Merged
Changes from 1 commit
Expand Up @@ -3,8 +3,6 @@ pcx_content_type: concept

title: Broken Object Level Authorization vulnerability detection
sidebar:
badge:
text: Beta
order: 10
label: BOLA vulnerability detection
---
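Review bot: dropping the `badge:` / `text: Beta` lines from the `sidebar:` block only makes sense together with the Availability rewrite at the end of this diff; if that last hunk lands separately, the sidebar would show no beta marker while the body still describes a closed beta. Confirm the site's frontmatter schema accepts a `sidebar:` block containing only `order` and `label`.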
Expand Down Expand Up @@ -63,7 +61,7 @@ API Shield searches for and highlights BOLA attacks on your APIs. Cloudflare lea

If you see one of these labels on your API endpoints, check its authorization policy with your developer team to find any authorization bugs. Additionally, you can reach out to Cloudflare for a customized report about the behavior, including attacker identifiers that you can use to confirm attack reach and impact.

BOLA attack information can be found in your [Security Overview](#security-overview) and [Endpoint details](#endpoint-details). Closed beta customers can find BOLA attack information in [Security Analytics](#security-analytics) as well.
BOLA attack information can be found in your [Security Overview](#security-overview), [Security Analytics](#security-analytics), and [Endpoint details](#endpoint-details).

### Security Overview

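Review bot: the rewritten sentence now lists Security Analytics alongside Security Overview and Endpoint details with no beta qualifier, so the `#security-analytics` anchor must resolve for every reader. Since the hunk below removes the `:::note[Availability]` block from that section, double-check the `### Security Analytics` heading itself is unchanged and still matches the anchor.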
Expand Down Expand Up @@ -98,10 +96,6 @@ Review the top statistics and details of managed API endpoints, paths and values

Cloudflare recommends that you observe your traffic profile for any anomalies in its normal behavior.

:::note[Availability]
BOLA attacks in Security Analytics is currently available in closed beta.
:::

### Endpoint details

You can expand the endpoint details in Web Assets to access information on suspicious sessions' activity on the endpoint, including both enumeration attack and parameter pollution attack details.
Expand All @@ -120,7 +114,7 @@ The details specify the parameter that was affected, the number of sessions invo

If unauthorized access to the parameter was obtained, consider the potential impact to your application, users, and data. As a best practice, consult with your application and API developers to confirm unauthorized access by reviewing your API origin logs for the IP address and JA4 fingerprint of the abusive sessions.

Closed beta customers can view attack data in [Security Analytics](#security-analytics).
You can view attack data in [Security Analytics](#security-analytics).

<DashButton url="/?to=/:account/:zone/security/analytics" />

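Review bot: "You can view attack data in [Security Analytics](#security-analytics)." restates what the earlier hunk already says in the intro paragraph, so the sentence adds little before the DashButton. Consider saying what the analytics view gives the reader at this step, for example that it is where the IP address and JA4 fingerprint mentioned in the preceding sentence can be filtered, or fold the link into that preceding sentence.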
Expand All @@ -130,4 +124,4 @@ The managed endpoint will be automatically filtered in the request activity from

## Availability

Details of BOLA attacks visible in Security Analytics are only available for customers in the closed beta.
Broken Object Level Authorization vulnerability detection is only available for Enterprise customers. If you are an Enterprise customer and interested in this product, contact your account team.
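Review bot: this rewrite widens the scope of the restriction. The removed line limited the closed-beta gate to "Details of BOLA attacks visible in Security Analytics"; the new line gates the entire Broken Object Level Authorization vulnerability detection feature to Enterprise customers. Confirm that is the intended statement (rather than "Security Analytics details are available to Enterprise customers"), and that "contact your account team" is consistent with the earlier unchanged text, which tells readers to "reach out to Cloudflare for a customized report".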