Skip to content
Home » News » Summary of Cloudflare’s 2024 API Security Report

Summary of Cloudflare’s 2024 API Security Report

Cloudflare is a globally recognized software company that powers 20% of the web. Cloudflare is renowned for its range of services targeted at enhancing the security of the internet. Through its extensive portfolio, Cloudflare empowers websites and online services to operate efficiently and securely.


Key among Cloudflare’s security offerings are:

  1. DDoS Mitigation: Cloudflare’s vast network infrastructure and advanced mitigation techniques enable it to effectively mitigate Distributed Denial of Service (DDoS) attacks. By analyzing traffic patterns in real-time and filtering out malicious requests, Cloudflare helps organizations maintain service availability and uptime.
  2. Web Application Firewall (WAF): Cloudflare’s WAF protects websites and online applications from a wide range of cyber threats, including SQL injection, cross-site scripting (XSS), and other common web vulnerabilities. By inspecting incoming traffic and filtering out malicious payloads, Cloudflare helps safeguard sensitive data and prevent unauthorized access.
  3. Bot Management: Cloudflare offers bot management solutions that help organizations differentiate between legitimate traffic and malicious bots. By identifying and mitigating bot-based threats, such as credential stuffing and content scraping, Cloudflare helps protect websites and online services from abuse and fraud.
  4. Threat Intelligence: Cloudflare leverages threat intelligence data from its global network to identify and block emerging cyber threats in real-time. By analyzing billions of requests per day and correlating data across its network, Cloudflare helps organizations stay ahead of evolving threats and proactively defend against cyber attacks.
  5. API Gateway service: Cloudflare’s API Gateway service enables developers to quickly build, secure, and scale APIs by providing serverless functions, authentication and authorization mechanisms, rate limiting, logging and monitoring features, and global scalability leveraging Cloudflare’s network infrastructure.

In January 2024, Cloudflare released its first API security and management report based on aggregated traffic patterns observed by Cloudflare’s global network (including Cloudflare’s web application firewall, DDoS protection, bot management, and API gateway services) between Oct. 1, 2022 and Aug. 31, 2023. Unlike other industry API reports, Cloudflare’s report is not based on user surveys. It was based on real traffic data processed on their network.

Some highlighted insights from the report are:

API traffic is more than all other internet traffic, comprising more than 57% of internet traffic processed by Cloudflare: Cloudflare’s global network processes an average of 50 million HTTP requests per second and can handle over 70 million requests at peak times.

From October 1, 2022, to August 31, 2023, between 53.1% to 60.1% of Cloudflare’s dynamic HTTP traffic consisted of successful API responses (status code 200).

Improper Inventory Management – 30.7% of APIs were not properly documented: Many organizations lack precise insights into their APIs, hindering their ability to effectively manage and secure them.
Cloudflare’s research revealed a significant disparity: machine learning-based discovery uncovered 30.7% more API endpoints compared to what organizations self-reported.

This lack of visibility poses a serious challenge, as organizations cannot adequately defend against threats they cannot identify or monitor.

Improper Configurations: Cloudflare’s analysis across all account APIs revealed that 59.2% of organizations granted ‘write’ (POST, PUT, DELETE, PATCH) access to AT LEAST 50% of their APIs.
While ‘read-only’ (GET) access APIs retrieve information from a system, ‘write’ APIs enable users and applications to make updates or changes to a system.

Malicious actors can take advantage of the ‘write’ access to launch attacks against these organizations.

Top API Error – 429 HTTP Status Code: HTTP status codes that begin with ‘2’ signify successful client actions, while issues encountered during the process may lead to redirection (status codes starting with “3”), client errors (status codes starting with “4”), or server-side errors (status codes starting with “5”).

Cloudflare’s analysis highlights a significant portion of API errors stemming from ‘429’ codes, indicating “Too Many Requests” which accounts for over half (51.6%) of observed traffic errors.

A ‘429’ error arises when the server automatically throttles API traffic due to specific triggers, such as surpassing the permitted request limit per minute from a certain IP address to a particular endpoint.

Organizations opting for manually-set rate limiting, rather than adaptive rate limiting, risk implementing outdated restrictions. In an example scenario from Cloudflare’s report: “What if
the /login endpoint is experiencing higher-than-average traffic because of a successful marketing campaign — and not an attack? In that scenario, manual rate limiting could prevent legitimate transactions.”

Common API Security Vulnerabilities: In the report, Cloudflare highlighted the most common API security vulnerabilities based on the traffic they processed. This data was obtained from the Cloudflare Web Application Firewall (WAF) managed rule category, indicating the prevalent threats mitigated for customers throughout the year 2023.

Below is a screenshot of the graphical illustration from the report:

Cloudflare’s report reveals significant challenges in managing and securing APIs for organizations. The data shows the massive volume of API traffic and the importance of adaptive rate limiting to avoid hindering legitimate transactions.

The report also emphasizes the need for accurate API discovery and better visibility into endpoints. It suggests that organizations may not fully grasp the extent of their API infrastructure, highlighting the importance of improved monitoring solutions.

In essence, Cloudflare’s findings urge organizations to rethink their approach to API management, adopting more flexible security measures and advanced technologies to protect against threats and ensure an uninterrupted digital experience.

MerkleFence can help you leverage Cloudflare’s security offerings to safeguard your online presence. With our expertise, you can harness Cloudflare’s DDoS mitigation, Web Application Firewall (WAF), bot management, threat intelligence, and API Gateway services to protect against external threats. Whether it is defending against DDoS attacks, securing your APIs, or mitigating bot-based threats, MerkleFence will ensure your organization benefits from Cloudflare’s advanced, real-time threat analysis and global network infrastructure. Request a call here.