Security: API Shield, WAF & Bot Protection
Cloudflare enforces these protections at its edge — automatic DDoS mitigation, WAF rules, and rate limiting — so they only cover traffic that actually passes through Cloudflare. Lock the origin down to Cloudflare's IP ranges, Authenticated Origin Pulls, or a Cloudflare Tunnel; otherwise anyone who learns the origin address bypasses everything configured below. Use the Python SDK to manage this security posture programmatically, authenticating with an API token scoped to the zone and permissions it needs rather than the Global API Key.
API Shield: Protect Your APIs
API Shield's schema validation checks incoming requests against your OpenAPI schema so that malformed or unexpected requests can be rejected before they reach your code. Uploading a schema on its own only makes validation possible: confirm that validation is enabled for the uploaded schema and that the zone's mitigation action is set to block (the default action may be log-only) before relying on it.
from cloudflare import Cloudflare
from typing import Dict, List
import yaml
# NOTE(review): no credentials are passed here; the SDK presumably resolves them
# from its environment/config. Supply a least-privilege API token (zone-scoped,
# only the permissions these calls need), never the Global API Key.
client = Cloudflare()
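class APIProtection:
    """Per-zone wrapper around the Cloudflare SDK for API Shield, rate-limit,
    bot and WAF configuration.

    Everything configured through this class is enforced at Cloudflare's edge
    and therefore only covers traffic proxied through Cloudflare; the origin
    must separately refuse direct connections (Cloudflare IP allow-list,
    Authenticated Origin Pulls or a Tunnel).
    """

    def __init__(self, client: Cloudflare, zone_id: str):
        # The client carries the credentials; scope its API token to this zone.
        self.client = client
        self.zone_id = zone_id

    def upload_openapi_schema(self, schema_path: str) -> str:
        """Upload an OpenAPI v3 schema to API Shield and return its schema ID.

        Args:
            schema_path: Path to the OpenAPI document (YAML, or JSON — JSON is
                valid YAML).

        Returns:
            The ``schema_id`` reported by the API.

        Raises:
            OSError: if the file cannot be read.
            yaml.YAMLError: if the document is not well-formed.

        NOTE(review): uploading a schema does not by itself block anything.
        This method only passes zone_id, the file and its kind; enabling
        validation for the schema and setting the zone's mitigation action to
        block (it may default to log-only) must be done separately — confirm in
        the API Shield settings.
        """
        with open(schema_path, "rb") as f:
            # Fail fast on a malformed document before the upload round-trip.
            # safe_load, never yaml.load: the document is untrusted input.
            yaml.safe_load(f)
            f.seek(0)
            # The SDK's ``file`` parameter takes file content (an open binary
            # handle or bytes); pass the handle rather than the path string.
            result = self.client.api_gateway.schemas.create(
                zone_id=self.zone_id,
                file=f,
                kind="openapi_v3",
            )
        return result.schema_id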
Rate Limiting
Set up rate-limiting rules to protect endpoints from abuse. Use far lower thresholds on authentication endpoints than on ordinary read endpoints, as the example below does:
def create_rate_limit(self, endpoint: str, requests_per_minute: int):
    """Create a per-minute rate-limiting rule for *endpoint* and return its ID.

    The rule matches any URL containing ``endpoint`` (it is wrapped in
    wildcards on both sides, so ``/api/v1/users`` also covers
    ``/api/v1/users/42`` on any host) for GET, POST, PUT and DELETE, and blocks
    once ``requests_per_minute`` requests are seen within a 60-second period.

    NOTE(review): this uses the SDK's ``rate_limits`` resource, i.e. the older
    rate-limiting API. Such limits are presumably counted per client IP, so a
    low limit on a login endpoint throttles users behind a shared NAT while a
    credential-stuffing attacker spread across many IPs stays under it — pair
    it with bot management and MFA rather than relying on it alone, and confirm
    the counting key against the current API documentation.
    """
    match_spec = {
        "request": {
            "url_pattern": f"*{endpoint}*",
            "methods": ["GET", "POST", "PUT", "DELETE"],
        }
    }
    created = self.client.rate_limits.create(
        zone_id=self.zone_id,
        action="block",
        match=match_spec,
        threshold=requests_per_minute,
        period=60,  # seconds; the threshold is per minute by construction
        description=f"Rate limit for {endpoint}",
    )
    return created.id
# Usage
# Replace "your-zone-id" with the zone's ID; use a least-privilege API token on `client`.
api_shield = APIProtection(client, "your-zone-id")
# Set up rate limiting per endpoint. The rule wraps the endpoint in wildcards,
# so "/api/v1/users" also matches sub-paths such as /api/v1/users/42.
api_shield.create_rate_limit("/api/v1/users", requests_per_minute=100)
api_shield.create_rate_limit("/api/v1/auth/login", requests_per_minute=10)
Bot Protection
def enable_bot_protection(self, sensitivity: str = "high") -> None:
    """Turn on Cloudflare bot management for the zone.

    Enables JavaScript detection and fight mode and sets the detection
    sensitivity; ``sensitivity`` is passed through to the API unchanged
    (``"high"`` by default). Returns nothing.

    NOTE(review): expect a higher sensitivity to challenge more legitimate
    automation (monitoring probes, partner integrations); allow-list those
    clients or lower the sensitivity if they start failing.
    """
    bot_settings = {
        "enable_js_detection": True,
        "fight_mode": True,
        "sensitivity": sensitivity,
    }
    self.client.bot_management.update(zone_id=self.zone_id, **bot_settings)
# Enable bot protection
api_shield.enable_bot_protection(sensitivity="high")
WAF Rules
Create custom WAF rules to block common attack patterns:
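def create_waf_rules(self, rules: List[Dict]) -> list:
    """Create one firewall rule per entry of *rules* and return the API responses.

    Each entry is a dict with an ``"expression"`` (a rules-language filter),
    an optional ``"action"`` (default ``"block"``) and an optional
    ``"description"`` (default ``""``). Rules are created one API call at a
    time, in input order; a failure part-way through leaves the earlier rules
    in place, so callers needing all-or-nothing behaviour must clean up on
    exception.

    Returns:
        The list of SDK responses, one per rule, in input order.

    Raises:
        KeyError: if an entry lacks ``"expression"`` — raised before any API
            call is made, so a malformed batch does not create a partial set.

    NOTE(review): ``client.firewall.rules`` is the older Firewall Rules API;
    Cloudflare has been migrating zones to WAF custom rules (rulesets), so
    confirm the zone still accepts this endpoint. Hand-written ``contains``
    signatures are easy to bypass — use the managed WAF rulesets for
    attack-pattern coverage and keep custom rules for app-specific policy.
    """
    # Validate the whole batch up front so a bad entry cannot leave a partial set.
    expressions = [rule["expression"] for rule in rules]
    created = []
    for rule, expression in zip(rules, expressions):
        created.append(
            self.client.firewall.rules.create(
                zone_id=self.zone_id,
                filter={"expression": expression},
                action=rule.get("action", "block"),
                description=rule.get("description", ""),
            )
        )
    return created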
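# Define WAF rules
#
# These are deliberately simple signature rules and are NOT a substitute for
# Cloudflare's managed WAF rulesets: a plain ``contains`` check sees only the
# literal bytes, so percent-encoded (``%2e%2e/``) or otherwise obfuscated
# payloads slip past unless the zone normalises URLs before matching.
waf_rules = [
    {
        # Rules-language string literals use backslash escapes (``\"`` and
        # ``\\``), so a literal backslash must reach Cloudflare as ``\\``,
        # which in Python source is ``\\\\``. A single Python ``\\`` would send
        # ``"..\"`` — an escaped quote followed by an unterminated string.
        "expression": '(http.request.uri.path contains "../") or (http.request.uri.path contains "..\\\\")',
        "action": "block",
        "description": "Block path traversal attempts",
    },
    {
        # ``contains`` is case-sensitive; lower() the field so ``<SCRIPT`` or
        # ``<ScRiPt`` do not trivially bypass it. Still only a coarse hint,
        # hence challenge rather than block.
        "expression": '(lower(http.request.uri.query) contains "<script") or (lower(http.request.body.raw) contains "<script")',
        "action": "challenge",
        "description": "Challenge potential XSS",
    },
]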
api_shield.create_waf_rules(waf_rules)
Security Analytics
def get_security_analytics(self, start_time: str, end_time: str):
    """Summarise zone traffic between two timestamps.

    Args:
        start_time: Passed through unchanged as the API's ``since`` bound.
        end_time: Passed through unchanged as the API's ``until`` bound.

    Returns:
        dict with ``total_requests``, ``threats_blocked``, ``bot_requests``
        and ``human_requests``, read from the response's ``totals``.

    NOTE(review): this reads the zone "colos" analytics endpoint, which belongs
    to the older Zone Analytics API; the GraphQL Analytics API is Cloudflare's
    current source for this data. Confirm the endpoint still returns these
    fields for the zone before alerting on them.
    """
    report = self.client.zones.analytics.colos.get(
        zone_id=self.zone_id,
        since=start_time,
        until=end_time,
    )
    totals = report.totals
    summary = {
        "total_requests": totals.requests,
        "threats_blocked": totals.threats,
        "bot_requests": totals.pageviews.bot,
        "human_requests": totals.pageviews.human,
    }
    return summary
# Monitor security
# Timestamps are ISO-8601 UTC and are passed straight through as since/until.
# NOTE(review): the analytics endpoint may cap how far back it reports — confirm
# a one-month window is within its retention before scheduling this.
stats = api_shield.get_security_analytics(
    "2024-01-01T00:00:00Z",
    "2024-01-31T23:59:59Z"
)
print(f"Threats blocked this month: {stats['threats_blocked']}")
Complete Example
Here's a full security setup combining all the pieces:
from cloudflare import Cloudflare
# NOTE(review): this example is not self-contained — APIProtection and waf_rules
# are the definitions from the sections above and must already be in scope.
client = Cloudflare()
api_shield = APIProtection(client, "your-zone-id")
# 1. Upload your API schema for automatic validation
#    NOTE(review): this only uploads; upload_openapi_schema passes just the zone,
#    file and kind, so confirm validation is enabled for the schema and the
#    mitigation action is set to block before relying on it.
schema_id = api_shield.upload_openapi_schema("openapi.yaml")
# 2. Set up rate limiting (login gets a much lower threshold than a read endpoint)
api_shield.create_rate_limit("/api/v1/users", requests_per_minute=100)
api_shield.create_rate_limit("/api/v1/auth/login", requests_per_minute=10)
# 3. Enable bot protection
api_shield.enable_bot_protection(sensitivity="high")
# 4. Create WAF rules (waf_rules is the list defined in the WAF Rules section)
api_shield.create_waf_rules(waf_rules)
# 5. Monitor
stats = api_shield.get_security_analytics(
    "2024-01-01T00:00:00Z",
    "2024-01-31T23:59:59Z"
)
print(f"Threats blocked: {stats['threats_blocked']}")
Migration Reference
| You're Using | Replace With | Why Switch |
|---|---|---|
| Kong / Traefik | API Shield | Edge-side schema validation and rate limiting in front of your API; it does not replace a gateway's routing, plugin or transformation features, so keep those where you still need them |
| OAuth2 / JWT libraries | Zero Trust (Cloudflare Access) | Authentication is enforced at the edge, but your origin must still validate the Access JWT that Cloudflare attaches to each request and reject traffic that did not come through Cloudflare — otherwise connecting to the origin directly bypasses the login entirely |
| Flask-Limiter | Rate Limiting | Edge-based, DDoS protection included |