoints are saved, API Shield doubles as an API catalog. API Shield can build an interactive documentation portal with the knowledge it has of your APIs, or you can upload a new OpenAPI schema file to build a documentation portal ad-hoc. To create a developer portal: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Go to **Security** > **API Shield** > **Settings**. -3. Under **Create a developer portal**, select **Create site**. -4. Upload an OpenAPI v3.0 schema file or choose to select an existing schema from API Shield. - :::note - If you do not have a schema to upload or to select from a pre-existing schema, export your Endpoint Management schema. For best results, include the learned parameters. - - Only API schemas uploaded to Schema validation 2.0 are available when selecting existing schemas - ::: -5. Select **Download project files** to save a local copy of the files that will be uploaded to Cloudflare Pages. Downloading the project files can be helpful if you wish to modify the project in any way and then upload the new version manually to Pages. -6. Select **Create pages project** to begin project creation. A new Pages project will be automatically created and your API schema will be automatically uploaded to the project along with other supporting static content. -7. Select **Deploy site**. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Go to **Security** > **API Shield** > **Settings**. + 3. Under **Create a developer portal**, select **Create site**. + 4. Upload an OpenAPI v3.0 schema file or choose to select an existing schema from API Shield. + :::note + If you do not have a schema to upload or to select from a pre-existing schema, export your Endpoint Management schema. For best results, include the learned parameters. + + Only API schemas uploaded to Schema validation 2.0 are available when selecting existing schemas + ::: + 5. Select **Download project files** to save a local copy of the files that will be uploaded to Cloudflare Pages. Downloading the project files can be helpful if you wish to modify the project in any way and then upload the new version manually to Pages. + 6. Select **Create pages project** to begin project creation. A new Pages project will be automatically created and your API schema will be automatically uploaded to the project along with other supporting static content. + 7. Select **Deploy site**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Settings** + 3. Filter by **API abuse**. + 4. On **Create a developer portal**, select **Create site**. + 4. Upload an OpenAPI v3.0 schema file or choose to select an existing schema from API Shield. + :::note + If you do not have a schema to upload or to select from a pre-existing schema, export your Endpoint Management schema. For best results, include the learned parameters. + + Only API schemas uploaded to Schema validation 2.0 are available when selecting existing schemas + ::: + 5. Select **Download project files** to save a local copy of the files that will be uploaded to Cloudflare Pages. Downloading the project files can be helpful if you wish to modify the project in any way and then upload the new version manually to Pages. + 6. Select **Create pages project** to begin project creation. A new Pages project will be automatically created and your API schema will be automatically uploaded to the project along with other supporting static content. + 7. Select **Deploy site**. + + + ### Custom domains From 7be827dc028cf0b3627df8ccd6a0fa32bd1e66a3 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Thu, 3 Jul 2025 12:14:52 -0700 Subject: [PATCH 05/12] schema learning --- .../endpoint-management/schema-learning.mdx | 30 +++++++++++++------ 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx index fda868ee8d9afa4..73e25d2c2881999 100644 --- a/src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/schema-learning.mdx @@ -6,7 +6,7 @@ sidebar: order: 2 --- -import { Steps } from "~/components" +import { Steps, Tabs, TabItem } from "~/components" Cloudflare learns schema parameters via traffic inspection. For all endpoints saved to Endpoint Management, you can export the learned schema in OpenAPI `v3.0.0` format by hostname. @@ -14,14 +14,26 @@ To protect your API with a learned schema, refer to [Schema validation](/api-shi ## Export a schema - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Select **Security** > **API Shield**. -3. Navigate to **Endpoint Management**. -4. Select **Export schema** and choose a hostname to export. -5. Select whether to include [learned parameters](/api-shield/management-and-monitoring/#learned-schemas-will-always-include) and [rate limit recommendations](/api-shield/security/volumetric-abuse-detection/) -6. Select **Export schema** and choose a location to save the file. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Select **Security** > **API Shield** > **Endpoint Management**. + 4. Select **Export schema** and choose a hostname to export. + 5. Select whether to include [learned parameters](/api-shield/management-and-monitoring/#learned-schemas-will-always-include) and [rate limit recommendations](/api-shield/security/volumetric-abuse-detection/) + 6. Select **Export schema** and choose a location to save the file. