API servers have experienced constant attacks over the last few years. Seeing which Cloudflare has launched a new security tool to safeguard and secure these systems against automated exploitation attempts.
The official name of the tool is Cloudflare API Shield. It will be free for all the Cloudflare account holders, whereas new members will have to take the pricing plan. API are interfaces between different applications. The action is performed once they receive instructions from the client and if there is a pre-defined action set in the line.
These APIs can be used in a variety of ways. They can be embedded inside the apps while allowing the components to talk to each other. They can also act as web-based systems allowing remote “clients” (apps, devices, servers, users) to connect to API servers and receive data as well. These web-based systems especially are exposed to attacks because they stay online to handle the online queries coming to them.
“API Schema validation works by matching the contents of API requests—the query parameters that come after the URL and contents of the POST body—against a contract or “schema” that contains the rules for what is expected. If validation fails, the API call is blocked protecting the origin from an invalid request or a malicious payload,” mentioned in the Cloudflare blog.
Since attacks have grown and are also expected to rise, the API works to handle the discrepancies. It is the glue that holds most companies’ infrastructure. Cloudflare API Shield was built for these systems – the web-based APIs – as they are exposed online and prone to attacks such as automated login attempts, user data enumeration, and more.
Working of Cloudflare API Shield
It works on the concept of “deny-all” wherein it will deny all the incoming connections if they do not receive a cryptographic certificate and key generated by the API owner. This key is visible on API shield dashboards, installed on approved client devices such as mobile apps, web servers, and others.
“We’ll initially support [API] JSON traffic and, based on customer feedback, we will consider extending schema protection to binary protocols, such as gRPC,” said Cloudflare.
“Once we are sure that requests reaching customer’s origin comply with the designed schema, we will start including additional security functionalities.”
In the future, Cloudflare pledges to consider users’ feedback on schema validation. It is currently in the beta version, but it will consider the suggestions and then roll out to all users in the future.