Skip to content
The Orange Cloud Report

Core platform

API Shield

Score: 5/10

Schema validation is nice; the Enterprise gate is hard to justify.

Last updated

API Shield bundles mTLS client certificates, API discovery, schema validation, and sequence analytics into a product aimed squarely at Enterprise API estates. The mTLS piece is genuinely useful and partially available to everyone — issuing client certs from Cloudflare’s CA and enforcing them in WAF rules works well for locking down device or service traffic.

Discovery and schema validation do what they claim: upload an OpenAPI spec, block requests that don’t conform. That’s real defense-in-depth for a public API.

The trouble is that most of the value beyond mTLS sits behind Enterprise contracts, and the overlap with plain WAF custom rules is substantial — a well-built set of WAF rules gets a competent team most of the way there. Score reflects value-for-access, not capability.