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Endpoints**. + 3. Select **Export schema** and choose a hostname to export. + 4. Select whether to include learned parameters and rate limit recommendations + 5. Select **Export schema** and choose a location to save the file. + + + :::note The schema is saved as a JSON file in OpenAPI `v3.0.0` format. From 341e42322a72aa735dc1b0b508a256ca29023d4c Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Thu, 3 Jul 2025 12:51:07 -0700 Subject: [PATCH 06/12] jwt validation --- .../security/jwt-validation/index.mdx | 83 ++++++++++++++----- 1 file changed, 60 insertions(+), 23 deletions(-) diff --git a/src/content/docs/api-shield/security/jwt-validation/index.mdx b/src/content/docs/api-shield/security/jwt-validation/index.mdx index 70eff8557386462..d1aa751773728ba 100644 --- a/src/content/docs/api-shield/security/jwt-validation/index.mdx +++ b/src/content/docs/api-shield/security/jwt-validation/index.mdx @@ -6,7 +6,7 @@ sidebar: --- -import { GlossaryTooltip, Steps } from "~/components" +import { GlossaryTooltip, Steps, Tabs, TabItem } from "~/components" JSON web tokens (JWT) are often used as part of an authentication component on many web applications today. Since JWTs are crucial to identifying users and their access, ensuring the token’s integrity is important. @@ -20,14 +20,29 @@ A JWT validation configuration consists of creating a token validation configura ### Add a token validation configuration - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. -2. Go to **Security** > **API Shield** > **Settings**. -3. Under **JSON Web Token Settings**, select **Add configuration**. -4. Add a name for your configuration. -5. Choose where Cloudflare can locate the JWT for this configuration on incoming requests, such as a header or cookie and its name. -6. Copy and paste your JWT issuer's public key(s) (JWKS). - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **API Shield** > **Settings**. + 3. Under **JSON Web Token Settings**, select **Add configuration**. + 4. Add a name for your configuration. + 5. Choose where Cloudflare can locate the JWT for this configuration on incoming requests, such as a header or cookie and its name. + 6. Copy and paste your JWT issuer's public key(s) (JWKS). + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Settings**. + 3. Filter by **API abuse**. + 4. On **Token configurations**, select **Configure tokens**. + 5. Add a name for your configuration. + 6. Choose where Cloudflare can locate the JWT for this configuration on incoming requests, such as a header or cookie and its name. + 7. Copy and paste your JWT issuer's public key(s) (JWKS). + + + Each JWT issuer typically publishes public keys (JWKS) for verification at a known URL on the Internet. If you do not know where to get them, contact your identity administrator. @@ -35,20 +50,42 @@ To automatically keep your JWKS up to date when your identity provider refreshes ### Add a JWT validation rule - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. -2. Go to **Security** > **API Shield** > **API Rules**. -3. - Add a name for your rule. -4. Select a hostname to protect requests with saved endpoints using the rule. -5. Deselect any endpoints that you want JWT validation to ignore (for example, an endpoint used to generate a JWT). -6. Select the token validation configuration that corresponds to the incoming requests. -7. Choose whether to strictly enforce token presence on these endpoints. - - You may not expect 100% of clients to send in JWTs with their requests. If this is the case, choose *Ignore*. JWT validation will still validate JWTs that are present. - - You may otherwise expect all requests to the selected hostname and endpoints to contain JWTs. If this is the case, choose *Mark as non-compliant*. -8. Choose an action to take for non-compliant requests. For example, JWTs that do not pass validation (expired, tampered with, or bad signature tokens) or requests with missing JWTs when *Mark as non-compliant* is selected in the previous step. -9. Select **Save**. - + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **API Shield** > **API Rules**. + 3. + Add a name for your rule. + 4. Select a hostname to protect requests with saved endpoints using the rule. + 5. Deselect any endpoints that you want JWT validation to ignore (for example, an endpoint used to generate a JWT). + 6. Select the token validation configuration that corresponds to the incoming requests. + 7. Choose whether to strictly enforce token presence on these endpoints. + - You may not expect 100% of clients to send in JWTs with their requests. If this is the case, choose *Ignore*. JWT validation will still validate JWTs that are present. + - You may otherwise expect all requests to the selected hostname and endpoints to contain JWTs. If this is the case, choose *Mark as non-compliant*. + 8. Choose an action to take for non-compliant requests. For example, JWTs that do not pass validation (expired, tampered with, or bad signature tokens) or requests with missing JWTs when *Mark as non-compliant* is selected in the previous step. + 9. Select **Save**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Security rules**. + 3. On API JWT validation rules, select **Create rule**. + 4. + Add a name for your rule. + 5. Select a hostname to protect requests with saved endpoints using the rule. + 6. Deselect any endpoints that you want JWT validation to ignore (for example, an endpoint used to generate a JWT). + 7. Select the token validation configuration that corresponds to the incoming requests. + 8. Choose whether to strictly enforce token presence on these endpoints. + - You may not expect 100% of clients to send in JWTs with their requests. If this is the case, choose *Ignore*. JWT validation will still validate JWTs that are present. + - You may otherwise expect all requests to the selected hostname and endpoints to contain JWTs. If this is the case, choose *Mark as non-compliant*. + 9. Choose an action to take for non-compliant requests. For example, JWTs that do not pass validation (expired, tampered with, or bad signature tokens) or requests with missing JWTs when *Mark as non-compliant* is selected in the previous step. + 10. Select **Save**. + + + :::note From 83dd9095125967e43a9f81fff27a5a7364924d33 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Thu, 3 Jul 2025 13:04:25 -0700 Subject: [PATCH 07/12] authentication posture --- .../security/authentication-posture.mdx | 31 +++++++++++++------ 