Cloudflare API Shield Demo — Cheat Sheet

~20–25 min · Real demo API · Live attack & block · Built on Workers

Pre-demo setup checklist

1. Open — Why API Shield (~2 min)

"Every company today is an API company, whether they realize it or not. Mobile apps talk to APIs. SaaS integrations talk to APIs. Microservices talk to APIs. And here's the problem — most security tools were designed for browsers and humans, not machines."

"Traditional WAFs catch SQL injection in a query string. They don't catch a script enumerating /users/1, /users/2, /users/3 a thousand times a second. They don't catch a malformed JSON body that crashes your microservice. They don't know which endpoints you even have."

"API Shield is the layer specifically built for that traffic. Schema validation, rate limiting per endpoint, sequence analytics, automatic discovery, mTLS, JWT validation — all in one product, all at Cloudflare's edge."

"I'm going to show you a real API I built — intentionally vulnerable — and we'll watch Cloudflare catch four different attack patterns in real time."

The OWASP API Top 10 problem

  1. BOLA (Broken Object Level Auth) — enumerate /users/1, /users/2…
  2. Broken Authentication — credential stuffing on /login
  3. Excessive Data Exposure — endpoints returning more than the UI needs
  4. Lack of Rate Limiting — scrape every product, every order
  5. Mass Assignment — extra JSON fields the backend trusts
  6. Improper Inventory — shadow APIs nobody knows exist
API Shield touches all six.

2. API Discovery — "What APIs do we even have?" (~3 min)

▶ Dashboard: Security → API Shield → Discovery

"This is usually where the conversation starts. Most security teams cannot list every API endpoint their company exposes. Developers ship new endpoints weekly. Old ones never get decommissioned. There's no central inventory."

"Cloudflare watches every request flowing through and automatically catalogs your APIs. Method, path, host, request volume, average response size — all discovered from real traffic. No agents, no scanners, no developer involvement."

What to point at:

"This solves a problem that other tools just don't touch: 'You can't protect what you don't know exists.' Step one of API security is always inventory."

3. Schema Validation — Block Malformed Requests (~5 min)

"Now that we know what endpoints exist, let's protect them. The first weapon: schema validation. We tell Cloudflare exactly what shape each request should be. Anything different — blocked before it reaches the app."

SETUP — Upload the OpenAPI schema

▶ Dashboard: Security → API Shield → Schema validation → Add validation

▶ Upload demo-api-openapi.json from this folder

▶ Action: Block (or Log if you want to show analytics first)

"The schema defines: which endpoints exist, what HTTP methods, what request body structure, what query parameters, what data types, what min/max values. Anything that doesn't match — Cloudflare rejects at the edge."

TEST 1 — Valid login request → 200

curl -s -w "\nStatus: %{http_code}\n" \
  -X POST https://api.tarheel.us/login \
  -H "Content-Type: application/json" \
  -d '{"username":"demo","password":"hunter2"}'
"200 OK. Valid JSON, both required fields present, both within length limits. Cloudflare lets it through to the API."

TEST 2 — Missing required field → 403 blocked by schema

curl -s -w "\nStatus: %{http_code}\n" \
  -X POST https://api.tarheel.us/login \
  -H "Content-Type: application/json" \
  -d '{"username":"demo"}'
"Password missing. The Worker would have returned 400 — but it never even saw the request. Cloudflare returned 403 at the edge. The malformed request never reached your backend. That's CPU you didn't burn, that's a log line you didn't have to write, that's an exception you didn't have to handle."

TEST 3 — Extra field (mass assignment attempt) → 403

curl -s -w "\nStatus: %{http_code}\n" \
  -X POST https://api.tarheel.us/login \
  -H "Content-Type: application/json" \
  -d '{"username":"demo","password":"hunter2","role":"admin"}'
"Classic mass-assignment attack. Attacker hopes the backend will trust the extra role field. Cloudflare's schema says additionalProperties: false — no extras allowed. Blocked before it reaches the app."

"This is huge. Mass assignment is OWASP API #6, and most teams find out about it only after a breach. With API Shield it's prevented by a schema rule."

TEST 4 — Wrong data type → 403

curl -s -w "\nStatus: %{http_code}\n" \
  -X POST https://api.tarheel.us/orders \
  -H "Content-Type: application/json" \
  -d '{"product_id":"DROP TABLE products;--","quantity":1}'
"product_id is supposed to be an integer. The attacker sent a SQL injection string. Schema validation rejects it at the edge — the SQLi payload never reaches the application, much less the database."

4. Per-Endpoint Rate Limiting (~4 min)

▶ Dashboard: Security → API Shield → Rate Limiting

"Now the second weapon: rate limiting. Not the dumb 'one limit fits all' kind — different limits per endpoint based on what that endpoint actually does."

Recommended demo rules:

"The /login limit is the killer one. Five attempts per minute per IP. Credential stuffing dies."

TEST 5 — Credential stuffing attack → 429 after 5 tries

for i in {1..10}; do
  echo -n "Attempt $i: "
  curl -s -o /dev/null -w "%{http_code}\n" \
    -X POST https://api.tarheel.us/login \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"victim\",\"password\":\"guess$i\"}"
done
"First five attempts → 401 (wrong password). Sixth onward → 429 Too Many Requests. Cloudflare stopped the brute force at the edge."

"Compare that to without rate limiting — every one of those attempts hits your auth service, every one consumes CPU, every one shows up in your logs, and the attacker can run thousands per second."

TEST 6 — BOLA enumeration → 429 after 20 tries

for i in {1..30}; do
  echo -n "User $i: "
  curl -s -o /dev/null -w "%{http_code}\n" \
    https://api.tarheel.us/users/$i
done
"Twenty requests get through, then 429. Attacker can't enumerate every user ID. BOLA — OWASP API #1 — mitigated."

