Cloudflare seeks to secure API endpoints that are vulnerable to security breaches with its new API Shield feature. Cloudflare developed the tool in response to two trends: the explosion of API calls from mobile apps and the proliferation of internet of things (IoT) devices. API Shield will drop uncertified or unexpected API requests in an attempt to protect these devices from criminals who may use them to steal data or infiltrate systems.
By checking requests for credentials and matching requests to a pre-set schema of expected behaviors, API Shield moves endpoint protection from a negative security model to a positive one. Instead of only blocking requests from problematic IP addresses, for example, the tool only allows valid requests from known and certified entities.
"Implementing a positive security model for APIs is the most direct way to eliminate the noise of credential stuffing attacks and other automated scanning tools."
Patrick R. Donahue and Daniele Molteni, Introducing API Shield
How API Shield works
API Shield will use a double layer of protection to keep API endpoints safe. It will first require a security certificate from the requester, and then it will check that the request matches the expected actions for the endpoint.
Owners with access to the closed beta can set up their schema of expected JSON actions for each endpoint within the API Shield tool.
API Shield does require some coding investment to set up: developers will need to set up the rule in Cloudflare and embed the certificate on the device or mobile app. Cloudflare provided a full demonstration with sample code in their announcement.
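To make the two-layer positive model concrete, here is an added illustration (not Cloudflare's code, and not the sample from its announcement) of how an edge can enforce it: a request is accepted only if it presents a client certificate the edge already trusts, and only if its method, path and JSON body match a schema declared up front. The trust store, the endpoints, the field names and the `shield` function are all constructed for this example; a real deployment would validate a certificate chain rather than a fingerprint set.

```python
"""Positive security model for an API edge, as an illustration.

Layer 1: the requester must present a known client certificate.
Layer 2: method, path and JSON body must match a pre-declared schema.
Everything not explicitly allowed is rejected.
"""
import hashlib
import json

# Constructed trust store: SHA-256 fingerprints of client certificates the
# edge accepts. The byte string stands in for a real DER-encoded certificate.
TRUSTED_CERT_FINGERPRINTS = {
    hashlib.sha256(b"constructed-device-cert-001").hexdigest(),
}

# Constructed positive schema: every allowed (method, path) pair with the JSON
# fields it accepts and their types. Anything not listed here is dropped.
SCHEMA = {
    ("POST", "/v1/readings"): {
        "required": {"device_id": str, "celsius": (int, float)},
        "optional": {"battery_pct": int},
    },
    ("GET", "/v1/status"): {"required": {}, "optional": {}},
}


def cert_is_trusted(cert_der):
    """Layer 1: reject requests with no certificate or an unknown one."""
    if not cert_der:
        return False
    return hashlib.sha256(cert_der).hexdigest() in TRUSTED_CERT_FINGERPRINTS


def _type_ok(value, expected):
    # bool is a subclass of int in Python; do not let true/false pass as a number.
    if isinstance(value, bool) and expected is not bool:
        return False
    return isinstance(value, expected)


def body_matches_schema(spec, body):
    """Layer 2: the body must hold only declared fields, each of the declared type."""
    if not isinstance(body, dict):
        return False, "body is not a JSON object"
    allowed = {**spec["required"], **spec["optional"]}
    for name in spec["required"]:
        if name not in body:
            return False, f"missing required field {name}"
    for name, value in body.items():
        if name not in allowed:
            return False, f"unexpected field {name}"
        if not _type_ok(value, allowed[name]):
            return False, f"field {name} has wrong type"
    return True, "ok"


def shield(method, path, cert_der, raw_body):
    """Apply both layers in order and return (allowed, reason) for one request."""
    if not cert_is_trusted(cert_der):
        return False, "no trusted client certificate"
    spec = SCHEMA.get((method, path))
    if spec is None:
        return False, "endpoint not in schema"
    if raw_body in (None, b""):
        body = {}
    else:
        try:
            body = json.loads(raw_body)
        except ValueError:
            return False, "body is not valid JSON"
    return body_matches_schema(spec, body)


if __name__ == "__main__":
    good_cert = b"constructed-device-cert-001"
    # A well-formed reading from a known device passes both layers.
    print(shield("POST", "/v1/readings", good_cert, b'{"device_id": "d1", "celsius": 21.5}'))
    # Same body, no certificate: dropped at layer 1.
    print(shield("POST", "/v1/readings", None, b'{"device_id": "d1", "celsius": 21.5}'))
    # Known device, wrong field type: dropped at layer 2.
    print(shield("POST", "/v1/readings", good_cert, b'{"device_id": "d1", "celsius": "hot"}'))
    # Known device, method the schema never declared: dropped at layer 2.
    print(shield("DELETE", "/v1/readings", good_cert, b""))
```

The ordering matters for noise reduction: the certificate check runs first, so unauthenticated scanners and credential-stuffing traffic never reach the schema logic, and the schema check then rejects unexpected fields and types from clients that are otherwise trusted.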
Blocking crimes of opportunity
Criminals who have the time and motivation can exploit endpoints that are left open. These crimes often happen to small and medium-sized businesses that may believe that their data is too small or insignificant to steal. By offering a free tool for security, Cloudflare is boosting the overall security of the internet and connected devices.