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/src/content/docs/api-shield/security/authentication-posture.mdx b/src/content/docs/api-shield/security/authentication-posture.mdx index ae50e2b7531bc4e..641f41df9fe78c7 100644 --- a/src/content/docs/api-shield/security/authentication-posture.mdx +++ b/src/content/docs/api-shield/security/authentication-posture.mdx @@ -7,13 +7,13 @@ sidebar: --- -import { GlossaryTooltip, Render, Steps } from "~/components" +import { GlossaryTooltip, Render, Steps, Tabs, TabItem } from "~/components" Authentication Posture helps users identify authentication misconfigurations for APIs and alerts of their presence. For example, a security team member may believe that their API hosted at `/api/v1/users` and `/api/v1/orders` are guarded by the fact that only authenticated users can interact with the endpoints. However, bugs in origin API authentication policies may lead to broken authentication vulnerabilities. Authentication Posture with API Shield details the authentication status of successful requests to your API endpoints, alerting to potential misconfigurations. -Consider a typical e-commerce application. Users can browse items and prices without being logged in. However, to retrieve order details with the `GET /api/v1/orders/{order_id}` endpoint, this example application requires users to log in to their account and pass the subsequent Authorization HTTP header in all requests. Cloudflare will alert via [Security Center Insights](/security-center/security-insights/) and [Endpoint Management labels](/api-shield/management-and-monitoring/endpoint-labels/) if successful requests are sent to the `GET /api/v1/orders/{order_id}` endpoint or any other endpoint without authentication when session identifiers are configured. +Consider a typical e-commerce application. Users can browse items and prices without being logged in. However, to retrieve order details with the `GET /api/v1/orders/{order_id}` endpoint, this example application requires users to log in to their account and pass the subsequent Authorization HTTP header in all requests. Cloudflare will alert via [Security Center Insights](/security-center/security-insights/) and [Endpoint labels](/api-shield/management-and-monitoring/endpoint-labels/) if successful requests are sent to the `GET /api/v1/orders/{order_id}` endpoint or any other endpoint without authentication when session identifiers are configured. ## Process @@ -23,13 +23,26 @@ After configuring [session identifiers](/api-shield/get-started/#session-identif ### Examine an endpoint's authentication details - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Go to **Security** > **API Shield** > **Endpoint Management**. -3. Filter Endpoint Management by the `cf-risk-missing-auth` or `cf-risk-mixed-auth` labels. -4. Select an endpoint to see its authentication posture details on the endpoint details page. -5. Choose between the 24-hour and 7-day view options, and note any authentication changes over time. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Go to **Security** > **API Shield** > **Endpoint Management**. + 3. Filter Endpoint Management by the `cf-risk-missing-auth` or `cf-risk-mixed-auth` labels. + 4. Select an endpoint to see its authentication posture details on the endpoint details page. + 5. Choose between the 24-hour and 7-day view options, and note any authentication changes over time. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Endpoints**. + 3. Filter your endpoints by the `cf-risk-missing-auth` or `cf-risk-mixed-auth` labels. + 4. Select an endpoint to see its authentication posture details on the endpoint details page. + 5. Choose between the 24-hour and 7-day view options, and note any authentication changes over time. + + + The main authentication widget displays how many successful requests over the last seven days had session identifiers included with them, and which identifiers were included with the traffic. From e08c324f773ff081f32d514b012d4073e8ad2796 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Thu, 3 Jul 2025 13:34:50 -0700 Subject: [PATCH 08/12] endpoint mgmt --- .../endpoint-management/index.mdx | 147 +++++++++++++----- 1 file changed, 109 insertions(+), 38 deletions(-) diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx index 24281fc9e781bf4..a05a6705d15a264 100644 --- a/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx @@ -7,7 +7,7 @@ sidebar: --- -import { GlossaryTooltip, Plan, Steps } from "~/components" +import { GlossaryTooltip, Plan, Steps, Tabs, TabItem } from "~/components" @@ -26,39 +26,85 @@ When an endpoint is using [Cloudflare Workers](/workers/), the metrics data will ## Access - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. -2. Select **Security** > **API Shield**. -3. Add your endpoints [manually](#add-endpoints-manually), from [Schema validation](#add-endpoints-from-schema-validation), or from [API Discovery](#add-endpoints-from-api-discovery). - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Select **Security** > **API Shield**. + 3. Add your endpoints [manually](#add-endpoints-manually), from [Schema validation](#add-endpoints-from-schema-validation), or from [API Discovery](#add-endpoints-from-api-discovery). + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Endpoints**. + 3. Select **Add endpoints**. + 4. Add your endpoints [manually](#add-endpoints-manually), from [Schema validation](#add-endpoints-from-schema-validation), or from [API Discovery](#add-endpoints-from-api-discovery). + + + ### Add endpoints from API Discovery There are two ways to add API endpoints from Discovery. -#### Add from the Endpoint Management Tab - - -1. From Endpoint Management, select **Add endpoints** > **Select from Discovery** tab. -2. Select the discovered endpoints you would like to add. -3. Select **Add endpoints**. - - -#### Add from the Discovery Tab - - -1. From Endpoint