Core platform
API Shield
Score: 5/10Schema validation is nice; the Enterprise gate is hard to justify.
Last updated
API Shield bundles mTLS client certificates, API discovery, schema validation, and sequence analytics for Enterprise API estates. The mTLS part is useful and partially available to everyone. Issuing client certificates from Cloudflare’s CA and enforcing them in WAF rules works well for locking down device or service traffic.
Discovery and schema validation do what they claim: upload an OpenAPI spec, block requests that don’t conform. That’s real defense-in-depth for a public API.
Most of the value beyond mTLS sits behind Enterprise contracts, while plain WAF custom rules cover much of the same ground. A competent team with a good ruleset can get most of the way there. The score reflects access and value, not raw capability.