Cloudflare Introduces API Shield

Cloudflare has recently introduced API Shield, a free security tool that protects API traffic against attacks designed to perform unauthorized actions or exfiltrate data. Strong client certificate-based identity is already generally available, while schema validation is currently in closed beta.

With the deployment and enforcement of mTLS authentication, Cloudflare API Shield secures APIs using client-certificate-based encryption. The provider of Content Distribution Network (CDN) and DDoS mitigation services claims that 50% of the 18 million requests per second that traverse its network are directed towards APIs, with the majority blocked as malicious. The new service allows requests from known and certified entities instead of only blocking those from specific IPs or countries, or requests with problematic signatures. Discussing the benefits of positive security models, Patrick Donahue, director of product management at Cloudflare, and Daniele Molteni, product manager at Cloudflare, explain:

Implementing a positive security model for APIs is the most direct way to eliminate the noise of credential stuffing attacks and other automated scanning tools. And the first step towards a positive model is deploying strong authentication such as mutual TLS authentication, which is not vulnerable to the reuse or sharing of passwords.

To protect an application with API Shield, a developer has to enable mTLS for the hosts to be protected, create a client certificate in the Cloudflare dashboard using Cloudflare’s public key infrastructure, configure the client to use the new certificate and create Cloudflare firewall rules that require API requests to present a valid client certificate.

source: https://blog.cloudflare.com/introducing-api-shield

On top of allowing only legitimate clients, API Shield can verify if the API is being called as intended using API Schema validation, a service that matches the query parameters and the POST body against a schema with the expected rules. Schema validation is available in closed beta for JSON payloads only.
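The positive model behind schema validation, sketched as an added example (not Cloudflare's code or schema format): every query parameter and JSON body field must be declared in the schema and satisfy its rule, and anything else is rejected. The endpoint, field names and rule format are assumptions made for illustration, as is the choice to reject non-JSON bodies outright.

```python
import json

# Constructed schema for a hypothetical POST /transfer endpoint. The rule format
# is an assumption made for this example, not Cloudflare's schema format.
SCHEMA = {
    "query": {"dry_run": {"type": str, "enum": {"true", "false"}}},
    "body": {
        "account_id": {"type": str, "required": True, "max_len": 36},
        "amount": {"type": int, "required": True, "min": 1, "max": 10_000},
    },
}

def check_fields(values, rules, where):
    """Positive model: every field must be declared and satisfy its rule."""
    errors = [f"{where}: unexpected field {n!r}"
              for n in sorted(values.keys() - rules.keys())]
    for name, rule in rules.items():
        if name not in values:
            if rule.get("required"):
                errors.append(f"{where}: missing field {name!r}")
            continue
        value = values[name]
        # Exact type match, so JSON true/false is not accepted as an integer.
        if type(value) is not rule["type"]:
            errors.append(f"{where}: {name!r} has wrong type")
        elif "enum" in rule and value not in rule["enum"]:
            errors.append(f"{where}: {name!r} is not an allowed value")
        elif "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{where}: {name!r} is too long")
        elif not rule.get("min", value) <= value <= rule.get("max", value):
            errors.append(f"{where}: {name!r} is out of range")
    return errors

def validate_request(content_type, query, raw_body, schema=SCHEMA):
    """Return a list of violations; an empty list means the request matches."""
    # The schema only describes JSON bodies, so any other encoding is rejected
    # here instead of being passed through unvalidated.
    if content_type.split(";")[0].strip().lower() != "application/json":
        return ["body: content type is not application/json"]
    try:
        body = json.loads(raw_body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return ["body: not valid JSON"]
    if not isinstance(body, dict):
        return ["body: top-level value must be an object"]
    return (check_fields(query, schema["query"], "query")
            + check_fields(body, schema["body"], "body"))
```
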

Chandrapal Badshah, security researcher and founder of Hack with Github, highlights the benefits as well as some of the limitations of using a shield to protect an API endpoint:

How can mTLS help? It can prevent DoS / DDoS to your application to some extent (…) What this feature doesn’t do? 100% API security, logical bugs and misconfigurations and other API bugs due to requests with post body in different encoding. For developers, using this feature adds a layer of dependency to your app (PKI going down/compromised).

API Shield currently requires Cloudflare-issued certificates; it is free and available to all account holders. Cloudflare plans to allow customers to use their own PKI and import their own CAs in the future, but there is no firm date yet.