Management, select the **Discovery** tab. -2. Select the discovered endpoints you would like to add. -3. Select **Save selected endpoints**. - - -### Add endpoints from Schema validation - - -1. Add a schema by [configuring Schema validation](/api-shield/security/schema-validation/). -2. On **Review schema endpoints**, save new endpoints to endpoint management by checking the box. -3. Select **Save as draft** or **Save and Deploy**. Endpoints will be saved regardless of whether the Schema is saved as a draft or published. - +#### Add from the Endpoints tab + + + + + 1. From **Endpoint Management**, select **Add endpoints** > **Select from Discovery** tab. + 2. Select the discovered endpoints you would like to add. + 3. Select **Add endpoints**. + + + + + 1. From **Endpoints**, go to **Add endpoints** > **Select from Discovery** tab. + 2. Select the discovered endpoints you would like to add. + 3. Select **Add endpoints**. + + + + +#### Add from the Discovery tab + + + + + 1. From Endpoint Management, select the **Discovery** tab. + 2. Select the discovered endpoints you would like to add. + 3. Select **Save selected endpoints**. + + + + + 1. From **Web assets**, go to the **Discovery** tab. + 2. Select the discovered endpoints you would like to add. + 3. Select **Save selected endpoints**. + + + + +### Add endpoints from Schema Validation + + + + + 1. Add a schema by [configuring Schema validation](/api-shield/security/schema-validation/). + 2. On **Review schema endpoints**, save new endpoints to endpoint management by checking the box. + 3. Select **Save as draft** or **Save and Deploy**. Endpoints will be saved regardless of whether the Schema is saved as a draft or published. + + + + + 1. From **Web assets**, go to the **Endpoints** tab. + 2. Select **Add endpoints** > **Upload Schema**. + 3. Upload a schema file. + 4. Select **Add schema and endpoints**. + + + API Shield will look for duplicate endpoints that have the same host, method, and path. Duplicate endpoints will not be saved to endpoint management. @@ -68,11 +114,25 @@ If you deselect **Save new endpoints to endpoint management**, the endpoints wil ### Add endpoints manually - -1. From Endpoint Management, select **Add endpoints** > **Manually add**. -2. Choose the method from the dropdown menu and add the path and hostname for the endpoint. -3. Select **Add endpoints**. - + + + + + 1. From Endpoint Management, select **Add endpoints** > **Manually add**. + 2. Choose the method from the dropdown menu and add the path and hostname for the endpoint. + 3. Select **Add endpoints**. + + + + + 1. From **Web assets**, go to the **Endpoints** tab. + 2. Select **Add endpoints** > **Manually add**. + 3. Choose the method from the dropdown menu and add the path and hostname for the endpoint. + 4. Select **Add endpoints**. + + + + :::note By selecting multiple checkboxes, you can add several endpoints from Discovery at once instead of individually. @@ -106,10 +166,21 @@ For more information on how Cloudflare uses variables in API Shield, refer to th You can delete endpoints one at a time or in bulk. - -1. From Endpoint Management, select the checkboxes for the endpoints that you want to delete. -2. Select **Delete endpoints**. - + + + + 1. From Endpoint Management, select the checkboxes for the endpoints that you want to delete. + 2. Select **Delete endpoints**. + + + + + 1. From **Web assets**, go to the **Endpoints** tab. + 2. Select the checkboxes for the endpoints that you want to delete. + 3. Select **Delete endpoints**. + + + ## Endpoint Analysis From 6099445bd057c3376439e40ad340b41ce767051b Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Mon, 7 Jul 2025 09:56:41 -0700 Subject: [PATCH 09/12] schema validation --- .../security/schema-validation/index.mdx | 308 +++++++++++++----- 1 file changed, 223 insertions(+), 85 deletions(-) diff --git a/src/content/docs/api-shield/security/schema-validation/index.mdx b/src/content/docs/api-shield/security/schema-validation/index.mdx index f7c6f0d9e3245af..1574ad81757c38b 100644 --- a/src/content/docs/api-shield/security/schema-validation/index.mdx +++ b/src/content/docs/api-shield/security/schema-validation/index.mdx @@ -6,7 +6,7 @@ sidebar: --- -import { GlossaryDefinition, GlossaryTooltip, Plan, Steps } from "~/components" +import { GlossaryDefinition, GlossaryTooltip, Plan, Steps, Tabs, TabItem } from "~/components" @@ -33,15 +33,28 @@ To view the contents in your learned schema, refer to [Export a schema](/api-shi ### Add validation by uploading a schema - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Select **Security** > **API Shield**. -3. Go to **Schema Validation** and select **Add validation**. -4. Select your schema file for upload. -5. Observe the listed endpoints, their host, method, and path. Any new endpoints will automatically be added to Endpoint Management. -6. Choose an action for the non-compliant requests to your endpoints. -7. Select **Add schema and endpoints**. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Select **Security** > **API Shield**. + 3. Go to **Schema Validation** and select **Add validation**. + 4. Select your schema file for upload. + 5. Observe the listed endpoints, their host, method, and path. Any new endpoints will automatically be added to Endpoint Management. + 6. Choose an action for the non-compliant requests to your endpoints. + 7. Select **Add schema and endpoints**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Schema Validation**. + 3. Select **Add validation**. + 4. Upload a schema file. + 5. Select **Add schema and endpoints**. + + + :::note Changes may take a few minutes to process depending on the number of added endpoints. @@ -49,27 +62,55 @@ Changes may take a few minutes to process depending on the number of added endpo ### Add validation by applying a learned schema to a single endpoint - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Select **Security** > **API Shield**. -3. Go to **Schema Validation** and filter by the learned schema available. -4. Select **Apply learned schema**. -5. Choose an action and select **Apply schema**. