CF API Shield Demo

API Shield — 1 of 4

API Discovery

Cloudflare passively monitors all traffic on your zone and automatically builds a complete inventory of every API endpoint it observes — no configuration required.

💼 Use Case

Most organisations don't have a complete map of their own API surface. Shadow APIs, forgotten endpoints, and undocumented routes are common. API Discovery gives you visibility before attackers find them first.

🎮 How to Demo

Read through the discovered endpoint table below
Point out that none of these were manually configured
Click "Save to Schema →" to transition into Schema Validation

✅ Expected Outcome

All 7 demo API endpoints appear in the table — populated automatically from observed traffic. The "Unprotected" tags highlight endpoints that have no schema or auth rule yet — your attack surface.

🗺️ Discovered Endpoints ● Live Inventory

Method	Endpoint	First Seen	Requests (24h)	Auth	Status
POST	/api/auth/login	2d ago	4,821	None	Discovered
GET	/api/products	2d ago	18,302	None	Discovered
GET	/api/products/{id}	2d ago	9,104	None	Discovered
POST	/api/cart	2d ago	3,456	JWT	Unprotected
GET	/api/cart	2d ago	5,102	JWT	Unprotected
POST	/api/orders	2d ago	1,233	JWT	Unprotected
GET	/api/orders/{id}	2d ago	1,200	JWT	Unprotected

🗣 Plain English

Think of this as Cloudflare automatically drawing a map of every door into your building — including the ones you forgot existed. Before you can protect something, you need to know it's there. API Discovery does that automatically, continuously, with no setup.

API Shield — 2 of 4

Schema Validation

CF validates every incoming request against your OpenAPI schema at the edge. The Worker behind this demo has zero validation code — everything is enforced by Cloudflare before the request is forwarded.

💼 Use Case

Attackers probe APIs with malformed payloads to find injection points, crash handlers, or unexpected behaviour. Schema Validation stops this class of attack entirely at the edge — your server never processes garbage input.

🎮 How to Demo

Review the schema — note the field types
Click "Auto-fill Valid" then Send — gets through
Pick a violation from the dropdown
Click "Auto-fill Invalid" then Send — CF blocks it

✅ Expected Outcome

Valid request → 200 OK, response from origin.

Invalid request → 400 blocked by CF. The Worker code is never executed.

📄 OpenAPI Schema — POST /api/cart

POST /api/cart
requestBody:
  required: true
  properties:
    product_id:
      type: integer   # required
      minimum: 1
    quantity:
      type: integer   # required
      minimum: 1
      maximum: 99
    coupon:
      type: string    # optional
      maxLength: 20

⚠️ Choose a Violation

Violation type

📤 Request Builder

POST /api/cart

product_id integer*

quantity int 1–99*

coupon string

Response

Hit "Send Request" to see the live CF response

API Shield — 3 of 4

JWT Validation

Cloudflare validates JWT tokens at the edge using your shared secret — before the request reaches your origin. Your backend never processes an invalid token.

💼 Use Case

Without edge validation, every invalid token request hits your auth middleware, consumes server resources, and risks edge cases in your validation logic. CF handles all of this before your code runs.

🎮 How to Demo

Click "Issue Demo Token" — Worker signs a real JWT
Click "Send with Valid Token" — passes CF validation
Click "Send Tampered Token" — CF detects signature mismatch
Click "Send Expired Token" — CF detects expiry
Click "Send No Token" — CF blocks unauthenticated request

✅ Expected Outcome

Valid → 200 OK.

Tampered / Expired / Missing → 403 Forbidden from CF edge. Origin never contacted.

🪪 Token Issued

Note: In production, your own auth system issues tokens. CF validates them regardless of where they came from — it only needs your signing secret.

📤 Send Request to Protected Endpoint

GET /api/cart 🔒 JWT Required

Authorization Header

No token selected

Response

Issue a token then send a request

API Shield — 4 of 4

API Sequence Enforcement

CF tracks the order of API calls per session using the JWT sub claim. Requests that skip required steps are blocked at the edge — your Worker has zero sequence logic.

💼 Use Case

Bots running credential stuffing, account takeover, or checkout abuse skip the normal browsing flow and jump straight to the target endpoint. Sequence Enforcement detects and blocks this pattern automatically.

🎮 How to Demo

Make sure you've issued a JWT first (JWT tab)
Click "Simulate Normal User" — follows all 4 steps in order
Click "Simulate Bot Attack" — jumps straight to checkout
Watch the flow diagram react in real time

✅ Expected Outcome

Normal user → all 4 steps light up green, order confirmed.

Bot → blocked at Step 3 with sequence violation. Steps 1 and 2 never occurred in this session.

