middleBrick API security scanner review

What middleBrick covers

  • Black-box scanning with under-one-minute results and read-only methods
  • Detection mapped to OWASP API Top 10, PCI-DSS 4.0, and SOC 2 Type II
  • Authenticated scanning for Bearer, API key, Basic auth, and Cookie
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with $ref resolution and spec-runtime cross-check
  • Continuous monitoring with scheduled rescans and diff-based alerts
  • Integrations via Web Dashboard, CLI, GitHub Action, MCP Server, and API client

Overview and scope

middleBrick is a self-service API security scanner: you give it a URL and it returns a risk score with prioritized findings. Scanning is black-box, with no agents, code access, or SDK integration, so it works against any language, framework, or cloud. A scan completes in under one minute and uses read-only methods, plus text-only POST requests for the LLM probes.

Detection coverage

The scanner covers 12 categories aligned to the OWASP API Top 10 (2023). It detects authentication bypasses and JWT misconfigurations; BOLA/IDOR via sequential and adjacent ID probing; BFLA and privilege escalation attempts; and property-level authorization issues such as over-exposure and mass-assignment surface. Its input-validation category covers CORS wildcard origins with and without credentials, dangerous HTTP methods, and exposed debug endpoints. The remaining categories address rate limiting and resource consumption, data exposure (PII patterns and API key formats in responses), encryption misconfigurations, SSRF indicators, inventory management, unsafe consumption surfaces, and LLM/AI security through several tiers of adversarial probes.
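The passive response checks in that list are easy to show concretely. The following is an added example, not middleBrick's code: it runs three of the checks (CORS reflection or wildcard with credentials, dangerous methods advertised in an OPTIONS Allow header, and PII/secret patterns in a body) over two constructed responses. The regexes are illustrative placeholders for the larger pattern set a real scanner carries.

```python
"""Passive response checks of the kind a black-box API scanner applies.

Added example, not middleBrick's code. SAMPLE_RESPONSES are constructed for
this demonstration; the header names are standard HTTP.
"""
import re

# Methods a public JSON API rarely needs to advertise. TRACE enables
# cross-site tracing; the write methods only matter when reachable
# unauthenticated, so the check reports rather than judges.
DANGEROUS_METHODS = {"TRACE", "TRACK", "CONNECT", "PUT", "DELETE", "PATCH"}

# Illustrative patterns only; a production scanner carries far more.
SENSITIVE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b"),
}


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def check_cors(headers, origin_sent):
    """Return a finding name for CORS misconfigurations, else None.

    origin_sent is the attacker-controlled Origin the probe request carried,
    so a response that echoes it back is reflecting arbitrary origins."""
    h = _lower(headers)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return None
    if acao == "*":
        # Browsers refuse "*" together with credentials, but the pair still
        # signals a server that does not understand the model.
        return "cors_wildcard_with_credentials" if creds else "cors_wildcard"
    if acao == origin_sent:
        # Reflecting any Origin with credentials lets any site read
        # authenticated responses in the victim's browser.
        return "cors_reflected_origin_with_credentials" if creds else "cors_reflected_origin"
    return None


def check_dangerous_methods(allow_header):
    """Parse an Allow header (from an OPTIONS probe) and list risky methods."""
    if not allow_header:
        return []
    methods = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    return sorted(methods & DANGEROUS_METHODS)


def find_sensitive_data(body):
    """Name every PII / secret pattern that appears in a response body."""
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(body))


def scan_response(response):
    """Combine the three passive checks into one findings record."""
    h = _lower(response["headers"])
    return {
        "url": response["url"],
        "cors": check_cors(response["headers"], response["origin_sent"]),
        "dangerous_methods": check_dangerous_methods(h.get("allow")),
        "sensitive_data": find_sensitive_data(response["body"]),
    }


# Constructed sample responses: one badly configured, one mostly fine.
SAMPLE_RESPONSES = [
    {
        "url": "https://api.example.test/v1/users/42",
        "origin_sent": "https://evil.example",
        "headers": {
            "Content-Type": "application/json",
            "Access-Control-Allow-Origin": "https://evil.example",
            "Access-Control-Allow-Credentials": "true",
            "Allow": "GET, POST, PUT, DELETE, TRACE",
        },
        "body": '{"id": 42, "email": "alice@example.test", "ssn": "123-45-6789"}',
    },
    {
        "url": "https://api.example.test/v1/health",
        "origin_sent": "https://evil.example",
        "headers": {"Content-Type": "application/json", "Access-Control-Allow-Origin": "*"},
        "body": '{"status": "ok"}',
    },
]

if __name__ == "__main__":
    for r in SAMPLE_RESPONSES:
        print(scan_response(r))
```

The Origin value matters: a scanner sends a deliberately foreign Origin so that a reflected value is unambiguous evidence, whereas testing with the API's own origin would report nothing.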

OpenAPI analysis supports versions 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings for undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
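To make the spec-side checks concrete, here is an added example (not middleBrick's parser) that resolves local JSON-pointer $refs recursively, stops at cycles, and flags three of the issues named above: an operation whose security requirement names a scheme absent from components.securitySchemes, a deprecated operation, and a GET that returns a collection without any pagination parameter. It also reports sensitive-looking field names reachable from a response schema. The spec is constructed and seeded with each issue; remote (non-"#/") refs are out of scope here.

```python
"""Static OpenAPI 3.x checks with recursive local $ref resolution.

Added example, not middleBrick's code. SPEC is constructed for this
demonstration and deliberately contains every issue the checks look for.
"""

SENSITIVE_FIELD_NAMES = {"password", "ssn", "secret", "token", "api_key", "apikey", "credit_card"}
PAGINATION_PARAMS = {"limit", "offset", "page", "page_size", "per_page", "cursor", "after", "before"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}

SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Demo", "version": "1"},
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "email": {"type": "string"},
                "password": {"type": "string"},
                "manager": {"$ref": "#/components/schemas/User"},  # cyclic self-reference
            }},
            "UserList": {"type": "array", "items": {"$ref": "#/components/schemas/User"}},
        },
    },
    "paths": {
        "/users": {"get": {
            "operationId": "listUsers", "security": [{"bearerAuth": []}],
            "responses": {"200": {"description": "ok", "content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/UserList"}}}}}}},
        "/users/{id}": {"get": {
            "operationId": "getUser", "security": [{"apiKey": []}],  # apiKey is never defined
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "responses": {"200": {"description": "ok", "content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/legacy/export": {"get": {
            "operationId": "legacyExport", "deprecated": True,
            "responses": {"200": {"description": "ok"}}}},
    },
}


def resolve_ref(ref, spec):
    """Resolve a local JSON-pointer $ref such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"remote $ref not supported in this example: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]  # RFC 6901 unescape
    return node


def schema_field_names(schema, spec, _stack=()):
    """Yield every property name reachable from a schema, following $refs
    recursively; a ref already on the stack is a cycle and is skipped."""
    if "$ref" in schema:
        ref = schema["$ref"]
        if ref in _stack:
            return
        yield from schema_field_names(resolve_ref(ref, spec), spec, _stack + (ref,))
        return
    for name, sub in schema.get("properties", {}).items():
        yield name
        yield from schema_field_names(sub, spec, _stack)
    if "items" in schema:
        yield from schema_field_names(schema["items"], spec, _stack)
    for key in ("allOf", "oneOf", "anyOf"):
        for sub in schema.get(key, []):
            yield from schema_field_names(sub, spec, _stack)


def response_is_collection(schema, spec):
    if "$ref" in schema:
        schema = resolve_ref(schema["$ref"], spec)
    return schema.get("type") == "array" or "items" in schema


def analyze(spec):
    """Return (operationId, finding, detail) tuples for the spec."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            opid = op.get("operationId", f"{method.upper()} {path}")
            for requirement in op.get("security", spec.get("security", [])):
                for name in requirement:
                    if name not in defined:
                        findings.append((opid, "undefined_security_scheme", name))
            if op.get("deprecated"):
                findings.append((opid, "deprecated_operation", path))
            params = {p["name"].lower() for p in item.get("parameters", []) + op.get("parameters", [])}
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    schema = media.get("schema")
                    if not schema:
                        continue
                    for field in schema_field_names(schema, spec):
                        if field.lower() in SENSITIVE_FIELD_NAMES:
                            findings.append((opid, "sensitive_field_in_response", field))
                    if method.lower() == "get" and response_is_collection(schema, spec) \
                            and not (params & PAGINATION_PARAMS):
                        findings.append((opid, "missing_pagination", path))
    return findings


if __name__ == "__main__":
    for f in analyze(SPEC):
        print(*f)
```

The cycle guard is the part that matters in practice: real specs routinely contain self-referential schemas (trees, "parent" links), and a naive recursive resolver either loops forever or blows the stack on them.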

Authenticated scanning and safety

Authenticated scanning is available from the Starter tier upward, supporting Bearer, API key, Basic auth, and Cookie methods. Domain verification is required, allowing only the domain owner to scan with credentials. The header allowlist is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers.

Safety measures keep requests to read-only methods, apart from the text-only POST used for LLM probes, and destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers, so the scanner cannot be pointed at internal infrastructure. Customer scan data is deletable on demand and purged within 30 days of cancellation, and data is not sold or used for model training.
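Two of those safeguards are worth seeing as code. The following added example (not middleBrick's implementation) applies the credential header allowlist from the review and then blocks unsafe targets in two layers: once on the URL as written (scheme, blocked hostnames, IP literals including IPv4-mapped IPv6) and again on every address the hostname resolves to, so a DNS name that points at 169.254.169.254 is refused too. The metadata hostnames, the finding names and the layered design are this example's own; DNS is injected as a function so the code runs offline against a constructed lookup table.

```python
"""Scanner-side safety: credential header allowlist and layered SSRF target
blocking. Added example, not middleBrick's code. HEADER_ALLOWLIST follows
the review; BLOCKED_HOSTNAMES, METADATA_ADDRESSES and FAKE_DNS are this
example's constructed data."""
import fnmatch
import ipaddress
from urllib.parse import urlsplit

HEADER_ALLOWLIST = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")

# Names that reach cloud metadata or the local host without needing an IP.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata", "instance-data"}

# Well-known metadata addresses, tested first so the finding names the cause.
METADATA_ADDRESSES = {ipaddress.ip_address("169.254.169.254"), ipaddress.ip_address("fd00:ec2::254")}


def filter_credential_headers(headers):
    """Keep only allowlisted headers (case-insensitive, X-Custom-* wildcard).
    Returns (kept, dropped_names). Dropping everything else is what stops a
    customer from smuggling in Host or X-Forwarded-For overrides."""
    kept, dropped = {}, []
    for name, value in headers.items():
        if any(fnmatch.fnmatchcase(name.lower(), pat.lower()) for pat in HEADER_ALLOWLIST):
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


def address_is_blocked(addr):
    """Return the reason an address must not be contacted, or None."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    if ip in METADATA_ADDRESSES:
        return "cloud_metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link_local"
    if ip.is_private:  # RFC 1918, ULA, and the other non-global ranges Python knows
        return "private"
    if ip.is_unspecified or ip.is_multicast or ip.is_reserved:
        return "non_routable"
    return None


def validate_target(url, resolve):
    """Layer 1 checks the URL as given; layer 2 re-checks every resolved
    address. `resolve(hostname) -> list[str]` is injected so the check can
    run against a fake resolver here and a real one in production."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported_scheme"
    host = parts.hostname
    if not host:
        return False, "missing_host"
    if host.lower() in BLOCKED_HOSTNAMES or host.lower().endswith(".localhost"):
        return False, "blocked_hostname"
    try:
        ipaddress.ip_address(host)
        is_literal = True
    except ValueError:
        is_literal = False
    if is_literal:
        reason = address_is_blocked(host)
        return (False, reason) if reason else (True, "ip_literal")
    # Layer 2: whatever the name looks like, what it resolves to decides.
    addrs = resolve(host)
    if not addrs:
        return False, "unresolvable"
    for addr in addrs:
        reason = address_is_blocked(addr)
        if reason:
            return False, f"resolves_to_{reason}"
    return True, "ok"


# Constructed lookup table standing in for DNS. 93.184.216.34 is a public
# address; the other entries model an internal name and a rebinding name.
FAKE_DNS = {
    "api.example.test": ["93.184.216.34"],
    "internal.example.test": ["10.0.0.5"],
    "rebind.example.test": ["93.184.216.34", "169.254.169.254"],
}


def fake_resolve(hostname):
    return FAKE_DNS.get(hostname.lower(), [])


if __name__ == "__main__":
    for u in ("https://api.example.test/v1", "http://localhost:8080/", "https://rebind.example.test/"):
        print(u, validate_target(u, fake_resolve))
```

A production version should also pin the connection to the address it validated (resolve once, connect to that IP, send the original Host header); otherwise a second lookup at connect time reopens the DNS-rebinding window the second layer is meant to close.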

Integrations and monitoring

The product provides a Web Dashboard for running scans, viewing reports, tracking score trends, and downloading branded compliance PDFs. The CLI, distributed as an npm package, supports JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a configured threshold. An MCP Server lets AI coding assistants trigger scans. Programmatic access is available through an API client for custom integrations.

Pro tier adds continuous monitoring with scheduled rescans, diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.

Compliance mapping and limitations

Findings map to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023). For other frameworks, the tool aligns its findings with the security controls those standards describe and helps you prepare audit evidence, without asserting certification or guaranteeing compliance.

The scanner does not fix, patch, block, or remediate findings; it provides detection and guidance. It does not perform active SQL injection or command injection testing, detect business logic vulnerabilities, find blind SSRF requiring out-of-band infrastructure, or replace human pentesters for high-stakes audits.

Pricing and value

Free tier offers 3 scans per month with CLI access. Starter at 99 dollars per month supports 15 APIs, monthly scans, dashboard, email alerts, and the MCP Server. Pro at 499 dollars per month covers 100 APIs with additional APIs priced at 7 dollars each, adding continuous monitoring, GitHub Action gates, CI/CD integration, Slack/Teams alerts, compliance reports, and signed webhooks. Enterprise at 2000 dollars per month provides unlimited APIs, custom rules, SSO, audit logs, SLA, and dedicated support.

Frequently Asked Questions

What standards does the scanner map findings to?
It maps findings to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023). For other frameworks, it aligns findings with the relevant security controls and helps you prepare audit evidence, without claiming certification.
Can authenticated scans be configured?
Yes, authenticated scanning supports Bearer, API key, Basic auth, and Cookie methods, with domain verification and a restricted header allowlist.
Does the tool perform active injection testing like SQL injection?
No. The scanner does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope.
What happens to scan data after cancellation?
Customer scan data can be deleted on demand and is purged within 30 days of cancellation. Data is never sold or used for model training.
How are new findings tracked over time?
Pro tier offers scheduled rescans and diff detection across scans, highlighting new findings, resolved findings, and score drift with configurable alerting.