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Select **Security** > **API Shield**. + 3. Go to **Schema Validation** and filter by the learned schema available. + 4. Select **Apply learned schema**. + 5. Choose an action and select **Apply schema**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Schema Validation**. + 3. Select **Add validation**. + 4. Select **Apply learned schema**. + 5. Choose an action and select **Apply schema**. + + + ### Add validation by applying a learned schema to an entire hostname At this time, learned schemas will not overwrite customer-uploaded schemas. If an endpoint is covered by a customer-uploaded schema and also appears in a learned schema, the **Changes** field is set to `Unaffected`. - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Select **Security** > **API Shield**. -3. Go to **Schema Validation** and select **Add validation**. -4. Select **Apply learned schema**. -5. Choose a hostname and review the endpoints that will be protected by the learned schema. -6. (Optional) Change the action if a request does not match the schema. -7. Select **Apply schema**. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Select **Security** > **API Shield**. + 3. Go to **Schema Validation** and select **Add validation**. + 4. Select **Apply learned schema**. + 5. Choose a hostname and review the endpoints that will be protected by the learned schema. + 6. (Optional) Change the action if a request does not match the schema. + 7. Select **Apply schema**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Schema Validation**. + 3. Select **Add validation**. + 4. Select **Apply learned schema**. + 5. Choose a hostname and review the endpoints that will be protected by the learned schema. + 6. (Optional) Change the action if a request does not match the schema. + 7. Select **Apply schema**. + + + :::note If an endpoint is currently protected by a learned schema, the date of the last applied learned schema will be shown in the current schema field. @@ -83,18 +124,32 @@ By ensuring that all your endpoints in a schema are added to Endpoint Management To set up a fallthrough action: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Go to **Security** > **API Shield**. -3. Under **Settings**, go to **Fallthrough settings**. -4. Select **Use Template**. -5. Choose one or more hostnames from the drop down menu. The fallthrough rule will act on all traffic that does not match an existing endpoint in Endpoint Management to the selected hostnames. -6. Select **Continue to custom rule**. -7. Name your rule and select your action. -8. Select **Save as draft** to deploy later, or **Deploy** to deploy now. - - -Your current fallthrough rules can be viewed in the custom rules list or in API Shield's settings under **Fallthrough settings**. + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Go to **Security** > **API Shield**. + 3. Under **Settings**, go to **Fallthrough settings**. + 4. Select **Use Template**. + 5. Choose one or more hostnames from the drop down menu. The fallthrough rule will act on all traffic that does not match an existing endpoint in Endpoint Management to the selected hostnames. + 6. Select **Continue to custom rule**. + 7. Name your rule and select your action. + 8. Select **Save as draft** to deploy later, or **Deploy** to deploy now. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Settings**. + 3. Under **Custom fallthrough rules**, select **Create custom fallthrough rule** to create a custom fallthrough rule with the template. + 4. Give your rule a descriptive name. + 5. Choose one or more hostnames from the dropdown menu and select your action. + 6. Select **Save as draft** to deploy later, or **Deploy** to deploy now. + + + + +Your current fallthrough rules can be viewed in the custom rules list. :::note You can use the `cf.api_gateway.fallthrough_triggered` syntax in your own custom rule for a more customized logic check. This detection will evaluate as `true` when a request does not match an endpoint in Endpoint Management, so it is important to check against your API's hostname or root path to ensure that you are not blocking any non-API traffic on your zone. @@ -102,16 +157,30 @@ You can use the `cf.api_gateway.fallthrough_triggered` syntax in your own custom ### Change the action of an entire schema - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Select **Security** > **API Shield**. -3. Go to **Schema Validation** and select the schema in the Schema list. -4. Check the multi-select box to select the endpoints shown on the current page. -5. Choose **Select all endpoints**. -6. Select **Change Action**. -7. Choose an action from the dropdown menu. -8. Select **Set action**. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Select **Security** > **API Shield**. + 3. Go to **Schema Validation** and select the schema in the Schema list. + 4. Check the multi-select box to select the endpoints shown on the current page. + 5. Choose **Select all endpoints**. + 6. Select **Change Action**. + 7. Choose an action from the dropdown menu. + 8. Select **Set action**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Schema Validation**. + 3. Check the multi-select box to select all endpoints associated with the schema. + 4. Select **Change Action**. + 5. Choose an action from the dropdown menu. + 6. Select **Set action**. + + + ### Change the global default action of Schema Validation @@ -123,16 +192,31 @@ Schema Validation’s default action is visible on the main Schema Validation pa To change the default action: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Go to **Security** > **API Shield**. -3. Select **Schema Validation**. -4. Under the default `Log` action, select **Change**. -5. Choose a new action from the dropdown menu. -6. Observe the current action and accept the change by selecting **Change default action** in the popup window. