By adding mTLS for the API endpoints and enforcing schema validation in JSON / gRPC payloads in API POST requests
Will it really secure / help secure APIs?
[thread] 1/n
Reading the article, Cloudflare claims to "secure" your APIs with the help of mTLS.
To put it simply, mTLS is when both entities (server and client) validate each other's SSL cert and make sure it's signed by a common trusted Root / Intermediate CA.
2/n
mTLS requires your own PKI, and things get tricky when you want to revoke an issued cert, manage access to the root CA, etc. But in this case Cloudflare manages it for you.
3/n
How can mTLS help?
It can prevent DoS / DDoS to your application to some extent. It can be used to authenticate, but I have not really seen it at scale.
4/n
Cloudflare describes schema validation for JSON (beta) and gRPC (in roadmap).
This delegates the responsibility of checking the schema of the POST body to Cloudflare. Also, Cloudflare with its WAF technology "might" (in my opinion) sanitise / reject known malicious payloads.
5/n
What this feature doesn't do?
- 100% API security
- Logical bugs and misconfigurations
- Other API bugs due to requests with post body in different encoding
6/n
For devs, using this feature adds a layer of dependency to your app (PKI going down/compromised).
The mTLS part restricts folks who blindly DoS/fuzz the API endpoints. But once they get the mTLS cert & private key (using say mobile app reverse engineering), nothing stops them.
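As an added illustration of the schema-validation point in 4/n and the encoding caveat in 5/n (this is example code written for this page, not Cloudflare's implementation): a small gateway-style check that only accepts a UTF-8 `application/json` body, parses it strictly, and validates it against a schema that forbids unexpected properties. The `/api/transfer` schema, the `check_request` helper and the sample requests are all constructed here; a body sent as form-encoded or as UTF-16 JSON is rejected before any schema logic runs, which is the class of "different encoding" request the thread says a JSON-only check can otherwise miss.

```python
"""Added example, not Cloudflare's code: a minimal JSON POST-body schema
check plus the Content-Type / charset gate it must sit behind.
Schema, endpoint name and sample requests are constructed for this example."""
import json
from typing import Any

# Constructed schema for a hypothetical POST /api/transfer endpoint.
TRANSFER_SCHEMA = {
    "type": "object",
    "required": ["account_id", "amount"],
    "additionalProperties": False,          # reject fields the API never defined
    "properties": {
        "account_id": {"type": "string", "maxLength": 32},
        "amount": {"type": "integer", "minimum": 1, "maximum": 1_000_000},
        "memo": {"type": "string", "maxLength": 140},
    },
}

_TYPES = {"object": dict, "string": str, "integer": int, "array": list, "boolean": bool}


def validate(value: Any, schema: dict, path: str = "$") -> list[str]:
    """Return a list of violations (empty list means the value conforms).
    Supports only the JSON Schema keywords used in TRANSFER_SCHEMA."""
    errors: list[str] = []
    expected = _TYPES[schema["type"]]
    # bool is a subclass of int in Python; keep "integer" strict.
    if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
        return [f"{path}: expected {schema['type']}"]
    if expected is dict:
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required")
        props = schema.get("properties", {})
        for key, sub in value.items():
            if key in props:
                errors.extend(validate(sub, props[key], f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{key}: unexpected property")
    elif expected is str:
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']}")
    elif expected is int:
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    return errors


def check_request(content_type: str, body: bytes, schema: dict = TRANSFER_SCHEMA) -> tuple[bool, str]:
    """Gate a POST body the way an API gateway would: accept only a JSON media
    type with a UTF-8 charset, parse it strictly, then validate the schema.
    Returns (accepted, reason)."""
    media, _, params = content_type.partition(";")
    charset = "utf-8"                       # default when no charset parameter is given
    for param in params.split(";"):
        key, _, val = param.strip().partition("=")
        if key.lower() == "charset":
            charset = val.strip().strip('"').lower()
    if media.strip().lower() != "application/json" or charset not in ("utf-8", "utf8"):
        return False, f"unsupported content type {content_type!r}"
    try:
        parsed = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        return False, f"malformed JSON: {exc.__class__.__name__}"
    problems = validate(parsed, schema)
    if problems:
        return False, "; ".join(problems)
    return True, "ok"


# Constructed sample requests: one valid body and four that must be rejected.
SAMPLES = {
    "good": ("application/json", b'{"account_id": "acct-42", "amount": 250}'),
    "extra_field": ("application/json", b'{"account_id": "acct-42", "amount": 250, "is_admin": true}'),
    "wrong_type": ("application/json", b'{"account_id": "acct-42", "amount": "250"}'),
    "form_encoded": ("application/x-www-form-urlencoded", b"account_id=acct-42&amount=250"),
    "utf16": ("application/json; charset=utf-16", '{"account_id": "a", "amount": 1}'.encode("utf-16")),
}

if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        print(f"{name:13s} -> {check_request(ctype, body)}")
```

The content-type gate runs first on purpose: a schema validator that only ever sees parsed JSON has no opinion about a body the upstream parser never understood, so the encoding decision has to be made explicitly, and anything outside the one accepted encoding is refused rather than passed through.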