5. Sequence Analytics — Behavioral Patterns (~3 min)

▶ Dashboard: Security → API Shield → Sequence Analytics

"Sometimes attacks aren't about one bad request — they're about an unusual sequence. Legitimate users follow patterns: log in, browse, add to cart, checkout. Attackers follow different patterns: scrape products in random order, hit checkout 100 times in 30 seconds, request the same user ID from 50 different sessions."

"Cloudflare learns the normal sequence patterns for your API automatically. When something deviates, you see it here — even if no single request looks bad in isolation."

What to point at:

"This is the part that's hard to do anywhere else. Most API security tools look at requests in isolation. Cloudflare looks at the flow. That's a different category of detection."

6. Auth Enforcement — mTLS & JWT Validation (~3 min)

▶ Dashboard: Security → API Shield → mTLS · JWT validation

"Two more weapons in API Shield, even if we don't demo them live:"

mTLS — Mutual TLS

"For B2B APIs, partner integrations, IoT devices — anywhere you can issue certificates instead of bearer tokens. Cloudflare runs a managed CA, issues certs to your clients, and rejects any request that doesn't present a valid one. This is the gold standard for API auth — bearer tokens can be stolen, certificates can't be replayed."

JWT Validation

"For consumer APIs, Cloudflare can validate the JWT at the edge — signature, expiry, issuer, audience, custom claims. Invalid token? Rejected at the edge, never reaches the app."

"What this means: your application code doesn't need to validate tokens anymore. Cloudflare guarantees every request that reaches you has already been authenticated. One less thing your app has to get right."

7. The Dashboard Story — Everything In One View (~2 min)

▶ Dashboard: Security → API Shield → Overview

"Pull up the Overview page. Everything we just demoed shows up here aggregated."

What to point at:

"For an executive audience, this is the slide. One number: how many API attacks were blocked at the edge this week. One number: how many endpoints exist that we didn't know about. One number: how many requests bypassed schema validation. That's the story."
THE ARCHITECTURAL POINT

Discovery — you can't protect what you don't know exists
Schema validation — malformed requests die at the edge
Per-endpoint rate limiting — credential stuffing & BOLA mitigated
Sequence analytics — behavioral patterns no single-request tool catches
mTLS + JWT validation — auth enforced before your app sees the request

"All of this runs at the same edge as your WAF, your DDoS protection, your bot management. One platform. One policy language. One place to look when something goes wrong."

Demo API Reference

Worker source: ./worker/src/index.js · Deployed at https://demo-api.dustinburke23nc.workers.dev

MethodPathPurpose
POST/loginCredential stuffing target
GET/users/:idBOLA enumeration target
GET/productsScraping target
POST/ordersSchema validation target
GET/admin/all-usersAuth-required (Bearer token)
GET/healthPublic healthcheck

Q&A — back-pocket answers

Do I need an OpenAPI spec to use this?

Helps for schema validation, but no — API Discovery can build the inventory from observed traffic. You can demo rate limiting, sequence analytics, mTLS, and JWT validation without ever uploading a schema.

How is this different from a WAF?

WAFs catch payload-level attacks (SQLi, XSS) inside HTTP requests. API Shield protects the shape and behavior of API traffic — schema, sequence, rate, auth. Both run in the same Cloudflare engine; they complement each other.

GraphQL support?

Yes — schema validation, query depth limits, rate limiting per operation. Configure via the same Schema validation flow but upload a GraphQL schema instead of OpenAPI.

gRPC?

Supported. Cloudflare can proxy and protect gRPC services with the same controls (rate limiting, mTLS, etc.).

mTLS at scale — how does it work?

Cloudflare runs a managed CA. You issue certificates to clients (mobile devices, partners, IoT) via API. Cloudflare validates the cert on every request. No cert? Rejected at the edge.

What about API keys / bearer tokens that aren't JWTs?

Use WAF Custom Rules to check for the presence and format of the token header, plus rate limiting per token value as the rate-limit key. For real JWT validation, use the JWT Validation feature.

How does this interact with our existing API gateway (Kong, Apigee, etc.)?

Cloudflare sits in front of your API gateway as the first line of defense — DDoS, bot, schema, rate limit, JWT. The gateway handles business logic: routing, transformation, developer portal. Many customers run both.

Sequence Analytics — how does it learn what's normal?

Cloudflare observes real traffic over time and builds a model of common sequences. The longer it runs, the better the model. Anomalies surface in the dashboard with a confidence score; you decide whether to alert or block.

Pricing?

API Shield is an Enterprise add-on, priced by API request volume. Some features (basic rate limiting, basic WAF for APIs) are available on lower plans. Get specifics from your account team.

How quickly can we deploy?

If your API is already behind Cloudflare — minutes. Discovery starts immediately. Schema validation and rate limiting are dashboard-only configurations. mTLS deployment depends on your client distribution model, usually days to weeks.

What if Cloudflare blocks a legitimate request?

Schema validation can be set to Log mode first — observe what would be blocked without actually blocking. Same with rate limiting. Tune in log mode, then flip to block.

Why Cloudflare over Salt / Noname / 42Crunch / Traceable?
  1. Same edge as everything else — no separate inline component, no traffic mirroring
  2. Network advantage — Cloudflare sees ~20% of internet traffic, including API patterns no point-product can
  3. One policy language — combine API rules with WAF, bot score, identity, rate limit
  4. No agents, no SDKs, no traffic re-routing — if you're on Cloudflare, you have it
  5. Built-in mTLS managed CA — most competitors require external PKI