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Go to **Security** > **API Shield**. + 3. Select **Schema Validation**. + 4. Under the default `Log` action, select **Change**. + 5. Choose a new action from the dropdown menu. + 6. Observe the current action and accept the change by selecting **Change default action** in the popup window. + + Alternatively, you can modify the global action via **Security** > **API Shield** > **Settings**. + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Schema Validation**. + 3. Select **Schema Validation**. + 4. Under the default `Log` action, select **Change**. + 5. Choose a new action from the dropdown menu. + 6. Observe the current action and accept the change by selecting **Change default action** in the popup window. + + Alternatively, you can modify the global action via **Security** > **Settings** > **Schema Validation**. + + -Alternatively, you can modify the global action via **Security** > **API Shield** > **Settings**. ### Change the action of a single endpoint @@ -142,14 +226,28 @@ This allows you to be stricter on blocking non-compliant requests on certain end To change the action on an individual endpoint: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Go to **Security** > **API Shield**. -3. Select **Schema Validation** and filter the selected endpoint. -4. Select the ellipses on the endpoint's row. -5. Select **Change Action**. -6. Choose a new action from the dropdown menu and select **Set action**. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Go to **Security** > **API Shield**. + 3. Select **Schema Validation** and filter the selected endpoint. + 4. Select the ellipses on the endpoint's row. + 5. Select **Change action**. + 6. Choose a new action from the dropdown menu and select **Set action**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Schema Validation**. + 3. Select **Schema Validation** and filter the selected endpoint. + 4. Select the ellipses on the endpoint's row. + 5. Select **Change action**. + 6. Choose a new action from the dropdown menu and select **Set action**. + + + ### Disable Schema Validation without changing actions @@ -157,24 +255,50 @@ You can disable Schema Validation entirely for temporary troubleshooting. You ca To disable Schema Validation without changing actions: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Select **Security** > **API Shield**. -3. Go to the **Schema Validation** settings. -4. Select **Disable**. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Select **Security** > **API Shield**. + 3. Go to the **Schema Validation** settings. + 4. Select **Disable**. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Schema Validation**. + 3. Select **Schema settings**. + 4. Filter by **API abuse**. + 5. Turn **Schema Validation** off. + + + Your per-endpoint configurations will be saved when modifying the setting, so that you do not lose your configuration. To re-enable your configurations after troubleshooting, navigate back to the settings and select **Enable**. ### View active schemas - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Select **Security** > **API Shield**. -3. Go to your **Schema Validation** settings. -4. View your schemas under **Uploaded Schemas** and **Learned schemas**. -5. Select **Filter** on the endpoints in either schema. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Select **Security** > **API Shield**. + 3. Go to your **Schema Validation** settings. + 4. View your schemas under **Uploaded Schemas** and **Learned schemas**. + 5. Select **Filter** on the endpoints in either schema. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Schema Validation**. + 3. Select **Schema settings**. + 4. Filter by **API abuse**. + 5. View your schemas on **Schema Validation** > **Active schemas**. + + + ### Delete active schemas @@ -182,13 +306,27 @@ Deleting the schema will remove validation from the currently associated endpoin To delete currently uploaded or learned schemas: - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Select **Security** > **API Shield**. -3. Go to your **Schema Validation** settings. -4. View your schemas under **Uploaded Schemas** and **Learned schemas**. -5. Select the ellipses to access the menu and download or delete the listed schema. - + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. + 2. Select **Security** > **API Shield**. + 3. Go to your **Schema Validation** settings. + 4. View your schemas under **Uploaded Schemas** and **Learned schemas**. + 5. Select the ellipses to access the menu and download or delete the listed schema. + + + + + 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. + 2. Go to **Security** > **Web assets** > **Schema Validation**. + 3. Select **Schema settings**. + 4. Filter by **API abuse**. + 5. View your schemas on **Schema Validation** > **Active schemas**. + 6. Select the ellipses to access the menu and download or delete the listed schema. + + + ## Specifications From 6167af9aa75e97daaf39c1f9470b615e396c3479 Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Mon, 7 Jul 2025 10:01:58 -0700 Subject: [PATCH 10/12] schema validation edits --- .../api-shield/security/schema-validation/index.mdx | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/src/content/docs/api-shield/security/schema-validation/index.mdx b/src/content/docs/api-shield/security/schema-validation/index.mdx index 1574ad81757c38b..de211b1fe3d0b06 100644 --- a/src/content/docs/api-shield/security/schema-validation/index.mdx +++ b/src/content/docs/api-shield/security/schema-validation/index.mdx @@ -141,10 +141,11 @@ To set up a fallthrough action: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. 