Cloudflare Docs
API Shield
Visit API Shield on GitHub
Set theme to dark (⇧+D)

Configure mTLS

When you specify API hosts in mTLS authentication, Cloudflare will block all requests that do not have a client certificate for mTLS authentication.

​​ Prerequisites

Before you can protect your API or web application with mTLS rules, you need to:

​​ Create an mTLS rule

  1. Log in to the Cloudflare dashboard and select your account and domain.

  2. Go to SSL/TLS > Client Certificates.

  3. Select Create a mTLS rule.

With the migration of Firewall Rules to WAF Custom Rules, the following steps vary depending on your zone status in the migration.

  1. In Custom rules, select Create rule

  2. Enter the following information:

    • Rule name: A descriptive identifier for your mTLS rule.
    • Field: Hostname
    • Operator: is in
    • Value: The mTLS-enabled hostnames to protect.
  3. Select And and enter the following:

    • Field: Client Certificate Verified
  4. Make sure the second expression Value is negative, resulting in an Expression Preview as the following.

    ( in {""} and not cf.tls_client_auth.cert_verified)
  5. In Choose action, select Block.

  6. Select Deploy to make the rule active.

  1. Enter the following information:

    • Rule name: A descriptive identifier for your mTLS rule.
    • Hostname: The mTLS-enabled hostnames to protect, only showing hosts in your application with mTLS enabled.
  2. By default, your rule will have a configuration similar to the following:

    Expression Action
    ( in {""} and not cf.tls_client_auth.cert_verified) Block
  3. To make this rule active, select Deploy. To add additional firewall logic — such as checking for revoked certificates — select Use firewall rule builder.

Once you have deployed your mTLS rule, any requests without a valid client certificate will be blocked.

​​ Expression Builder

To review your mTLS rule in the firewall rules Expression Builder, click the wrench icon associated with your rule.

In the Expression Preview, your mTLS rule includes a compound expression formed from two simple expressions joined by the and operator.

The first expression uses the field, combined with the is in operator, to capture the hosts your mTLS rule applies to.

The second expression — not cf.tls_client_auth.cert_verified — returns true when a request to access your API or web application does not present a valid client certificate.

Because the action for your rule is Block, only requests that present a valid client certificate can access the specified hosts.

​​ Check for revoked certificates

To check for revoked client certificates, you can either add a new mTLS rule or add a new expression to the default rule.

When a request includes a revoked certificate, the cf.tls_client_auth.cert_revoked field is set to true. If you combined this with the default mTLS rule, it would look similar to the following:

( in {""}) and (not cf.tls_client_auth.cert_verified or cf.tls_client_auth.cert_revoked)