🔗 Shopping API — Required Sequence

🛍️

Browse Products

GET /api/products

🛒

Add to Cart

POST /api/cart

💳

Place Order

POST /api/orders

✅

Order Confirmed

GET /api/orders/{id}

Bot Management

Bot Score & WAF Rules

Every request through Cloudflare receives a bot score from 1–99. CF also surfaces TLS fingerprints, detection IDs, and verified bot status. Your WAF rules act on these signals.

💼 Use Case

Credential stuffing, scraping, inventory hoarding, and fake account creation all rely on automated traffic. Bot Management gives you the signal — WAF rules give you the action. Together they stop automation at the edge.

🎮 How to Demo

Click "Check My Bot Score" — shows your real browser score (~99)
Open a terminal and run the curl command shown — scores ~1
Compare both scores side by side — explain why they differ
Walk through the 3 WAF rule tiers

✅ Expected Outcome

Browser scores 70–99 (Human).

curl scores 1–5 (Bot) — detected by TLS fingerprint + User-Agent heuristics. The Balanced WAF rule blocks it.

🌐 Your Browser Score Live

🤖 Automated Client Score curl = Bot

Bot (1)UncertainHuman (99)

🤖 LIKELY BOT Real curl request result

Bot Source

Heuristics

Detection IDs

33554817 (cURL - User-agent), 161371150

Why scored low

No JS execution, no browser fingerprint, curl TLS signature detected

🖥️ Reproduce the Bot Score Yourself

Run this in your terminal to see a real score of 1. CF scores curl low because its TLS fingerprint (JA3) is completely different from a browser — no JavaScript, no cookies, instantly recognisable handshake pattern.

curl https://seanwashere.online/api/bot-score # Returns: "score": 1, "classification": "likely_bot" # Then open CF Dashboard → Security → Events # You will see: Bot score: 1 | Source: Heuristics | Detection: cURL

🗣 Why does this matter?

Browsers score high because CF sees a full TLS handshake with browser-specific cipher suites, JavaScript execution, and real cookie behaviour. curl has none of these — its JA3 fingerprint is instantly recognisable. Even if an attacker changes their IP, the JA3 stays the same — CF keeps detecting them.

📊 Signal Details

Check your browser score above to populate live signals.

🛡️ WAF Rule Tiers

ConservativeOnly near-certain bots

(cf.bot_management.score lt 10)
and not (cf.bot_management.verified_bot)

Action: Block — Low false positive risk. Misses sophisticated bots.

Balanced ⭐ Recommended

(cf.bot_management.score lt 30)
and not (cf.bot_management.verified_bot)

Action: Block — Good starting point. Verified bots (Google, Bing) still pass.

AggressiveHigh-security environments

(cf.bot_management.score lt 50)
and not (cf.bot_management.verified_bot)

Action: JS Challenge — Challenges uncertain traffic too.

Advanced Rate Limiting

Advanced Rate Limit

Standard rate limiting counts by IP. Advanced Rate Limiting counts by any combination of IP, headers, cookies, JWT claims, query strings, or body fields — giving you precise per-user or per-action control.

💼 Use Case

IP-based limits break for users behind shared NAT or office proxies. Per-JWT-sub limits target the actual authenticated identity — no matter how many IPs they use or share.

🎮 How to Demo

IP Test: Click "Run IP Test" — 12 requests, same IP. Watch 429 kick in.
JWT Sub Test: Click "Run User A" then "Run User B" — each has their own separate limit despite sharing the same IP.
Copy the curl commands and run them yourself to prove it's real.

✅ Expected Outcome

IP test: requests 1–10 return 200, requests 11–12 return 429.

JWT sub test: User A and User B each have independent counters — one hitting the limit doesn't affect the other.

🌐 Test 1 — IP-Based Rate Limit

Fires 12 requests. Rule: 10 requests / 60s per IP to GET /api/products

Ready

📋 curl — IP Test

# Run this 11+ times to trigger the rate limit: curl -X GET "https://seanwashere.online/api/products" \ -H "Content-Type: application/json" # On request 11+ you will receive: # HTTP/1.1 429 Too Many Requests

🪪 Test 2 — Per JWT Sub Rate Limit

Each user has their own limit. Rule: 5 requests / 60s per JWT sub claim.

👤 User A (Alice)

Ready

👤 User B (Bob)

Ready

📋 curl — JWT Sub Test

# First issue tokens from the JWT tab, then: # User A — run 6+ times, hits limit on request 6 curl -X GET "https://seanwashere.online/api/cart" \ -H "Authorization: Bearer <USER_A_TOKEN>" # User B — still gets 200 OK even after User A is limited curl -X GET "https://seanwashere.online/api/cart" \ -H "Authorization: Bearer <USER_B_TOKEN>" # This proves CF counts per-identity, not per-IP

Pre-Demo

Setup Checklist

Run through this 30 minutes before your customer meeting. Click each item to mark it done. A missed step will cause a live demo failure — don't skip any.