2. Go to **Security** > **Settings**. - 3. Under **Custom fallthrough rules**, select **Create custom fallthrough rule** to create a custom fallthrough rule with the template. - 4. Give your rule a descriptive name. - 5. Choose one or more hostnames from the dropdown menu and select your action. - 6. Select **Save as draft** to deploy later, or **Deploy** to deploy now. + 3. Filter by **API abuse**. + 4. Under **Custom fallthrough rules**, select **Create custom fallthrough rule** to create a custom fallthrough rule with the template. + 5. Give your rule a descriptive name. + 6. Choose one or more hostnames from the dropdown menu and select your action. + 7. Select **Save as draft** to deploy later, or **Deploy** to deploy now. @@ -165,7 +166,7 @@ You can use the `cf.api_gateway.fallthrough_triggered` syntax in your own custom 3. Go to **Schema Validation** and select the schema in the Schema list. 4. Check the multi-select box to select the endpoints shown on the current page. 5. Choose **Select all endpoints**. - 6. Select **Change Action**. + 6. Select **Change action**. 7. Choose an action from the dropdown menu. 8. Select **Set action**. @@ -175,7 +176,7 @@ You can use the `cf.api_gateway.fallthrough_triggered` syntax in your own custom 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. 2. Go to **Security** > **Web assets** > **Schema Validation**. 3. Check the multi-select box to select all endpoints associated with the schema. - 4. Select **Change Action**. + 4. Select **Change action**. 5. Choose an action from the dropdown menu. 6. Select **Set action**. From 4824ee7457c8f2fab645077a920eb1e5d1e8fa2f Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Mon, 7 Jul 2025 10:09:49 -0700 Subject: [PATCH 11/12] volumetric abuse detection --- .../security/volumetric-abuse-detection.mdx | 26 +++++++------------ 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/src/content/docs/api-shield/security/volumetric-abuse-detection.mdx b/src/content/docs/api-shield/security/volumetric-abuse-detection.mdx index 108fe4317873a58..9a94ed7ab713990 100644 --- a/src/content/docs/api-shield/security/volumetric-abuse-detection.mdx +++ b/src/content/docs/api-shield/security/volumetric-abuse-detection.mdx @@ -29,11 +29,17 @@ Volumetric Abuse Detection analyzes your API’s individual session traffic stat Volumetric Abuse Detection currently requires a session identifier, like an authorization token available as a request header or cookie. -After adding a session identifier, allow 24 hours for rate limit recommendations to appear on endpoints in **Security** > **API Shield** > **Endpoint Management** on the Cloudflare dashboard. Recommendations will continue to update if your traffic pattern changes. +After adding a session identifier, allow 24 hours for rate limit recommendations to appear on endpoints in the Cloudflare dashboard. + +Old dashboard: **Security** > **API Shield** > **Endpoint Management** + +New dashboard: **Security** > **Web Assets** > **Endpoints** + +Recommendations will continue to update if your traffic pattern changes. ### Observe rate limits -Once rate limit recommendations appear in **Endpoint Management**, select the endpoint row to view more detail about the recommendation. You will see the overall recommended rate limit value, as well as p99, p90, and p50 rate limit values. +Once rate limit recommendations appear in **Endpoints**, select the endpoint row to view more detail about the recommendation. You will see the overall recommended rate limit value, as well as p99, p90, and p50 rate limit values. Cloudflare recommends choosing the overall rate limit recommendation, as our analysis includes the variance of the request rate distribution across your API sessions. Choosing a single p-value may cause false positives due to a high number of outliers. @@ -42,25 +48,13 @@ Cloudflare recommends choosing the overall rate limit recommendation, as our ana p-values describe what percentile of your traffic fits below the value. For example, if your p90 value is `83`, then 90% of your sessions had maximum request rates less than 83 requests per 10 minutes. ::: -In **Endpoint Management**, you can review our confidence in the recommendation and how many unique sessions we have seen over the last seven (7) days. In general, endpoints with fewer unique sessions and high variability of user behavior will have lower confidence scores. +In **Endpoints**, you can review our confidence in the recommendation and how many unique sessions we have seen over the last seven (7) days. In general, endpoints with fewer unique sessions and high variability of user behavior will have lower confidence scores. Implementing low confidence rate limits can still be helpful to prevent API abuse. If you are hesitant due to the recommendation’s confidence, we suggest starting your rate limit rule in `log` mode and observing violations of the rule for false positives. ### Create rate limits - -1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. -2. Go to **Security** > **API Shield**. -3. In **Endpoint Management**, select an endpoint. -4. Select **Create rule** to be automatically redirected to the Advanced Rate Limiting rules dashboard. - :::note - Your endpoint information, session identifier, and recommended rate limit will be pre-filled into the rule. The pre-filled rule will only be enforced when the session identifiers are present on incoming requests. - - To apply rate limits to all requests, remove the `exists` logic in the rule and refer to the disclaimer in the [WAF documentation](/waf/rate-limiting-rules/parameters/#missing-field-versus-empty-value). - ::: -5. Give your rule a name, action, and duration. -6. Select **Deploy** to activate your rule. - +Refer to the [Rules documentation](https://developers.cloudflare.com/waf/rate-limiting-rules/create-zone-dashboard/) for