Require a valid client certificate
Use Cloudflare API Shield™ to protect your API or web application with client-certificate-based encryption.
Before you can use API Shield to protect your API or web application, you must do the following:
- Enable mutual Transport Layer Security (mTLS) for a host in your zone.
- Create a client certificate.
- Configure your mobile app or Internet-of-things device to use the client certificate.
This example creates a firewall rule that requires API calls to present a valid client certificate. When the client certificate cannot be verified, the rule triggers the Block action.
The rule includes a compound expression that comprises two simple expressions joined by the `and` operator.
The first expression uses the `http.host` field and the `in` operator to capture the hosts that should be protected (`orangeclouded.com` and `api.orangeclouded.com` in this example).
The second expression, `not cf.tls_client_auth.cert_verified`, returns `true` when a request to access the API or web application does not present a valid client certificate.
Because the action is Block, only requests that present a valid client certificate can access the specified hosts:
| Expression | Action |
|---|---|
| `(http.host in {"orangeclouded.com" "api.orangeclouded.com"} and not cf.tls_client_auth.cert_verified)` | Block |
To create an API Shield rule that requires a valid client certificate in the Cloudflare dashboard, use the API Shield Rule interface in the Firewall app.
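The following Python snippet is an added illustration, not code from the Cloudflare documentation: it models how the rule's compound expression is evaluated over constructed sample requests, including the caveat that a host outside the `in` set is not covered by this rule at all. The `Request` class, `PROTECTED_HOSTS` and the sample traffic are assumptions made for the example.

```python
# Added example (not Cloudflare's code): a minimal model of the rule
#   (http.host in {"orangeclouded.com" "api.orangeclouded.com"}
#    and not cf.tls_client_auth.cert_verified)  ->  Block
from dataclasses import dataclass

# Hosts the rule protects, mirroring the set literal in the expression (assumed for this example).
PROTECTED_HOSTS = {"orangeclouded.com", "api.orangeclouded.com"}


@dataclass(frozen=True)
class Request:
    host: str            # value of the http.host field
    cert_verified: bool  # value of cf.tls_client_auth.cert_verified


def rule_matches(req: Request) -> bool:
    """Evaluate the compound expression.

    `not` binds tighter than `and`, so only the certificate check is negated:
    the rule matches when the host is protected AND the client cert was not verified.
    """
    return req.host in PROTECTED_HOSTS and not req.cert_verified


def decide(req: Request) -> str:
    """Action the rule produces: 'Block' on a match, otherwise the request passes
    this rule untouched (no other rules are modelled here)."""
    return "Block" if rule_matches(req) else "Allow"


def decisions(requests):
    """Apply the rule to a list of requests and return (host, cert_verified, action) tuples."""
    return [(r.host, r.cert_verified, decide(r)) for r in requests]


# Constructed sample traffic for the demonstration.
SAMPLE = [
    Request("api.orangeclouded.com", True),        # valid client cert: allowed
    Request("api.orangeclouded.com", False),       # no/invalid cert on protected host: blocked
    Request("orangeclouded.com", False),           # same for the apex host: blocked
    Request("static.orangeclouded.com", False),    # not in the set: this rule does not apply
]

if __name__ == "__main__":
    for host, verified, action in decisions(SAMPLE):
        print(f"{host:28} cert_verified={verified!s:5} -> {action}")
```

Any hostname that should be protected must appear in the `in` set; the last sample request shows that the rule simply does not fire for hosts it does not list.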