1. Overview
An initial configuration review showed that the Layer 7 (L7) perimeter was largely unprotected.
The WAF was active but minimally configured, most managed rule sets were disabled, and advanced security features such as API Shield were not in use.
The environment also relied on a legacy OAuth implementation that contained a BOLA (Broken Object Level Authorization) issue.
I structured a plan to strengthen WAF coverage, introduce edge API-level validation, and migrate OAuth traffic without breaking existing integrations.
2. Identifying Gaps
Key issues:
- Managed WAF rules mostly disabled
- Inconsistent policy separation across projects
- Limited visibility and change control for configuration updates
- Legacy OAuth flow allowing unvalidated object access
- API endpoints receiving millions of malformed requests
At this stage the platform was functioning primarily as a reverse proxy and DNS service rather than as an active security layer.
3. Phased Hardening Approach
I proposed a staged rollout to limit risk and validate configurations progressively:
- Rule assessment: evaluate relevant WAF rule sets (Managed, OWASP, API Protection).
- Test deployment: enable rules in Log mode across lower environments to measure potential impact.
- Tuning: review logs, adjust thresholds, and promote validated rules to Block mode.
- Production deployment: roll out hardened rules with custom metrics and alerting.
Configuration changes were tracked in version control and automated via Terraform and Cloudflare APIs to ensure consistency across environments.
4. API Schema Enforcement
API Shield was introduced to enforce schema-based validation at the edge.
Swagger/OpenAPI definitions were generated for each internal service and uploaded for validation.
This resulted in:
- Reduction in unwanted traffic from unknown or malformed requests
- Lower false-positive rate across WAF rules
- Predictable rollout, with schema versions mapped per service and environment
Documentation gaps extended implementation time, as schema definitions needed to be built and verified from scratch (by myself :)
5. OAuth Flow Modernization
I developed and deployed a Cloudflare Worker that translates requests using the legacy OAuth flow into the new format.
This provided backward compatibility for production clients and enabled a controlled migration path.
Key outcomes:
- Legacy clients continued to operate without modification
- Migration executed incrementally to reduce downtime risk
- Real-time metrics and logging available via Cloudflare analytics
The Worker effectively served as a temporary compatibility and traffic management layer.
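To make the translation layer concrete, here is an added example (not the original Worker, whose legacy and target formats the write-up does not show). It assumes legacy clients carry the token as an `access_token` query parameter or an `X-Auth-Token` header under `/oauth/v1/`, while the modern API expects `Authorization: Bearer <token>` under `/oauth/v2/`; all of those names are assumptions.

```javascript
// Added example, not the original Worker. Assumed legacy format: token in an
// `access_token` query parameter or an `X-Auth-Token` header, paths under
// /oauth/v1/. Assumed modern format: `Authorization: Bearer <token>`, paths
// under /oauth/v2/. None of these names come from the write-up.
const LEGACY_PREFIX = '/oauth/v1/';
const MODERN_PREFIX = '/oauth/v2/';

// Synchronous and side-effect free so it can be unit-tested outside the runtime.
// Returns { request, legacy }: the rewritten request, and whether the caller used
// the legacy flow (the signal used to track migration progress).
function translateLegacyRequest(request) {
  const url = new URL(request.url);
  const headers = new Headers(request.headers);
  let legacy = false;

  // Modern callers already send Authorization; a legacy carrier must never
  // override a bearer token that is already present.
  if (!headers.has('Authorization')) {
    const token = url.searchParams.get('access_token') || headers.get('X-Auth-Token');
    if (token) {
      headers.set('Authorization', `Bearer ${token}`);
      legacy = true;
    }
  }
  // Strip the legacy carriers in every case so the token is not forwarded in the
  // URL, where origin access logs and referrers would capture it.
  url.searchParams.delete('access_token');
  headers.delete('X-Auth-Token');

  if (url.pathname.startsWith(LEGACY_PREFIX)) {
    url.pathname = MODERN_PREFIX + url.pathname.slice(LEGACY_PREFIX.length);
    legacy = true;
  }
  // Tag the request so origin logs and Cloudflare analytics can count how much
  // traffic still depends on the compatibility layer.
  headers.set('X-Legacy-Flow', legacy ? '1' : '0');

  const upstream = new Request(url.toString(), { method: request.method, headers, body: request.body });
  return { request: upstream, legacy };
}

// Worker entry point; in the deployed module this object is the default export.
const worker = {
  async fetch(request) {
    const { request: upstream, legacy } = translateLegacyRequest(request);
    console.log(JSON.stringify({ path: new URL(upstream.url).pathname, legacy }));
    return fetch(upstream);
  },
};
```

The translation only changes token transport and path; the object-level authorization check that closed the BOLA issue belongs to the new flow at the origin, not to this layer.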
6. IAM and Monitoring Enhancements
IAM policies and API tokens were reviewed to remove shared credentials and align with least-privilege principles.
Additional controls were implemented:
- Role-based access reviews
- Audit logging for configuration changes
- Integration with centralized log management for WAF, API Shield, and Worker events
- Alerting on rule modifications and DDoS activity
These changes established a baseline for continuous monitoring and operational accountability.
7. Results
Measured improvements following rollout:
- WAF coverage expanded to over 90% of exposed routes
- OAuth-related BOLA issue resolved
- Edge-level API validation active through API Shield
- ~70% reduction in request noise via schema enforcement
- Client migration completed without disruption
- Unified visibility across IAM and security logs
Overall, the platform transitioned from a passive CDN-style deployment to an active L7 security boundary with integrated validation and observability.
8. Key Takeaways
- Always start with Log mode and review before enforcing rules.
- Schema validation helps filter noise early and improves rule precision.
- Workers are effective for compatibility and phased modernization.
- IAM and monitoring should be treated as core security components, not operational overhead.
The resulting setup provides a maintainable and auditable security layer while maintaining flexibility for future edge service updates.