Cloudflare API security checklist

Use this checklist to review API inventory, authentication, mTLS, schema validation, rate limits, WAF controls, bot signals, logging, and partner access before tightening Cloudflare API enforcement.

Topics: cloudflare, resource, security, checklist

Step-by-step checklist

1. Build an API inventory: every public, partner, internal, and mobile-backend API, its hostnames and paths, the owning team, and whether each is documented — using API Discovery to catch endpoints the inventory misses.

2. Review authentication on each endpoint: what credential type is required (API key, OAuth bearer token, mTLS certificate, session), and flag any endpoint that is unauthenticated or relies on a weak or shared secret.

3. Check authorization: confirm endpoints enforce object- and function-level access so a valid token for one user or scope cannot reach another's data or privileged operations.

4. Assess input handling and schema enforcement: whether requests are validated against an OpenAPI schema, and whether WAF Managed and custom rules cover injection and known API attack patterns.

5. Review abuse and rate controls: per-endpoint Rate Limiting on auth, token, search, and write paths; Bot Management signals on API traffic; and credential-stuffing and enumeration protections on login and account endpoints.

6. Examine partner and machine access: where mTLS or JWT Validation applies, how partner credentials are issued and rotated, and whether service tokens and keys have appropriate scope and expiry.

7. Confirm logging and detection: API and HTTP events in Logpush to the SIEM, dashboards for auth failures and rate-limit hits, and alerts that would surface enumeration or abuse in progress.

8. Prioritise gaps into a remediation list ordered by exposure and sensitivity, and decide which controls to stage in log mode versus enforce immediately.
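As an added example (illustration code, not Nanosek's or Cloudflare's), the following Python script ties steps 1, 2 and 8 together: it reconciles a constructed inventory against a constructed API Discovery export, flags unauthenticated, shared-secret, unowned and undocumented endpoints, and orders the resulting gaps by exposure and sensitivity with a stage-versus-enforce decision for each. The hostnames, paths, weights and the decision rule are all assumptions chosen for the example.

```python
"""Reconcile an API inventory against discovered endpoints and rank the gaps.

Added example for the checklist above; not Nanosek's or Cloudflare's code.
Inventory rows, discovered endpoints, weights and the enforcement rule are
all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SHADOW = "shadow endpoint: seen in traffic but not in inventory"
NO_AUTH = {"none"}
WEAK_AUTH = {"shared_key"}          # one secret shared by many callers

# Assumed weights: how much each property raises a gap in the ordering.
EXPOSURE_WEIGHT = {"public": 3, "partner": 2, "internal": 1}
SENSITIVITY_WEIGHT = {"high": 2, "low": 1}
FINDING_SEVERITY = {
    SHADOW: 3,
    "unauthenticated": 3,
    "shared or weak secret": 2,
    "no owning team": 1,
    "undocumented": 1,
}


@dataclass
class Endpoint:
    host: str
    path: str
    owner: Optional[str]
    documented: bool
    auth: str          # "oauth", "mtls", "jwt", "api_key", "shared_key", "none" or "unknown"
    exposure: str      # "public", "partner" or "internal"
    sensitivity: str   # "high" for auth, write or personal data; "low" for public read-only data
    findings: List[str] = field(default_factory=list)


# Constructed inventory: what the owning teams say exists.
INVENTORY = [
    Endpoint("api.example.com", "/v1/orders", "commerce", True, "oauth", "public", "high"),
    Endpoint("api.example.com", "/v1/catalog", "commerce", True, "none", "public", "low"),
    Endpoint("partner.example.com", "/v1/feed", "partners", False, "shared_key", "partner", "high"),
    Endpoint("api.example.com", "/v1/admin/users", None, True, "api_key", "internal", "high"),
]

# Constructed API Discovery export: (host, path) pairs observed in live traffic.
DISCOVERED = [
    ("api.example.com", "/v1/orders"),
    ("api.example.com", "/v1/catalog"),
    ("api.example.com", "/v1/export"),        # absent from the inventory
    ("partner.example.com", "/v1/feed"),
]


def reconcile(inventory, discovered):
    """Inventory plus a placeholder for every discovered endpoint the inventory misses."""
    known = {(e.host, e.path) for e in inventory}
    merged = list(inventory)
    for host, path in discovered:
        if (host, path) not in known:
            # Nothing is known about auth or owner, so assume the worst until confirmed.
            merged.append(Endpoint(host, path, None, False, "unknown", "public", "high",
                                   findings=[SHADOW]))
    return merged


def findings_for(ep):
    """Steps 1 and 2: inventory completeness and credential type per endpoint."""
    found = list(ep.findings)
    if ep.auth in NO_AUTH:
        found.append("unauthenticated")
    elif ep.auth in WEAK_AUTH:
        found.append("shared or weak secret")
    if ep.owner is None:
        found.append("no owning team")
    if not ep.documented:
        found.append("undocumented")
    return found


def score(ep, found):
    """Step 8 ordering: exposure times sensitivity, plus the severity of each finding."""
    base = EXPOSURE_WEIGHT[ep.exposure] * SENSITIVITY_WEIGHT[ep.sensitivity]
    return base + sum(FINDING_SEVERITY[f] for f in found)


def enforcement(ep, found):
    """Stage in log mode unless a credential gap on a high-sensitivity endpoint justifies enforcing now.

    Shadow endpoints always start in log mode: their traffic may be a legitimate
    client nobody documented, and blocking it blind would break that client.
    """
    if SHADOW in found:
        return "stage in log mode"
    worst = max((FINDING_SEVERITY[f] for f in found), default=0)
    return "enforce now" if worst >= 2 and ep.sensitivity == "high" else "stage in log mode"


def remediation_list(inventory, discovered):
    """Ordered remediation list: highest score first, each with its findings and mode."""
    rows = []
    for ep in reconcile(inventory, discovered):
        found = findings_for(ep)
        if found:
            rows.append({"endpoint": ep.host + ep.path, "score": score(ep, found),
                         "mode": enforcement(ep, found), "findings": found})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in remediation_list(INVENTORY, DISCOVERED):
        print(f"{row['score']:>2}  {row['mode']:<17} {row['endpoint']}: {', '.join(row['findings'])}")
```

With the sample data the shadow `/v1/export` endpoint scores highest but is staged rather than enforced, while the partner feed on a shared key is the one gap marked for immediate action; an endpoint with no findings, such as `/v1/orders`, never appears in the list.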

Risk register

Risk: Undocumented or shadow APIs are in production but absent from the inventory, so they are never secured.
Control: Run API Discovery and reconcile it against documentation and source, adding every found endpoint to the inventory and to Endpoint Management.

Risk: Broken object-level authorization lets a valid token read or modify another user's resources.
Control: Verify per-object and per-function access checks at the application, and use schema validation and endpoint scoping at the edge as defence in depth rather than the only control.

Risk: Authentication endpoints are open to credential stuffing and account enumeration.
Control: Apply Rate Limiting and Bot Management signals on login and token endpoints, enable leaked-credential checks, and alert on spikes in auth failures.

Risk: Rate limits are uniform across all APIs and ignore endpoint sensitivity.
Control: Set per-endpoint thresholds from observed volume — stricter on auth, token, and write paths than on read-heavy public endpoints — and stage them in log mode first.

Risk: Partner and machine credentials are broadly scoped, shared, or never rotated.
Control: Issue scoped credentials per partner, prefer mTLS or JWT Validation for machine access, and confirm service tokens and API tokens have least privilege and expiry.

Risk: API abuse is invisible because API events are not reaching the SIEM.
Control: Enable Logpush of HTTP and API datasets, verify field parsing, and build dashboards and alerts for auth failures, schema rejections, and rate-limit events before relying on them.
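An added example covering the rate-limit and logging rows above (illustration code, not part of the checklist or of any Cloudflare tool): it parses constructed records shaped like the Cloudflare HTTP requests Logpush dataset, flags clients with a spike of auth failures on the login path, and then derives per-endpoint rate-limit thresholds from observed per-client volume with the flagged abusers excluded, so that a credential-stuffing burst does not become the baseline. The field names follow that dataset; the addresses, paths, timestamps, tier multipliers and floors are assumptions.

```python
"""Derive per-endpoint rate-limit thresholds and auth-failure alerts from API logs.

Added example for the rate-limit and logging rows above; not part of the
checklist or of any Cloudflare tool. The records are constructed: field names
follow Cloudflare's HTTP requests Logpush dataset, the values are invented, and
the tiers, multipliers and floors are assumptions.
"""
import json
from collections import Counter
from datetime import datetime
from math import ceil

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
AUTH_PATHS = {"/v1/login"}
# Assumed policy: sensitive paths get a tight multiple of the observed peak,
# read paths a loose one; floors stop thin data from producing absurd limits.
TIER_POLICY = {"sensitive": (2, 5), "read": (5, 60)}   # (multiplier, floor)


def _event(ts, ip, method, path, status):
    """One constructed log record in the shape of the HTTP requests dataset."""
    return json.dumps({"EdgeStartTimestamp": ts, "ClientIP": ip, "ClientRequestMethod": method,
                       "ClientRequestPath": path, "EdgeResponseStatus": status})


SAMPLE_LOG = "\n".join(
    # one client browsing the catalog: 12 requests in a minute
    [_event(f"2024-05-01T10:00:{s:02d}Z", "203.0.113.10", "GET", "/v1/catalog", 200)
     for s in range(0, 60, 5)]
    # a real user mistyping a password once, then succeeding
    + [_event("2024-05-01T10:00:05Z", "203.0.113.11", "POST", "/v1/login", 401),
       _event("2024-05-01T10:00:09Z", "203.0.113.11", "POST", "/v1/login", 200)]
    # credential stuffing: 30 failed logins from one address inside a minute
    + [_event(f"2024-05-01T10:01:{s:02d}Z", "198.51.100.7", "POST", "/v1/login", 401)
       for s in range(0, 60, 2)]
    # a write path: three orders placed in a minute
    + [_event(f"2024-05-01T10:02:{s:02d}Z", "203.0.113.12", "POST", "/v1/orders", 201)
       for s in (3, 20, 41)]
)


def parse_events(text):
    """One dict per JSON line, with the timestamp truncated to its minute bucket."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["EdgeStartTimestamp"].replace("Z", "+00:00"))
        rec["minute"] = ts.replace(second=0, microsecond=0)
        events.append(rec)
    return events


def auth_failure_spikes(events, min_failures=10):
    """Alert input: (client, minute) pairs with at least min_failures 401/403s on auth paths."""
    failures = Counter((e["ClientIP"], e["minute"]) for e in events
                       if e["ClientRequestPath"] in AUTH_PATHS and e["EdgeResponseStatus"] in (401, 403))
    return {key: n for key, n in failures.items() if n >= min_failures}


def peak_client_rpm(events):
    """Observed volume per path: the busiest single client in any one minute."""
    per_client_minute = Counter((e["ClientRequestPath"], e["ClientIP"], e["minute"]) for e in events)
    peaks = {}
    for (path, _ip, _minute), n in per_client_minute.items():
        peaks[path] = max(peaks.get(path, 0), n)
    return peaks


def propose_thresholds(events, spikes):
    """Per-endpoint limits from observed volume, with flagged abusers excluded from the baseline."""
    abusive = {ip for ip, _minute in spikes}
    clean = [e for e in events if e["ClientIP"] not in abusive]
    write_paths = {e["ClientRequestPath"] for e in clean if e["ClientRequestMethod"] in WRITE_METHODS}
    proposals = {}
    for path, peak in peak_client_rpm(clean).items():
        tier = "sensitive" if path in AUTH_PATHS or path in write_paths else "read"
        multiplier, floor = TIER_POLICY[tier]
        proposals[path] = {"tier": tier,
                           "requests_per_minute": max(ceil(peak * multiplier), floor),
                           "mode": "log"}   # stage first; move to block once the log shows no false positives
    return proposals


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    spikes = auth_failure_spikes(evts)
    for (ip, minute), n in spikes.items():
        print(f"ALERT {ip} {n} auth failures in minute starting {minute.isoformat()}")
    for path, p in propose_thresholds(evts, spikes).items():
        print(f"{path}: {p['tier']} tier, {p['requests_per_minute']} req/min per client, mode={p['mode']}")
```

The order of operations is the point: run the auth-failure detection first and feed its output into the threshold calculation, otherwise the 30-request burst from the stuffing client becomes the "observed volume" for the login path and the proposed limit is loose enough to let the next burst through. Every proposal is emitted in log mode, matching the checklist's advice to stage before enforcing.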

Useful deliverables

  • API inventory covering public, partner, internal, and mobile-backend endpoints with owners and documentation status, reconciled against Discovery.
  • Authentication review per endpoint with unauthenticated and weak-credential endpoints flagged.
  • Authorization findings on object- and function-level access enforcement.
  • Input-handling and schema-enforcement assessment including WAF coverage of API attack patterns.
  • Abuse and rate-control review covering per-endpoint limits, bot signals, and credential-stuffing protections on auth paths.
  • Partner and machine-access review of mTLS, JWT Validation, and token scope, rotation, and expiry.
  • Prioritised remediation list ordered by exposure and sensitivity, with staged-versus-immediate enforcement decisions.

Frequently asked questions

Common questions teams ask when putting this resource into practice.

How does this checklist relate to the API Shield implementation guide?

The checklist is a review: it assesses authentication, authorization, abuse controls, inventory, and logging across your APIs to find gaps. The implementation guide is the build: it walks through configuring API Shield features — Discovery, Schema Validation, mTLS, JWT Validation, Sequence Mitigation — to close those gaps.

What is the most common gap the checklist finds?

Two recur often: shadow APIs that exist in production but not in any inventory, and authentication endpoints with no abuse controls. Discovery surfaces the first; Rate Limiting, Bot Management signals, and leaked-credential checks on login and token paths address the second.

Can Cloudflare enforce authorization on its own?

Authorization — deciding which user or scope may access which object or function — ultimately belongs at the application, since only it knows ownership. Cloudflare adds defence in depth through schema validation, endpoint scoping, JWT Validation, and mTLS, but the checklist confirms the application enforces access too.

Should every API endpoint have the same rate limit?

No. Limits should reflect each endpoint's sensitivity and observed volume. Login, token, and write endpoints warrant stricter thresholds than read-heavy public endpoints. The checklist reviews limits per endpoint and recommends staging them in log mode before enforcing.

Nanosek can turn this resource into a practical delivery plan for your environment — with rollback planning, stakeholder alignment, and 24/7 managed operations support.
