Sequence Mitigation
Sequence Mitigation allows you to enforce request patterns for authenticated clients communicating with your API. This feature utilizes the same underlying system that powers Sequence Analytics.
You can use Sequence Rules to establish a set of known behavior for API clients.
For example, you may expect that API requests made during a bank funds transfer could conform to the following order in time:
| Order | Method | Path | Description | 
|---|---|---|---|
| 1 | GET | /api/v1/users/{user_id}/accounts | user_idis the active user. | 
| 2 | GET | /api/v1/accounts/{account_id}/balance | account_idis one of the user’s accounts. | 
| 3 | GET | /api/v1/accounts/{account_id}/balance | account_idis a different account belonging to the user. | 
| 4 | POST | /api/v1/transferFunds | This contains a request body detailing an account to transfer funds from, an account to transfer funds to, and an amount of money to transfer. | 
You may want to enforce that an API user requests GET /api/v1/users/{user_id}/accounts before GET /api/v1/accounts/{account_id}/balance and that you request GET /api/v1/accounts/{account_id}/balance before POST /api/v1/transferFunds.
Using Sequence Mitigation, you can enforce that request pattern with two new Sequence Mitigation rules.
You can create a sequence rule to enforce behavior on your API over time in two different ways. Sequence rules can either protect an endpoint from users performing a known specific sequence of API calls (otherwise known as a negative security model) or from users making API requests outside of your expectations (otherwise known as a positive security model).
Sequence rules built via the Cloudflare dashboard using API Shield rules utilize a lookback window to match endpoints in the sequence. The rule will match as long as both endpoints are found within 10 requests (to endpoints within Endpoint Management) of each other and made within 10 minutes of each other.
If you want to add multiple endpoints, ignore the lookback window, and configure time-based constraints, refer to Sequence Mitigation custom rules.
In the bank funds transfer example, enforcing that a user requests GET /api/v1/accounts/{account_id}/balance before POST /api/v1/transferFunds is considered a positive security model, since a user may only perform a funds transfer after listing an account balance.
A negative security model may be useful if you see abusive behavior that is outside the norm of your application and you need to stop the requests while researching the correct positive security model to implement.
For example, if there was an authorization bug that allowed users to iterate through other users' profiles that contain account numbers via GET /api/v1/users/{var1}/profile and then a user tries to make fradulent funds transfers, you could create up a rule to block or log the sequence GET /api/v1/users/{var1}/profile to POST /api/v1/transferFunds.
To track requests to API endpoints, they must be added to Endpoint Management. Add your endpoints to endpoint management via API Discovery, Schema validation, or manually through the Cloudflare dashboard.
API Shield uses your configured session identifier to track sessions. You must configure a session identifier that is unique per end user of your API in order for Sequence Mitigation to function as expected.
API Shield currently stores the last 10 requested endpoints by each API user identified by the session identifier. Sequence Mitigation de-duplicates requests to the same endpoint while building the sequence.
To illustrate, in the original sequence example listed above, Sequence Mitigation would store the following sequence:
- GET /api/v1/users/{user_id}/accounts
- GET /api/v1/accounts/{account_id}/balance
- POST /api/v1/transferFunds
Sequence Mitigation de-duplicated the two requests to GET /api/v1/accounts/{account_id}/balance and stored them as a single request.
Sequence Mitigation rules have a lookback period of 10 minutes. If you create a rule that one path must be requested before another path and more than 10 minutes elapses between a user requesting each path, the rule will not match.
Sequence Mitigation is currently in a closed beta and is only available for Enterprise customers. If you would like to be included in the beta, contact your account team.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark