diff --git a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx index a9eb9887bd438bc..27903cc6305f819 100644 --- a/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx +++ b/src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx @@ -46,7 +46,15 @@ You can filter your endpoints based on the labels. `cf-risk-mixed-auth`: Automatically added when some successful requests contain a session identifier and some successful requests lack a session identifier. Refer to the table below for more information. -`cf-risk-sensitive`: Cloudflare will automatically add this label to endpoints when HTTP responses match the WAF's [Sensitive Data Detection](/api-shield/management-and-monitoring/#sensitive-data-detection) ruleset. +`cf-risk-sensitive`: Automatically added to endpoints when HTTP responses match the WAF's [Sensitive Data Detection](/api-shield/management-and-monitoring/#sensitive-data-detection) ruleset. + +`cf-risk-missing-schema`: Automatically added when a learned schema is available for an endpoint that has no active schema. + +`cf-risk-error-anomaly`: Automatically added when an endpoint experiences a recent increase in response errors over the last 24 hours. + +`cf-risk-latency-anomaly`: Automatically added when an endpoint experiences a recent increase in response latency over the last 24 hours. + +`cf-risk-size-anomaly`: Automatically added when an endpoint experiences a spike in response body size over the last 24 hours. :::note Cloudflare will only add authentication labels to endpoints with successful response codes. Refer to the below table for more details. diff --git a/src/content/docs/security-center/security-insights/index.mdx b/src/content/docs/security-center/security-insights/index.mdx index ada314679b7b7b8..ddb10dcd671b95a 100644 --- a/src/content/docs/security-center/security-insights/index.mdx 
+++ b/src/content/docs/security-center/security-insights/index.mdx 
@@ -28,6 +28,9 @@ Listed below are the specific insights currently available: | [Domains without HSTS](/ssl/edge-certificates/additional-options/http-strict-transport-security/) | HTTP Strict Transport Security (`HSTS`), is a header which allows a website to specify and enforce security policy in client web browsers. This policy enforcement protects secure websites from downgrade attacks SSL stripping and cookie hijacking. | | [Exposed RDP Servers](/cloudflare-one/connections/connect-networks/use-cases/rdp/) | We detect an RDP server that is exposed to the public Internet. | | [Get notified of malicious client-side scripts](/page-shield/detection/configure-alerts/) | We detect that Page Shield alerts are not configured. You will not receive notifications when we detect potential malicious scripts executing in your client-side environment. | +| [Increased body response size detected on API endpoints](/api-shield/management-and-monitoring/endpoint-labels/) | Investigate changes, abuse, or successful attacks that may have led to this increase in response body size. | +| [Increased errors detected on API endpoints](/api-shield/management-and-monitoring/endpoint-labels/) | Investigate changes, abuse, or successful attacks that may have led to this increase in errors. | +| [Increased latency detected on API endpoints](/api-shield/management-and-monitoring/endpoint-labels/) | Investigate changes, abuse, or successful attacks that may have led to this increase in response latency. | | [Managed Rules not deployed](/waf/managed-rules/reference/cloudflare-managed-ruleset/) | No managed rules deployed on a WAF protected domain. | | [Migrate to new Managed Rules](/waf/reference/migration-guides/waf-managed-rules-migration/) | Migration to new Managed Rules system required for optimal protection. 
| | [Mixed-authentication API endpoints detected](/api-shield/management-and-monitoring/endpoint-labels/#managed-labels) | Not all of the successful requests against API endpoints carried session identifiers. | @@ -36,6 +39,7 @@ Listed below are the specific insights currently available: | [Overprovisioned Access Policies](/cloudflare-one/policies/access/) | We detect an Access policy to allow everyone access to your application. | | [Page Shield not enabled](/page-shield/get-started/) | Page Shield helps meet PCI DSS v4.0 compliance regarding requirement 6.4.3. | | [SPF Record Errors](/dns/manage-dns-records/reference/dns-record-types/#spf) | We detect an incorrect or missing `SPF` record. | +| [Schema Validation missing from eligible API endpoints](/api-shield/security/schema-validation/) | Apply the learned schema to protect your API against fuzzing attacks. | | [Sensitive data in API response](/api-shield/management-and-monitoring/#sensitive-data-detection) | Sensitive data in API responses detected. | | [Turn on JavaScript Detection](/bots/reference/javascript-detections/) | One or more of your Bot Management enabled zones does not have JavaScript Detection enabled, which is a critical part of our bot detection suite. | | [Unassigned Access seats](/cloudflare-one/) | We detect a Zero Trust subscription that is not configured yet. | diff --git a/src/content/release-notes/api-shield.yaml b/src/content/release-notes/api-shield.yaml index 21f1eec104422dc..83e15561f9041b1 100644 --- a/src/content/release-notes/api-shield.yaml +++ b/src/content/release-notes/api-shield.yaml 
@@ -5,6 +5,11 @@ productLink: "/api-shield/" productArea: Application security productAreaLink: /fundamentals/reference/changelog/security/ entries: + - publish_date: "2025-02-17" + title: New automatically applied risk labels + description: |- + API Shield now automatically labels endpoints with risks due to missing schemas and performance anomalies (spikes in error rates, latency, and body response sizes). + - publish_date: "2025-01-16" title: API Authentication Posture description: |-
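Review bot: in the endpoint-labels.mdx hunk, the three new anomaly labels (`cf-risk-error-anomaly`, `cf-risk-latency-anomaly`, `cf-risk-size-anomaly`) say an increase is detected "over the last 24 hours" but do not say what baseline the increase is measured against or whether the label is removed once the metric returns to normal, which is exactly what someone triaging a labelled endpoint needs to know; the neighbouring `cf-risk-mixed-auth` entry points readers to a table for its precise conditions, so either give these labels the same reference or add a sentence such as "The label is removed automatically once the metric returns to its previous level." The phrase "a recent increase ... over the last 24 hours" also repeats itself; "an increase in response errors over the last 24 hours" is enough. For `cf-risk-missing-schema`, spell out what "no active schema" means and link to /api-shield/security/schema-validation/, which the Security Insights row added for the same condition already does.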
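Review bot: in the security-insights/index.mdx hunk, the four new rows describe a remediation ("Investigate changes, abuse, or successful attacks ...", "Apply the learned schema ...") while every other row in the table states what was detected ("We detect ...", "Sensitive data in API responses detected."); lead with the detection and then the action, for example "We detect an increase in response errors on one or more API endpoints over the last 24 hours. Investigate changes, abuse, or successful attacks that may have caused it." The three anomaly rows link to /api-shield/management-and-monitoring/endpoint-labels/ whereas the existing "Mixed-authentication API endpoints detected" row links to the `#managed-labels` anchor of the same page; use the anchor so the reader lands on the label definitions. The title "Increased body response size detected" should also match the wording of the label it maps to ("response body size" in `cf-risk-size-anomaly`).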
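Review bot: in the api-shield.yaml hunk, the new changelog entry says "body response sizes" where the labels page added in the same change says "response body size"; pick one term across the three files. The entry also names none of the new labels and links nowhere, although the changelog is the first thing most readers see; list `cf-risk-missing-schema`, `cf-risk-error-anomaly`, `cf-risk-latency-anomaly` and `cf-risk-size-anomaly`, or link to /api-shield/management-and-monitoring/endpoint-labels/, so the definitions can be found. "Labels endpoints with risks due to missing schemas" reads awkwardly; "labels endpoints that are missing a schema or show performance anomalies (spikes in error rate, latency, or response body size)" says the same thing more clearly.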