After attacks against API servers have constantly risen over the past few years, Cloudflare has launched today a new security tool to secure these systems against automated exploitation attempts.
Named the Cloudflare API Shield, this new service will be available for free for all Cloudflare account holders, regardless of pricing plan.
APIs, or Application Programming Interfaces, are exactly what their name says they are — interfaces between different applications. The work by receiving instructions or queries from a "client" and performing a pre-defined action.
APIs are used in a wide variety of ways. They can be embedded inside self-standing apps and allow components to talk to each other, or they can be web-based systems that allow remote "clients" (apps, devices, servers, users) to connect to the API server and relay queries or commands and receive data.
These web-based systems are particularly exposed to attacks, as they always sit online, open to queries from anyone.
According to industry reports, attacks on web-based API endpoints have grown in number and volume in recent years, and are expected to rise as more companies move to the cloud, where APIs are the glue that holds most companies' infrastructure together.
The Cloudflare API Shield was built for these systems —the web-based APIs— that are exposed online all the time and susceptible to attacks such as automated login attempts, command injections, user data enumeration, and more.
Cloudflare's new API Shield works by using a "deny-all" security policy, which the company calls "positive security."
Once configured for an API server, the API Shield will deny all incoming connections if they don't provide a cryptographic certificate and key that the API owner has generated in the API Shield dashboard and installed on all approved client devices, may them be mobile apps, IoT devices, web servers, or others.
Working with encryption and certificates sounds complicated, but Cloudflare says this is why it created API Shield in the first place, as a place to automate all these operations as part of a web dashboard.
"We'll initially support [API] JSON traffic and, based on customer feedback, we will consider extending schema protection to binary protocols, such as gRPC," Cloudflare said in a press release today.
"Once we are sure that requests reaching customer's origin comply with the designed schema, we will start including additional security functionalities."
Planned features include rate limiting, DDoS protection, web application rules specifically designed for APIs, and API analytics.