Interactive demonstration of Cloudflare's Sequence Mitigation rules for API abuse detection
Current Sequence
Last 10 unique API requests (deduplicated)
Valid Sequences to Test
These sequences will pass all WAF rules
✅ Full Flow (Recommended)
1. POST /api/auth/login → 2. GET /api/products → 3. POST /api/cart/add → 4. POST /api/checkout
Complete user journey with authentication, browsing, and purchase
✅ Minimal Flow
1. POST /api/auth/login → 2. POST /api/cart/add → 3. POST /api/checkout
Direct purchase flow (skipping product browsing)
Invalid Sequences (Will Be Blocked)
These sequences violate WAF rules and return a 403 response with a JSON payload
❌ Skip Authentication
1. POST /api/checkout (directly)
WAF Rule: Checkout requires authentication
❌ Skip Product View
1. POST /api/cart/add (directly)
WAF Rule: Add to cart requires product view
❌ Skip Cart
1. POST /api/auth/login → 2. POST /api/checkout
WAF Rule: Checkout requires cart
Active Cloudflare WAF Rules
These Cloudflare WAF Custom Rules enforce API sequence security at the edge
🛡️ Rule 1: Checkout requires authentication
Blocks checkout attempts without prior authentication
Enforces: POST /api/auth/login must be called before POST /api/checkout
🛡️ Rule 2: Add to cart requires product view
Blocks cart additions without viewing products first
Enforces: GET /api/products must be called before POST /api/cart/add
🛡️ Rule 3: Checkout requires cart
Blocks checkout attempts without items in cart
Enforces: POST /api/cart/add must be called before POST /api/checkout
💡 How it works:
Cloudflare tracks your API request sequence using the Authorization header. Requests that violate these rules are blocked at the edge with a 403 response containing details about the violation.
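The three ordering rules above, modelled locally in Python as an added example (not the demo's code and not Cloudflare's rule syntax). The 403 body fields, the Bearer tokens, and the handling of repeated and blocked requests are assumptions made for illustration.

```python
# Added illustration: a local model of the demo's three ordering rules.
from collections import defaultdict

# (rule name, guarded request, request that must already be in the sequence)
RULES = [
    ("Checkout requires authentication", "POST /api/checkout", "POST /api/auth/login"),
    ("Add to cart requires product view", "POST /api/cart/add", "GET /api/products"),
    ("Checkout requires cart", "POST /api/checkout", "POST /api/cart/add"),
]
WINDOW = 10  # the demo keeps the last 10 unique requests

# Sequence state keyed by the Authorization header value, as the page describes.
_sequences = defaultdict(list)

def handle(authorization, op):
    """Return (status, body) for one request in the session named by the header."""
    seen = _sequences[authorization]
    for name, guarded, required in RULES:
        if op == guarded and required not in seen:
            # Assumption: a blocked request is not added to the sequence.
            # The body field names are constructed; the page does not show them.
            return 403, {"blocked": True, "rule": name, "missing": required}
    if op in seen:       # Assumption: a repeated request moves to the newest slot.
        seen.remove(op)
    seen.append(op)
    del seen[:-WINDOW]   # keep only the newest WINDOW entries
    return 200, {"blocked": False, "sequence": list(seen)}

def replay(authorization, ops):
    """Send ops in order; return the list of status codes and the last body."""
    results = [handle(authorization, op) for op in ops]
    return [status for status, _ in results], results[-1][1]

if __name__ == "__main__":
    # Constructed tokens; each one is a separate session.
    full = ["POST /api/auth/login", "GET /api/products",
            "POST /api/cart/add", "POST /api/checkout"]
    print(replay("Bearer demo-a", full))                    # Full Flow
    print(replay("Bearer demo-b", ["POST /api/checkout"]))  # Skip Authentication
    print(replay("Bearer demo-c", ["POST /api/cart/add"]))  # Skip Product View
    print(replay("Bearer demo-d", ["POST /api/auth/login",
                                   "POST /api/checkout"]))  # Skip Cart
```

Read literally, Rule 2 in this model also matches the Minimal Flow, which has no GET /api/products before POST /api/cart/add; the deployed rule expressions are not shown on the page, so the model follows the rule descriptions only.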