Migrating from Cloudflare API Shield to middleBrick

Before switching, map the protections you rely on in Cloudflare API Shield. Note which features you use: schema validation, bot mitigation, rate limiting, IP allowlists, and JWT validation. Export the configuration for each protected API, including rule settings and thresholds. This inventory clarifies what security behaviors must be recreated or adjusted in middleBrick to avoid coverage gaps during migration.

Cloudflare provides analytics and logs through the dashboard and API. Export security events, block decisions, and configuration snapshots for the relevant period you want to compare against post-migration. Save these exports as structured logs (JSON or CSV). You will use them to baseline traffic patterns, false positive rates, and blocked requests so that you can validate that middleBrick surface comparable risk visibility after cutover.

middleBrick does not ingest historical Cloudflare data, so you recreate baseline findings by scanning each API endpoint with the same parameters you used in Cloudflare. Use the CLI to run initial scans and save JSON output: middlebrick scan https://api.example.com/openapi.json --output json > baseline.json. For authenticated surfaces, provide tokens via environment variables and ensure the domain verification gate passes. Compare these new results with your Cloudflare exports to confirm that critical protections are still detected and that risk visibility is preserved.

Shift the CI gate from Cloudflare to middleBrick without breaking pipelines. In your GitHub Action, replace the Shield integration step with the middleBrick action and point it at your staging environment first. Use a threshold that matches your previous enforcement posture; for example, fail the build when the score drops below C. Keep the Cloudflare rules active in observe mode for one full release cycle so you can correlate findings and confirm that the new gate produces equivalent or stricter enforcement.

You will lose Cloudflare’s network-level rate limiting and bot mitigation at the edge; these are runtime protections that sit outside scanner scope. You will also lose tightly integrated WAF blocking, which middleBrick does not provide because it is a scanner, not an enforcement point. What you gain is standards-aligned detection mapped to OWASP API Top 10, PCI-DSS 4.0, and SOC 2 Type II, with a consistent developer-first workflow across languages and frameworks. The scanner runs in under a minute, supports authenticated checks, and integrates into dashboards, CI, and MCP servers so findings are actionable earlier in development.

Complete these steps before decommissioning Cloudflare Shield for production APIs: 1) Export configurations and logs from Cloudflare. 2) Verify domain ownership for authenticated scans. 3) Run full middleBrick scans for all APIs and save JSON reports. 4) Reconcile findings with your Cloudflare exports to confirm coverage. 5) Update CI to use the middleBrick action and set appropriate score thresholds. 6) Monitor the first scheduled rescans and alerting channels. 7) Keep Cloudflare rules in observe mode for one release cycle, then disable if behavior is consistent.