API Shield Sequences Demo

Cloudflare API Shield Sequence Enforcement

Legitimate User

Normal Checkout Flow

Follows the correct sequence: select seat → fill details → pay. Each step must complete before moving to the next.

Bot Behavior

Skip to Payment

A bot skips the sequence and hits the payment endpoint directly. API Shield Sequences will detect this and block the request.

How API Shield Sequences work:
You define a sequence rule in Cloudflare that enforces the order of API calls. If a client skips steps or calls endpoints out of order, the request is blocked.
POST /api/seats/select → POST /api/booking/details → POST /api/payment/checkout
Any request to /api/payment/checkout that was not preceded by the first two steps (in order) will be flagged and can be logged or blocked via a Sequence Matching rule.
Legitimate User

Normal Shopping Flow

Follows the correct sequence: browse products → add to cart → checkout. All 3 steps enforced by a single WAF rule.

Bot Behavior

Skip to Checkout

A bot skips browse & add-to-cart and hits checkout directly. The single WAF rule checks previous_ops[0] and [1] to block it.

Single-rule enforcement:
Unlike the ticket flow (2 pairwise rules), this flow uses one WAF custom rule that checks exact positions:
POST /api/shop/browse → POST /api/shop/add-cart → POST /api/shop/checkout
cf.sequence.previous_ops[0] == add-cart AND cf.sequence.previous_ops[1] == browse
This enforces the exact consecutive order — no other requests allowed between steps.
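
The difference between the pairwise rules of the ticket flow and the exact-position rule of the shop flow, modelled locally as an added example (not code from this demo or from Cloudflare). The short operation names stand in for the endpoints above; the history length, the "anywhere in history" reading of a pairwise rule, and not recording blocked calls are assumptions of this model.

```python
# Added illustration: a local model of the two rule styles, not Cloudflare code.
from collections import deque

HISTORY_LEN = 10  # assumption: number of prior operations the model remembers


def pairwise_allows(op, prev):
    """Ticket-flow style: two rules, each tying one step to its predecessor.
    Assumption: the predecessor may sit anywhere in the remembered history."""
    required = {"details": "select", "pay": "details"}
    return op not in required or required[op] in prev


def exact_allows(op, prev):
    """Shop-flow style: one rule on checkout that checks exact positions,
    where prev[0] is the most recent earlier call (as on the page)."""
    if op != "checkout":
        return True
    return len(prev) >= 2 and prev[0] == "add-cart" and prev[1] == "browse"


def replay(ops, rule):
    """Run a constructed call sequence through a rule; return per-call verdicts."""
    history, verdicts = deque(maxlen=HISTORY_LEN), []
    for op in ops:
        allowed = rule(op, list(history))
        verdicts.append((op, "allow" if allowed else "block"))
        if allowed:  # assumption: a blocked call is not added to the history
            history.appendleft(op)
    return verdicts


if __name__ == "__main__":
    # Constructed sequences: legitimate, skipped step, extra call between steps.
    cases = [
        (["select", "details", "pay"], pairwise_allows),
        (["select", "pay"], pairwise_allows),
        (["select", "details", "select", "pay"], pairwise_allows),
        (["browse", "add-cart", "checkout"], exact_allows),
        (["checkout"], exact_allows),
        (["browse", "add-cart", "browse", "checkout"], exact_allows),
    ]
    for ops, rule in cases:
        print(rule.__name__, replay(ops, rule))
```

In this model an extra call between steps still passes the pairwise rules but fails the exact-position rule, which is the stricter behaviour the single-rule flow describes.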