5.7 KiB
5.7 KiB
Patterns & Use Cases
Protect API with Schema + JWT
# 1. Upload OpenAPI schema
POST /zones/{zone_id}/api_gateway/user_schemas
# 2. Configure JWT validation
POST /zones/{zone_id}/api_gateway/token_validation
{
"name": "Auth0",
"location": {"header": "Authorization"},
"jwks": "{...}"
}
# 3. Create JWT rule
POST /zones/{zone_id}/api_gateway/jwt_validation_rules
# 4. Set schema validation action
PUT /zones/{zone_id}/api_gateway/settings/schema_validation
{"validation_default_mitigation_action": "block"}
Progressive Rollout
1. Log mode: Observe false positives
- Schema: Action = Log
- JWT: Action = Log
2. Block subset: Protect critical endpoints
- Change specific endpoint actions to Block
- Monitor firewall events
3. Full enforcement: Block all violations
- Change default action to Block
- Handle fallthrough with custom rule
BOLA Detection
Enumeration Detection
Detects sequential resource access (e.g., /users/1, /users/2, /users/3).
// Block BOLA enumeration attempts
(cf.api_gateway.cf-risk-bola-enumeration and http.host eq "api.example.com")
// Action: Block or Challenge
Parameter Pollution
Detects duplicate/excessive parameters in requests.
// Block parameter pollution
(cf.api_gateway.cf-risk-bola-pollution and http.host eq "api.example.com")
// Action: Block
Combined BOLA Protection
// Comprehensive BOLA rule
(cf.api_gateway.cf-risk-bola-enumeration or cf.api_gateway.cf-risk-bola-pollution)
and http.host eq "api.example.com"
// Action: Block
Authentication Posture
Detect Missing Auth
// Log endpoints lacking authentication
(cf.api_gateway.cf-risk-missing-auth and http.host eq "api.example.com")
// Action: Log (for audit)
Detect Mixed Auth
// Alert on inconsistent auth patterns
(cf.api_gateway.cf-risk-mixed-auth and http.host eq "api.example.com")
// Action: Log (review required)
Fallthrough Detection (Shadow APIs)
// WAF Custom Rule
(cf.api_gateway.fallthrough_triggered and http.host eq "api.example.com")
// Action: Log (discover unknown) or Block (strict)
Rate Limiting by User
// Rate Limiting Rule (modern syntax)
(http.host eq "api.example.com" and
is_jwt_valid(http.request.jwt.payload["{config_id}"][0]))
// Rate: 100 req/60s
// Counting expression: lookup_json_string(http.request.jwt.payload["{config_id}"][0], "sub")
Volumetric Abuse Response
// Detect abnormal traffic spikes
(cf.api_gateway.volumetric_abuse_detected and http.host eq "api.example.com")
// Action: Challenge or Rate Limit
// Combined with rate limiting
(cf.api_gateway.volumetric_abuse_detected or
cf.threat_score gt 50) and http.host eq "api.example.com"
// Action: JS Challenge
GraphQL Protection
// Block oversized queries
(http.request.uri.path eq "/graphql" and
cf.api_gateway.graphql_query_size gt 100000)
// Action: Block
// Block deep nested queries
(http.request.uri.path eq "/graphql" and
cf.api_gateway.graphql_query_depth gt 10)
// Action: Block
Architecture Patterns
Public API: Discovery + Schema Validation 2.0 + JWT + Rate Limiting + Bot Management
Partner API: mTLS + Schema Validation + Sequence Mitigation
Internal API: Discovery + Schema Learning + Auth Posture
OWASP API Security Top 10 Mapping (2026)
| OWASP Issue | API Shield Solutions |
|---|---|
| API1:2023 Broken Object Level Authorization | BOLA Detection (enumeration + pollution), Sequence mitigation, Schema, JWT, Rate Limiting |
| API2:2023 Broken Authentication | Auth Posture, mTLS, JWT validation, Bot Management |
| API3:2023 Broken Object Property Auth | Schema validation, JWT validation |
| API4:2023 Unrestricted Resource Access | Rate Limiting, Volumetric Abuse Detection, GraphQL Protection, Bot Management |
| API5:2023 Broken Function Level Auth | Schema validation, JWT validation, Auth Posture |
| API6:2023 Unrestricted Business Flows | Sequence mitigation, Bot Management |
| API7:2023 SSRF | Schema validation, WAF managed rules |
| API8:2023 Security Misconfiguration | Schema Validation 2.0, Auth Posture, WAF rules |
| API9:2023 Improper Inventory Management | API Discovery, Schema learning, Auth Posture |
| API10:2023 Unsafe API Consumption | JWT validation, Schema validation, WAF managed |
Monitoring
Security Events: Security > Events → Filter: Action = block, Service = API Shield
Firewall Analytics: Analytics > Security → Filter by cf.api_gateway.* fields
Logpush fields: APIGatewayAuthIDPresent, APIGatewayRequestViolatesSchema, APIGatewayFallthroughDetected, JWTValidationResult
Availability (2026)
| Feature | Availability | Notes |
|---|---|---|
| mTLS (CF-managed CA) | All plans | Self-service |
| Endpoint Management | All plans | Limited operations |
| Schema Validation 2.0 | All plans | Limited operations |
| API Discovery | Enterprise | 10K+ ops |
| JWT Validation | Enterprise add-on | Full validation |
| BOLA Detection | Enterprise add-on | Requires session IDs |
| Auth Posture | Enterprise add-on | Security audit |
| Volumetric Abuse Detection | Enterprise add-on | Traffic analysis |
| GraphQL Protection | Enterprise add-on | Query limits |
| Sequence Mitigation | Enterprise (beta) | Contact team |
| Full Suite | Enterprise add-on | All features |
Enterprise limits: 10K operations (contact for higher). Preview access available for non-contract evaluation.
See Also
- configuration.md - Setup all features before creating rules
- api.md - Firewall field reference and API endpoints
- gotchas.md - Common issues and limits