Video: Cloudflare API Security Demo | Duration: 1744s | Summary: Cloudflare API Security Demo | Chapters: Introducing API Security (17.30s), API Security Features (281.32s), Cloudflare Dashboard Overview (430.98s), API Discovery Process (514.75s), Rate Limiting Rules (639.54s), Schema Validation Setup (868.25s), Testing API Schema (1090.12s), Analytics and Visibility (1262.26s), API Security Conclusion (1380.15s)
Transcript for "Cloudflare API Security Demo": Cloudflare's connectivity cloud puts you back in control, making your world infinitely more productive and secure. Hello, everyone. Thank you so much for being here today for this session. My name is Afonso, and I work as a virtual solution engineer at Cloudflare. Today, this session will be about Cloudflare and our API security capabilities. So today we'll talk about how Cloudflare can be your best ally in discovering, managing, and protecting all your API endpoints. And the most important part of it all is that this is a practice-centred session, meaning we will go through the dashboard and show all the major API security features live, which will be amazing. So today we're talking about APIs and why they're exploding in growth. First of all, an API is a way for different apps to talk to each other and share data. They have been around for years, but recently they've skyrocketed in use. And why? Because APIs let companies build applications faster by integrating with already existing services and databases, and therefore not needing to do everything on their own. According to Postman's 2024 State of the API report, the top 10 countries by requests created generated approximately 1,100,000,000 requests last year, a 38% increase over the previous year. This is mainly thanks to areas such as cloud computing, mobile applications, and the rise of microservices, all of which thrive on APIs. Additionally, they're not just tech tools anymore. APIs are driving businesses by allowing quick and flexible integrations, and as the demand for automation, data sharing, and third-party connections keeps growing, so will APIs. However, the fast pace of API growth also comes with some challenges, and one of them is shadow APIs. These are APIs that exist but aren't officially tracked or monitored by an organization. They can pose serious security risks because no one's keeping an eye on them.
Next, we also have malicious use of APIs. With so many APIs out there, attackers are targeting them more than ever by exploiting vulnerabilities, abusing rate limits, and even scraping sensitive data. And finally, lack of consolidated management, as companies are deploying tons of APIs, but there's no single unified way to monitor and manage them. This leads to blind spots, security gaps, and missed opportunities to optimize performance. All of these points lead us to the conclusion that unmanaged APIs leave organizations exposed. According to the 2024 State of Application Security report made by Cloudflare, 58% of Cloudflare HTTP traffic is API related, 33% of API endpoints are unknown to security teams, and the top API threats mitigated by Cloudflare are HTTP anomalies, injection attacks, file inclusion, and software-specific attacks. In short, more APIs mean more challenges, and also mean that we need to find solutions that will keep your API endpoints safe and attackers at bay. And it is precisely in the middle of this challenging and complex ecosystem that Cloudflare jumps in to help. Cloudflare is a global network spanning 335 cities in more than 125 countries and directly connected to more than 13,000 networks. We are very, very close to our users, reaching 95% of the world's Internet population in less than fifty milliseconds. To date, we protect millions of websites, mobile applications, remote teams, APIs, et cetera. One of the most amazing facts about our architecture is that when protecting your API endpoints with Cloudflare, you are using our entire, unparalleled-in-scale edge network, making Cloudflare the go-to choice for protecting against global, coordinated, and distributed attacks against your API endpoints, like DDoS, for example. This is due to the fact that our API gateway service runs inside every server of every data center all over the world.
So by using Cloudflare, you are stopping threats as close as possible to their source. Now, going back to our main topic for today, which is API security: as you can see on this slide, we offer a broad range of features, starting on the API call from the client to the origin server, where we perform our discovery, management, and endpoint protection capabilities, and ending on the API response, where we leverage machine learning to look for potential sensitive data signatures and stop personal data theft and leaks. We will now take a look at how we can configure and leverage some of these features to protect our APIs. To better understand our API security capabilities, let's take a look at a possibly real use case, which is Frame Memory Studio, our demo environment for today. Frame Memory Studio is a global online photography agency that delivers images to millions of users spread around the world. Let's also assume that Frame Memory Studio has recently been facing three main challenges with their websites: endpoint discovery, endpoint management, and visibility on their API request statistics and analytics. So we will now, from an admin's perspective, dive into our API Shield product features. With this scenario in mind, let's see how Cloudflare can come into place and help protect this site's APIs. I will now share my screen so we can switch to our live demo on the dashboard. So please allow me a moment, and you should be able to see my screen shortly. Here we are at the Frame Memory Studio main website. As you can see, it's a normal website. We can browse and see images and blog posts, learn more about the company here on the about page, or even contact the team. And if we go to our API subdomain, which is apis.framememories.net, we have access to basic API methods such as GET, POST, and so on, on multiple endpoints.
Let's look, for example, at our Frame Memories posts by adding /posts here, where we can see all the posts that have been made on our website. Now, to benefit from our API Shield product, the only requirement is to have your API domain or subdomain onboarded to Cloudflare. With this being said, let's go straight to the dashboard and see how everything is working behind the scenes. So this is the Cloudflare dashboard, and it is here where all the magic happens. To access the dashboard, we need to go to dash.cloudflare.com. If you still don't have an account, you will be asked to create one. After the account is created, our first step in the dashboard is to onboard our domain to Cloudflare. For that, we click here on add a domain. We write our domain in the text box here and then hit continue. Then, by following the instructions provided in the dashboard, we will be onboarded in less than five minutes. In our case, we're not going to complete the onboarding since we already have our zone configured here. So, getting back from the onboarding page, here we are. After our page is onboarded, we'll see that the domain name appears in the website section, as we can see here in this case with the framememories.net domain right here. To access our API gateway services, we need to be inside our domain zone. So first we need to come here, then we need to go to security, and then after this pops up, we need to come to web assets. Here is where everything happens regarding our Frame Memory Studio API endpoint management. I'll start the journey by heading into the discovery tab. As you may recall from the previous slides, one of the biggest challenges APIs bring is lack of visibility on the total exposed endpoints, especially if you need to manage and integrate thousands or more endpoints in your application. So this challenge is the first one where Cloudflare can help us, since we make API discovery really easy for IT teams.
By proxying all our HTTP traffic and leveraging machine learning models to detect whether a specific request is an API call or not, Cloudflare API Shield allows us to come here to the discovery tab and quickly have comprehensive visibility on all the discovered endpoints that are exposed on our Frame Memory domain. In order to give Cloudflare an even clearer view of our API traffic, we can configure a session identifier, which can be a header, a cookie, or a combination of both. This can be accomplished by going into settings here inside the security tab. Then we need to switch here to all settings, and we should have the session identifiers here. We can click on Go to Session Identifiers. As you can see, we have a session ID configured using a header called my API traffic. After setting this ID, I only need to ensure my API calls for Frame Memories contain this header, and from that moment on, Cloudflare will see all requests with this header as API traffic. Now, going back to the discovery view, once the endpoints appear on the discovery tab, we choose whether to save, as you can see here, or ignore the endpoint. When we choose to save, our endpoint migrates to the endpoints tab, which is the first one we land on when we click on web assets. We're going to move to that tab in a second as well. But just to wrap up this part, the discovery tab ensures for IT and API teams that no endpoints are left unattended due to lack of visibility. So now, as promised, moving to the endpoints tab. As I was saying before, this is where we'll see all our saved endpoints. By clicking on show filters right here, we can see that we can filter our endpoints by method, hostname, or label. Additionally, for each endpoint, we can click on it to expand it; let's click on this GET products one, and we get access to very comprehensive analytics on the endpoint requests, the error rate, and the authentication.
So, if it's leveraging a session ID, this is the my API traffic header that we configured previously, as you have seen. We also see the latency and the average response size. If there is a significant increase in the error rate or average latency, there will also be an alert mentioning it. Now, let's assume Frame Memory Studio has been struggling with some API abuse from users getting their publicly available images through the API. With Cloudflare, this can be easily solved by defining a rate limiting rule. A rate limiting rule allows us to define a certain threshold for incoming requests during a specific period of time and to apply a specific action to the requests that exceed this threshold, like logging them, blocking them, or sending a challenge to the request. Now, rate limiting all exposed endpoints can become a seriously complex challenge for organizations that have hundreds, thousands, or more endpoints, and this is where Cloudflare can also help. Going back to the endpoints tab, here we are. Once our endpoints have been in this tab for approximately twenty-four hours, Cloudflare machine learning models will identify request patterns and suggest a rate limiting rule for each managed endpoint, as we can see here. And better than that, each suggestion can automatically turn into a rate limiting rule if we want, by clicking on create rule. So let's see, for the same endpoint that you have seen previously, the GET products one. Let's click here. We can see that we have a recommended rate limit per ten minutes, and it's set to 868. Let's then click on the create rule option, and we'll be redirected to our security rules tab, as you can see here on the left portion of the screen, where we have the rules engine to define the criteria for our rate limiting rule. This security rules tab is also where we come, on the dashboard, to deploy web application firewall rules.
As we can see, we get access to a completely configured rule, except for its name, which is blank here, to rate limit the selected endpoint with the suggested values. By scrolling down, we can see the parameters already configured that will match the request to the selected endpoint. So here we can see that the request method needs to be equal to GET, the hostname needs to be apis.framememory.net, and the URI path needs to be /products in order to properly match the endpoint. And because we also have a session identifier configured, it also adds that the header needs to be my API traffic. So we need to have this session ID that we have configured in order to apply the rate limiting rule. By scrolling even further, we can find the suggested threshold for requests for a ten-minute period, which we can edit to fit our specific requirements right here, as well as every field that we have been seeing on this preconfigured rate limiting rule. I'd like you to pay particular attention to this detail: while Cloudflare leverages machine learning to suggest specific rules and configurations, making our lives easier, it still gives us full control over the configuration by letting us edit every field on the rule. Let's now suppose Frame Memories makes their images available for sale via API, for example, where a buyer will need to have an account and log in before being able to buy the pictures. With this user journey in mind, it would not be desirable for our website to allow a customer to download an image without first authenticating or paying for the image, for example. With Cloudflare, we can enforce specific sequences of API calls with a feature called, guess what, sequences. To check the sequences tab, we'll need to get back to our web assets view, where we have the third tab here called sequences.
And as I was saying, the good news is that with Cloudflare we can enforce these API call sequences by defining a fixed sequence of API calls, or a more flexible sequence by enforcing only the first and last API calls as mandatory, depending on each customer's specific use case. This works by leveraging our machine learning capabilities to detect patterns in the API call sequences across the endpoints that were added to our endpoints panel. After Cloudflare collects sufficient data from our endpoints, we can see our most common sequences, as we can see right here, as well as the correlation score. For example, if we open one, we get access to the correlation score of that specific sequence and some additional analytics regarding the length, the endpoint number, and when the sequence was last served. So, moving forward to our next available tab, which is schema validation. As the name implies, it is here where we can define a schema for our endpoints and choose an action on what to do with incoming requests that do not comply with that specific schema. If we look at the dashboard, we have an active schema for the first endpoint, the POST user one that you can see here for this collection, and we can see the name of the file we uploaded. We can also see that there are no more schemas uploaded for any of the other managed endpoints. We can also see the activity of non-compliant requests in the last twenty-four hours, and also the action set for these non-compliant requests. And this brings us to a magnificent question, which is how to set this up. Alright, so let's see where to upload schemas to validate our API requests. If we go again to the settings tab inside the security section, we go again into all settings, and then we need to go to uploaded schemas. We can just type it here and it will appear here, and we can see on the right an option to go to uploaded schemas.
So we click here, and we can see our already deployed schema for the users collection right here. Whenever we want to upload additional schemas for other endpoints, we can click on upload schema, and we'll be asked to upload a file, which can be a schema exported from OpenAPI or your customized API schema. Now, there's no better way to validate that this schema validation is actually happening than doing a live test. But before we test it, let's take a look at the schema that is deployed for this POST user endpoint. As we can see, this is the schema file that I pre-downloaded so we can take a look at it before our test begins. We can see here that for posting a user we have some fields such as name, age, email, and password, for creating and posting my own user. I'm saying my own user because, spoiler alert, the test we're going to do with Postman will be with my own, setting myself up as a user on our website. We also see that we have different data types defined for each field, such as integer for the age or string for the name, the email, and the password. And we also set that it is mandatory, or required in this case, to have an email and password for user creation. So now that we know a little bit better what kind of schema this endpoint is expecting, let's first try a compliant request. I have this request here ready, with Afonso, my name, my age, my Cloudflare email, and, sorry to disappoint you, a fake password. And let's try. So, from what we can see here, this looks like a legitimate request compared to our schema. We have a name, which is a string. We have an age, which is an integer. We have the two mandatory fields, which are email, also a string, and password, also a string. So let's now click on send, and we can see that our status was success.
But now if I change some of these fields, for example, let's try to create the same request, but now my age will be a string instead of an integer. Now we click on send, and we can see that we have access denied. Okay? So, as we can see now, we are blocked from trying this POST operation, as our request has a field with a different data type than the one defined in our schema. I'd like you to remember that this is a great way of stopping illegitimate API requests as close as possible to their source, thanks to Cloudflare's global anycast network, which will process the request in the closest available point of presence to the user. In this case, it should be Lisbon, as I am based in Lisbon, Portugal. And since our selected action is block, this request attempt was blocked before even leaving the country. Now you may be wondering, how do I get visibility on this kind of event? Well, first of all, what an excellent concern, as having a centralized and comprehensive visualization of our API and overall traffic is as critical as protecting it. To show where to get visibility, we will now navigate to the analytics tab. So give me a moment to go back to our security section. As I was saying, we have an analytics tab right here, and after this pops up, we should go to the advanced tab, okay, still inside the security section. It is inside this tab where we will be able to see all the events detected and flagged by Cloudflare. And we have a lot of filtering options to be able to find the events we want to analyze. For example, let's assume it's in our interest to take a better look at the events that are blocking non-compliant requests against my schema. We can scroll down a bit until the events by service, which is right here, where we can see the main event types for our website. And as you may notice, one of them is API Shield schema validation.
I can now filter for this type of event only by clicking here on filter, and see a lot of information here at the bottom specific to the schema validation events, like the source IP addresses, main user agents, paths targeted, top countries, and much more information that will, at the end of the day, provide us the right tools to make the right decisions for protecting our businesses. Now, looking back on this session, we have already looked at how we discover endpoints, how we manage them, and how we protect them from rate-limit abuse and lack of schema compliance. So now we can cover how we can protect our endpoints with JWT authentication tokens. To check this feature, we'll need to move back to our security rules panel, where we have everything regarding, as the name implies, security rules, and check the API JWT validation rules section that is right here, as you can see: API JWT validation rules. We can see we already have a JWT rule configured, for time management purposes. But if you wanted to create one from scratch, you could click on create a rule right here and then select API JWT validation rules. If we open this rule that is already configured, we can see it covers one endpoint, the only one selected here on the users collection, which is the GET users endpoint. And we are going to test this token validation live. First, let's dive back into Postman, and we'll try to make the request to get all the users without presenting a valid JWT token, as we have it here. Okay? And if we click on send, basically, without having the JWT token, we get an access denied. Okay? However, if we now include the JWT token that is preconfigured on the Cloudflare dashboard and send again, now we have the status success response. So, wow, let's take some time to digest all of this. We have seen so far several ways Cloudflare offers to discover, manage, and protect our API endpoints.
And we realize that all of them are very easy to set up and enable, without the need to change or install any kind of software or dependencies on your origin servers. In terms of usage and feature access, it is possible to use all these features through our dashboard or programmatically through Terraform, our API, or our SDK. On top of this, our API security capabilities integrate seamlessly with the rest of our application security and application performance portfolio, giving you the opportunity to have everything you need to boost and protect your digital assets centralized in one single, easy-to-use platform that is always evolving to best meet your needs. So give me one second so we can get back to the slides. And here we are. While the slide pops up, I would like to mention that choosing Cloudflare to protect your business is making the same choice that several of the biggest companies in the world have already made. On this slide, we mention some success stories from customers after they started using our more general application security portfolio, which includes the API security features we have seen during this session. So, for example, we can see here that Upwork was able to rate limit 1,000,000 requests a day, challenged or blocked, to prevent malicious traffic. LendingTree saw a 70% reduction in attacks against API endpoints. Q2 had 4,000,000,000 banking logins protected in 2021 over a secure network built for scale, and Boohoo Group PLC had a 90% reduction in bot attacks on mobile and web APIs by leveraging Cloudflare API Gateway, specifically integrated with other Cloudflare security services. And we can see how the most common challenges when managing APIs are covered by our API gateway services, to make a little recap of what we have been talking about during the session. So our API discovery capabilities ensure no endpoints are left unattended, helping to fight shadow APIs and all the vulnerabilities that come with them.
Our rate limiting rules allow us to prevent API abuse through a fully configurable rules engine, and by showing rate limiting recommendations for managed endpoints. Schema enforcement helps to prevent misuse of APIs by taking action on non-compliant requests. Additionally, comprehensive analytics help to gain visibility on API-related events for a faster response time when needed. And finally, access from non-authenticated users, which we can prevent through token validation, as we have seen with the JWT test just a moment ago. So my next recommendation, if you found this session somewhat interesting and think any of our products could help improve the security of your business, would be to test our platform for yourself by creating your own account on Cloudflare, if you don't have one yet, of course, onboard a domain, and explore all these amazing features in person. And then, in case you have any specific use case you are not sure how to address, you can get in contact with a technology expert from Cloudflare who can help you tailor a specific solution for your requirements. Alright, we have come to the end of this demo session. I would like to thank you so much for watching until the end, and let's keep working together to build a better Internet. Bye bye.
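The schema validation test in the demo (a compliant POST /users body succeeds, the same body with age sent as a string is denied) can be reproduced offline with a small validator. The following is an added example, not Cloudflare's code or the demo's uploaded schema file: the schema fragment, the field names and types (name, age, email, password; integer age; email and password required), the sample bodies and the "block" versus "log" actions are constructed to mirror what the transcript describes.

```python
"""Minimal request-body schema check modelled on the demo's POST /users test.
Added example, not Cloudflare's code; the schema and bodies are constructed."""
import json

# Constructed JSON-Schema-style fragment in the shape the transcript describes
# (assumption: the real upload is an OpenAPI file; this is a simplified stand-in).
USERS_POST_SCHEMA = {
    "type": "object",
    "required": ["email", "password"],
    "properties": {
        "name": {"type": "string"},
        "age": {"type": "integer"},
        "email": {"type": "string"},
        "password": {"type": "string"},
    },
    "additionalProperties": False,
}


def _matches_type(value, expected):
    """JSON-type check; 'integer' excludes booleans (Python's bool is an int)."""
    if expected == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if expected == "number":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if expected == "string":
        return isinstance(value, str)
    if expected == "boolean":
        return isinstance(value, bool)
    if expected == "object":
        return isinstance(value, dict)
    if expected == "array":
        return isinstance(value, list)
    raise ValueError(f"unsupported schema type {expected!r}")


def validate_body(schema, body):
    """Return a list of violations; an empty list means the body is compliant."""
    if not isinstance(body, dict):
        return ["body is not a JSON object"]
    problems = []
    for field in schema.get("required", []):
        if field not in body:
            problems.append(f"missing required field '{field}'")
    props = schema.get("properties", {})
    for field, value in body.items():
        if field not in props:
            if not schema.get("additionalProperties", True):
                problems.append(f"unexpected field '{field}'")
            continue
        if not _matches_type(value, props[field]["type"]):
            problems.append(f"field '{field}' must be {props[field]['type']}")
    return problems


def handle_request(raw_body, action="block"):
    """Edge decision for POST /users: ('success', []) when compliant, otherwise
    the configured action ('block' rejects, 'log' forwards but records) plus the
    list of violations that would appear in the analytics event."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        problems = [f"body is not valid JSON: {exc.msg}"]
    else:
        problems = validate_body(USERS_POST_SCHEMA, body)
    if not problems:
        return "success", []
    return ("access denied" if action == "block" else "forwarded, logged"), problems


# Constructed sample bodies mirroring the two Postman requests in the demo.
COMPLIANT_REQUEST = json.dumps(
    {"name": "Afonso", "age": 30, "email": "afonso@example.com", "password": "not-a-real-password"}
)
AGE_AS_STRING_REQUEST = json.dumps(
    {"name": "Afonso", "age": "30", "email": "afonso@example.com", "password": "not-a-real-password"}
)

if __name__ == "__main__":
    for label, body in [("compliant", COMPLIANT_REQUEST), ("age as string", AGE_AS_STRING_REQUEST)]:
        decision, problems = handle_request(body)
        print(f"{label:14s} -> {decision} {problems}")
```

The validator reports every violation rather than stopping at the first, which is what you want feeding an analytics view: the event should tell you whether a client sent one wrong type or is probing with a completely different shape.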
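The JWT test at the end of the demo (GET /users is denied without a token and succeeds with the preconfigured one) comes down to the edge verifying the token before the request reaches the origin. The following is an added example, not Cloudflare's JWT validation implementation: it verifies an HS256 token with only the standard library, and the signing secret, claims and tokens are constructed. The `issue_jwt` helper stands in for the identity provider that would normally mint the token.

```python
"""Verify an HS256 JWT on a GET /users request, in the spirit of the demo's
API JWT validation rule. Added example; secret, claims and tokens are constructed."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWTs strip '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token (constructed stand-in for the identity provider)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(segments)
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes, now=None):
    """Return (True, claims) or (False, reason). Checks structure, the algorithm
    against an allow-list, the signature, and the exp claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return False, "undecodable token"
    # Never let the token choose its own algorithm: only HS256 is accepted here
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    if not isinstance(claims, dict) or "exp" not in claims:
        return False, "missing exp"
    if now >= int(claims["exp"]):
        return False, "expired"
    return True, claims


def handle_get_users(headers: dict, secret: bytes, now=None) -> str:
    """Edge decision for GET /users: 'success' only with a valid bearer token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "access denied"
    ok, _ = verify_jwt(auth[len("Bearer "):], secret, now)
    return "success" if ok else "access denied"


# Constructed secret and claims for the demonstration
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
DEMO_NOW = 1_700_000_000
DEMO_TOKEN = issue_jwt({"sub": "afonso", "exp": DEMO_NOW + 3600}, DEMO_SECRET)

if __name__ == "__main__":
    print("no token   ->", handle_get_users({}, DEMO_SECRET, DEMO_NOW))
    print("valid token->", handle_get_users({"Authorization": f"Bearer {DEMO_TOKEN}"}, DEMO_SECRET, DEMO_NOW))
```

Two details carry most of the security value: `hmac.compare_digest` keeps the signature comparison constant-time, and the algorithm allow-list means a token claiming `"alg": "none"` is rejected before its signature is even looked at.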