Cloudflare changelogs | API Shield

API Shield - Web Assets fields now available in GraphQL Analytics API

Mon, 23 Mar 2026 00:00:00 GMT

Two new fields are now available in the httpRequestsAdaptive and httpRequestsAdaptiveGroups GraphQL Analytics API datasets:

webAssetsOperationId — the ID of the saved endpoint that matched the incoming request.
webAssetsLabelsManaged — the managed labels mapped to the matched operation at the time of the request (for example, cf-llm, cf-log-in). At most 10 labels are returned per request.

Both fields are empty when no operation matched. webAssetsLabelsManaged is also empty when no managed labels are assigned to the matched operation.

These fields allow you to determine, per request, which Web Assets operation was matched and which managed labels were active. This is useful for troubleshooting downstream security detection verdicts — for example, understanding why AI Security for Apps did or did not flag a request.

Refer to Endpoint labeling service for GraphQL query examples.

API Shield - New Vulnerability Scanner for API Shield

Mon, 09 Mar 2026 00:00:00 GMT

Introducing Cloudflare's Web and API Vulnerability Scanner (Open Beta)

Cloudflare is launching the Open Beta of the Web and API Vulnerability Scanner for all API Shield customers. This new, stateful Dynamic Application Security Testing (DAST) platform helps teams proactively find logic flaws in their APIs.

The initial release focuses on detecting Broken Object Level Authorization (BOLA) vulnerabilities by building API call graphs to simulate attacker and owner contexts, then testing these contexts by sending real HTTP requests to your APIs.

The scanner is now available via the Cloudflare API. To scan, set up your target environment, owner and attacker credentials, and upload your OpenAPI file with response schemas. The scanner will be available in the Cloudflare dashboard in a future release.

Access: This feature is only available to API Shield subscribers via the Cloudflare API. We hope you will use the API for programmatic integration into your CI/CD pipelines and security dashboards.

Documentation: Refer to the developer documentation to start scanning your endpoints today.

API Shield - New BOLA Vulnerability Detection for API Shield

Wed, 12 Nov 2025 00:00:00 GMT

Now, API Shield automatically searches for and highlights Broken Object Level Authorization (BOLA) attacks on managed API endpoints. API Shield will highlight both BOLA enumeration attacks and BOLA pollution attacks, telling you what was attacked, by who, and for how long.

You can find these attacks three different ways: Security Overview, Endpoint details, or Security Analytics. If these attacks are not found on your managed API endpoints, there will not be an overview card or security analytics suspicious activity card.

From the endpoint details, you can select View attack to find details about the BOLA attacker’s sessions.

From here, select View in Analytics to observe attacker traffic over time for the last seven days.

Your search will filter to traffic on that endpoint in the last seven days, along with the malicious session IDs found in the attack. Session IDs are hashed for privacy and will not be found in your origin logs. Refer to IP and JA4 fingerprint to cross-reference behavior at the origin.

At any time, you can also start your investigation into attack traffic from Security Analytics by selecting the suspicious activity card.

We urge you to take all of this client information to your developer team to research the attacker behavior and ensure any broken authorization policies in your API are fixed at the source in your application, preventing further abuse.

In addition, this release marks the end of the beta period for these scans. All Enterprise customers with API Shield subscriptions will see these new attacks if found on their zone.

API Shield - New API Posture Management for API Shield

Tue, 18 Mar 2025 00:00:00 GMT

Now, API Shield automatically labels your API inventory with API-specific risks so that you can track and manage risks to your APIs.

View these risks in Endpoint Management by label:

...or in Security Center Insights:

API Shield will scan for risks on your API inventory daily. Here are the new risks we're scanning for and automatically labelling:

cf-risk-sensitive: applied if the customer is subscribed to the sensitive data detection ruleset and the WAF detects sensitive data returned on an endpoint in the last seven days.
cf-risk-missing-auth: applied if the customer has configured a session ID and no successful requests to the endpoint contain the session ID.
cf-risk-mixed-auth: applied if the customer has configured a session ID and some successful requests to the endpoint contain the session ID while some lack the session ID.
cf-risk-missing-schema: added when a learned schema is available for an endpoint that has no active schema.
cf-risk-error-anomaly: added when an endpoint experiences a recent increase in response errors over the last 24 hours.
cf-risk-latency-anomaly: added when an endpoint experiences a recent increase in response latency over the last 24 hours.
cf-risk-size-anomaly: added when an endpoint experiences a spike in response body size over the last 24 hours.

In addition, API Shield has two new 'beta' scans for Broken Object Level Authorization (BOLA) attacks. If you're in the beta, you will see the following two labels when API Shield suspects an endpoint is suffering from a BOLA vulnerability:

cf-risk-bola-enumeration: added when an endpoint experiences successful responses with drastic differences in the number of unique elements requested by different user sessions.
cf-risk-bola-pollution: added when an endpoint experiences successful responses where parameters are found in multiple places in the request.

We are currently accepting more customers into our beta. Contact your account team if you are interested in BOLA attack detection for your API.

Refer to the blog post for more information about Cloudflare's expanded posture management capabilities.