Cloudflare has announced the release of Cloudflare API Shield. This new product, which is free to all account holders regardless of their pricing plan, is intended to simplify API security via mutual TLS authentication, API schema validation, and a positive security model.
Cloudflare cited Gartner research projecting that by 2022 API abuses will become the most frequent attack vector leading to enterprise web application breaches. In light of this, the company has released Cloudflare API Shield, a new API security product built around a positive security model, which Cloudflare hopes will reduce API vulnerabilities.
This security model begins with a block-everything mindset and then builds outward, allowing known behaviors and identities while rejecting everything else. The company believes that this strategy, in contrast with a negative model that by default allows everything except known problematic requests, is especially powerful for APIs given the myriad ways in which they can be attacked.
At launch, Cloudflare is highlighting two major features crucial to implementing this security model. The first is strong authentication via mutual TLS, which is intended to remove the possibility of password sharing and reuse. Beyond this, API Shield relies on API schema validation to establish the known behaviors that positive security depends on: requests are checked against a strict API schema to ensure they conform to very specific standards. This validation is in beta for JSON right now, with Cloudflare promising gRPC support in the near future.
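As an added illustration of the positive-security approach described above (example code, not Cloudflare's own), the validator below accepts only endpoints in an allowlist and only the fields each endpoint's schema names, rejecting everything else; the paths, field names and types are constructed assumptions.

```python
import json

# Constructed, hypothetical API schema: (method, path) -> allowed body fields
# and their required JSON types. Anything not listed here is rejected.
ALLOWED_ENDPOINTS = {
    ("POST", "/v1/transfer"): {
        "required": {"account_id": str, "amount": int},
        "optional": {"memo": str},
    },
    ("GET", "/v1/balance"): {"required": {}, "optional": {}},
}


def validate_request(method, path, body):
    """Return (accepted, reason). Only explicitly allowed requests pass."""
    schema = ALLOWED_ENDPOINTS.get((method.upper(), path))
    if schema is None:
        return False, "endpoint not in allowlist"
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return False, "body is not valid JSON"
    if not isinstance(data, dict):
        return False, "body must be a JSON object"
    allowed = {**schema["required"], **schema["optional"]}
    for name in schema["required"]:
        if name not in data:
            return False, f"missing required field {name!r}"
    for name, value in data.items():
        if name not in allowed:
            # Unknown fields are rejected rather than ignored (positive model).
            return False, f"unknown field {name!r}"
        expected = allowed[name]
        # bool is a subclass of int in Python; do not let true/false pass as int.
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            return False, f"field {name!r} has wrong type"
    return True, "ok"


if __name__ == "__main__":
    print(validate_request("POST", "/v1/transfer", '{"account_id": "a1", "amount": 50}'))
    print(validate_request("POST", "/v1/transfer", '{"account_id": "a1", "amount": 50, "debug": true}'))
    print(validate_request("DELETE", "/v1/transfer", ""))
```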
The product roadmap goes beyond gRPC support with Cloudflare working toward a web application firewall, rate limiting, and DDoS protection specifically designed for non-HTML traffic.