Cloudflare customers can now protect their APIs from broken authentication attacks by validating incoming JSON Web Tokens (JWTs) with API Gateway's JWT Validation. The release addresses feature requests for supporting the Bearer token format, creating multiple JWKS configs, validating JWTs sent in cookies, and excluding managed endpoints in a JWT validation rule. Broken authentication is a major threat in API security, and JWT validation helps enforce a positive security model for authenticated API users. JWTs provide short-lived sessions and enhanced security compared to other authentication methods. API attacks like missing or broken authentication, expired token reuse, and Broken Function Level Authorization attacks can be prevented with proper authentication and authorization. API Gateway's JWT Validation checks JWT signatures, expiration times, and the presence of authentication tokens to protect against these attacks. Cloudflare Access and custom Cloudflare Workers are other options for JWT validation, but API Gateway provides an easier and more manageable experience. Future releases will expand the capabilities of API Gateway, including generating and enforcing authorization policies and enhancing API management with Cloudflare.
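The summary above lists three checks that JWT validation performs: the token must be present (Bearer header or cookie), its signature must verify, and it must not be expired. As an added illustration that is not Cloudflare's code and does not reflect how API Gateway is implemented, the Python below carries out those checks on a request. It uses a shared-secret HS256 signature instead of the JWKS-based public-key verification the product uses so that it runs offline with the standard library only; the `authorization` header, `session` cookie name, secret and claims are constructed for the example.

```python
"""Added example (not Cloudflare's code): a minimal JWT validator that performs
the checks the summary names: token presence (Bearer header or cookie),
signature validity, and expiration. HS256 with a shared secret is an
assumption made so the example is self-contained; a gateway would normally
verify an asymmetric signature against a JWKS."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def b64url_decode(s: str) -> bytes:
    # JWTs use unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256-signed token (what an identity provider would do)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segs = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
            b64url_encode(json.dumps(claims, separators=(",", ":")).encode())]
    sig = hmac.new(secret, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(sig)])


def replace_claims_unsigned(token: str, new_claims: dict) -> str:
    """Test fixture: swap the claims segment but keep the old signature.
    A validator that checks signatures must reject the result."""
    h, _, s = token.split(".")
    return ".".join([h, b64url_encode(json.dumps(new_claims).encode()), s])


def extract_token(headers: dict, cookies: dict,
                  cookie_name: str = "session") -> Optional[str]:
    """Presence check: Authorization: Bearer <jwt>, else a named cookie."""
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip() or None
    return cookies.get(cookie_name)


def validate_jwt(token: str, secret: bytes,
                 now: Optional[float] = None) -> Tuple[bool, str, Optional[dict]]:
    """Return (accepted, reason, claims). Signature is checked before any
    claim is trusted, and a missing or past 'exp' is a rejection."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:  # bad base64 or bad JSON
        return False, "malformed", None
    # Pin the algorithm: never let the token choose (e.g. "none").
    if header.get("alg") != "HS256":
        return False, "unsupported_alg", None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad_signature", None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing_exp", None
    if now >= exp:
        return False, "expired", None
    return True, "ok", claims


def authorize_request(headers: dict, cookies: dict, secret: bytes,
                      now: Optional[float] = None) -> Tuple[bool, str, Optional[dict]]:
    """Gateway-style decision for one request: presence, then validation."""
    token = extract_token(headers, cookies)
    if token is None:
        return False, "missing_token", None
    return validate_jwt(token, secret, now)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed, not a real key
    tok = make_jwt({"sub": "alice", "role": "user", "exp": int(time.time()) + 300}, secret)
    print(authorize_request({"authorization": "Bearer " + tok}, {}, secret))
    print(authorize_request({}, {}, secret))
```

The order of checks matters: the signature is verified before any claim is read, so a tampered `role` claim (the Broken Function Level Authorization case in the summary) is rejected as a bad signature rather than evaluated, and the algorithm is pinned by the validator rather than taken from the token header.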

8 min read. From blog.cloudflare.com
Table of contents
  What’s new in this release?
  What is the threat?
  A primer on authentication and authorization
  A primer on API access tokens
  What’s the structure of a JWT?
  Proper authentication and authorization stop API attacks
  Missing or broken authentication
  Expired token reuse
  Broken Function Level Authorization attacks: Tampering with claims
  Don’t other Cloudflare products do this?
  What’s next?
