Are there any recommendations for page rules for JSON/REST APIs?
There’s an old StackOverflow answer at https://stackoverflow.com/a/46933983/1837353 which gives some suggestions, and links to an official article which is no longer available - replaced by an intro to the enterprise-only API Shield product.
The suggestions in that post look ok except:
- Browser Integrity Check: OFF - sounds useful and if it’s just inspecting HTTP headers, should be compatible? Depends what response is sent if the check fails.
- Web Application Firewall: OFF - wouldn’t it be useful to have some WAF rules enabled? SQL injection is still a risk in JSON requests.
- Security Level: Anything but “I’m under attack” - there’s no way to replace an API response with a challenge, so does Cloudflare just block the request based on the threat level?
I am not interested in caching the responses (and the origin is providing appropriate cache-control headers to that effect).
Thanks.