more information on how to create an Advanced Rate Limiting rule. ## API From 000db9de3bd0b34928d093ac1e48595bda73b48a Mon Sep 17 00:00:00 2001 From: Patricia Loraine Santa Ana Date: Wed, 9 Jul 2025 08:57:02 -0700 Subject: [PATCH 12/12] feedback --- .../management-and-monitoring/developer-portal.mdx | 4 ++-- .../management-and-monitoring/endpoint-labels.mdx | 4 ++-- .../management-and-monitoring/endpoint-management/index.mdx | 2 +- .../docs/api-shield/security/jwt-validation/index.mdx | 6 ++---- 4 files changed, 7 insertions(+), 9 deletions(-) diff --git a/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx b/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx index 9bff4b6de0255b6..a89c72497b64489 100644 --- a/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/developer-portal.mdx @@ -23,7 +23,7 @@ To create a developer portal: :::note If you do not have a schema to upload or to select from a pre-existing schema, export your Endpoint Management schema. For best results, include the learned parameters. - Only API schemas uploaded to Schema validation 2.0 are available when selecting existing schemas + Only API schemas uploaded to Schema validation 2.0 are available when selecting existing schemas. ::: 5. Select **Download project files** to save a local copy of the files that will be uploaded to Cloudflare Pages. Downloading the project files can be helpful if you wish to modify the project in any way and then upload the new version manually to Pages. 6. Select **Create pages project** to begin project creation. A new Pages project will be automatically created and your API schema will be automatically uploaded to the project along with other supporting static content. @@ -40,7 +40,7 @@ To create a developer portal: :::note If you do not have a schema to upload or to select from a pre-existing schema, export your Endpoint Management schema. For best results, include the learned parameters. - Only API schemas uploaded to Schema validation 2.0 are available when selecting existing schemas + Only API schemas uploaded to Schema validation 2.0 are available when selecting existing schemas. ::: 5. Select **Download project files** to save a local copy of the files that will be uploaded to Cloudflare Pages. Downloading the project files can be helpful if you wish to modify the project in any way and then upload the new version manually to Pages. 6. Select **Create pages project** to begin project creation. A new Pages project will be automatically created and your API schema will be automatically uploaded to the project along with other supporting static content. diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx index e715fbae82432ae..cd77b3450c2a345 100644 --- a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx @@ -112,7 +112,7 @@ Cloudflare will only add authentication labels to endpoints with successful resp 4. Under **Endpoint labels**, select **Manage label**. 5. Name the label and add an optional label description. 6. Apply the label to your selected endpoints. - 7. Select Create label. + 7. Select **Create label**. Alternatively, you can create a user-defined label via **Security** > **Web Assets**. @@ -170,7 +170,7 @@ Cloudflare will only add authentication labels to endpoints with successful resp 2. Go to **Security** > **Settings**. 3. Filter by **API abuse**. 4. On **Endpoint labels**, select **Manage labels**. - 5. On the existing label that you want to apply to multiple endpoints, select Bulk apply. + 5. On the existing label that you want to apply to multiple endpoints, select **Bulk apply**. 6. Choose the endpoints that you want to label by selecting its checkbox. 7. Select **Apply label**. diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx index a05a6705d15a264..64e751ffbc9db63 100644 --- a/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx @@ -93,7 +93,7 @@ There are two ways to add API endpoints from Discovery. 1. Add a schema by [configuring Schema validation](/api-shield/security/schema-validation/). 2. On **Review schema endpoints**, save new endpoints to endpoint management by checking the box. - 3. Select **Save as draft** or **Save and Deploy**. Endpoints will be saved regardless of whether the Schema is saved as a draft or published. + 3. Select **Save as draft** or **Save and Deploy**. Endpoints will be saved regardless of whether the schema is saved as a draft or published. diff --git a/src/content/docs/api-shield/security/jwt-validation/index.mdx b/src/content/docs/api-shield/security/jwt-validation/index.mdx index d1aa751773728ba..7c92dda2e7fa3d7 100644 --- a/src/content/docs/api-shield/security/jwt-validation/index.mdx +++ b/src/content/docs/api-shield/security/jwt-validation/index.mdx @@ -56,8 +56,7 @@ To automatically keep your JWKS up to date when your identity provider refreshes 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. 2. Go to **Security** > **API Shield** > **API Rules**. - 3. - Add a name for your rule. + 3. Add a name for your rule. 4. Select a hostname to protect requests with saved endpoints using the rule. 5. Deselect any endpoints that you want JWT validation to ignore (for example, an endpoint used to generate a JWT). 6. Select the token validation configuration that corresponds to the incoming requests. @@ -73,8 +72,7 @@ To automatically keep your JWKS up to date when your identity provider refreshes 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain. 2. Go to **Security** > **Security rules**. 3. On API JWT validation rules, select **Create rule**. - 4. - Add a name for your rule. + 4. Add a name for your rule. 5. Select a hostname to protect requests with saved endpoints using the rule. 6. Deselect any endpoints that you want JWT validation to ignore (for example, an endpoint used to generate a JWT). 7. Select the token validation configuration that corresponds to the incoming requests.