Integrating Approov with Cloudflare WAF, Bot Management & API Shield
Cloudflare is a widely adopted platform for protecting web applications and APIs against malicious traffic, DDoS attacks, and abuse. When combined with Approov Mobile App Protection, you can achieve device-to-cloud security that validates not just API traffic patterns, but also the authenticity and integrity of the mobile app and device making the request.
This guide outlines how to integrate Approov with Cloudflare to achieve stronger protection against:
- API abuse and scraping
- Bot impersonation
- Reverse-engineered or repackaged apps
- Credential stuffing
- Injection of forged API requests
Why Integrate Approov with Cloudflare?
Cloudflare provides powerful perimeter-level defenses, including:
- Web Application Firewall (WAF): Blocks common OWASP threats.
- Bot Management: Detects and blocks known and unknown bots.
- API Shield: Offers schema validation, mTLS, and JWT validation.
However, Cloudflare does not inherently verify if a request comes from a genuine mobile app running in a safe device environment. That’s where Approov strengthens the security stack by:
- Verifying mobile app integrity and environment at runtime
- Preventing unauthorized apps and scripts from accessing your API
- Enabling token-based attestation for every request
Architectural Overview
Here’s how the integrated flow works:
- The mobile app includes the Approov SDK, which performs runtime attestation.
- For each API call, the SDK adds a short-lived Approov token to the request header.
- The API requests are routed through Cloudflare.
- Cloudflare Workers or API Gateway rules are configured to verify the Approov token using shared secrets.
- If the token is valid, traffic is passed through; otherwise, it is blocked or challenged.
This layered defense ensures that:
- The app is untampered
- The device is uncompromised
- The request is authentic and non-replayable
Integration Steps
1. Add Approov Token Verification in Cloudflare
Cloudflare Workers let you run custom logic at the edge. You can use a Worker script to verify the Approov token in real time using the HS256 signing secret provided by Approov.
Example flow using a Cloudflare Worker:
addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  // The Approov SDK sends the attestation token in this header
  const token = request.headers.get("Approov-Token")
  if (!token) {
    return new Response("Missing Approov token", { status: 401 })
  }
  // Signature verification uses WebCrypto and is asynchronous, so await it
  const isValid = await verifyApproovToken(token)
  if (!isValid) {
    return new Response("Invalid Approov token", { status: 403 })
  }
  // Token accepted: forward the request to the origin
  return fetch(request)
}
✅ You will need to implement the verifyApproovToken() function using your shared secret. Cloudflare’s built-in JWT libraries or external WASM modules can help.
Alternatively, if you use Cloudflare API Gateway or API Shield, JWT validation rules can be configured via the dashboard to only allow requests with:
- Valid signature (HS256)
- Non-expired token
- Required claims (e.g., sub, exp, anno, did)
2. Modify Your Approov Security Policy (Optional)
If you use Cloudflare’s bot mitigation, consider relaxing the bot rules for requests that pass Approov attestation.
You can set a custom HTTP header, such as X-Approov-Verified: true, in your Worker after validation, and then use Cloudflare’s rule engine to bypass bot challenges when this header is present. Make sure the Worker strips or overwrites any X-Approov-Verified header supplied by the client, so that the flag can only ever be set after a successful verification.
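The Worker-side glue for this step, as an added example that is not part of the guide: the handler drops any client-supplied X-Approov-Verified header before doing anything else, enforces the token check, and only then sets the flag on the request it forwards. The verifier and the origin fetch are injected through the hypothetical parameters verifyToken and originFetch so the logic can be exercised without a live Approov secret or origin; the URL and token strings are constructed.

```javascript
// Added example (not from the guide): Worker request handler for step 2. Token
// verification and the origin fetch are injected (hypothetical parameter names
// verifyToken / originFetch) so the handler can run without a live Approov
// secret or origin. Header names are the ones used in the guide.
const TOKEN_HEADER = 'Approov-Token';
const VERIFIED_HEADER = 'X-Approov-Verified';

function makeApproovHandler({ verifyToken, originFetch }) {
  return async function handleRequest(request) {
    // The verified flag must only ever be set by this Worker. Remove anything
    // the client sent under that name before the token is even looked at, so a
    // caller cannot pre-set the header a downstream bot rule keys on.
    const headers = new Headers(request.headers);
    headers.delete(VERIFIED_HEADER);

    const token = headers.get(TOKEN_HEADER);
    if (!token) {
      return new Response('Missing Approov token', { status: 401 });
    }
    // verifyToken returns { ok, reason } (same shape as a JWT verifier would)
    const result = await verifyToken(token);
    if (!result.ok) {
      // Keep the reason in the Worker log; the caller only learns it failed.
      console.warn(`Approov token rejected: ${result.reason}`);
      return new Response('Invalid Approov token', { status: 403 });
    }

    // Attestation passed: mark the request for downstream Cloudflare rules and
    // forward it to the origin with the sanitised header set.
    headers.set(VERIFIED_HEADER, 'true');
    return originFetch(new Request(request, { headers }));
  };
}

// Constructed origin stand-in: records what reaches it and answers 200.
function makeRecordingOrigin() {
  const received = [];
  const originFetch = async (req) => {
    received.push(req);
    return new Response('origin ok', { status: 200 });
  };
  return { received, originFetch };
}

// Wiring in a real Worker would be:
//   const handler = makeApproovHandler({ verifyToken, originFetch: fetch });
//   addEventListener('fetch', event => event.respondWith(handler(event.request)));
```

Because the flag is deleted first and set last, a request that arrives with X-Approov-Verified already present but no (or an invalid) Approov token is rejected with 401/403 and never reaches the origin, and a request that passes attestation reaches the origin with exactly one X-Approov-Verified header, set by the Worker.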
3. Using Approov with Cloudflare API Shield (JWT Mode)
Cloudflare API Shield natively supports JWT validation:
- Upload your Approov account secret (HS256) as a JWT validation key
- Configure token rules:
  - exp must be valid
  - Signature must match
  - Optional: require claim did for device ID
- Apply the rule to your API path
This allows Cloudflare to block unverified API calls at the edge, before they ever reach your infrastructure.
Best Practices
- Ensure Approov tokens are short-lived (default: 5 mins) to limit replay attacks.
- Pin the TLS connections your API requests use, via Approov’s dynamic pinning, to prevent MitM attacks.
- Use token binding to tie Approov tokens to user identity or session tokens if needed.
- Monitor Approov metrics and Cloudflare logs for mismatches or anomalies.
Example Use Cases
| Threat | Cloudflare Alone | With Approov |
| --- | --- | --- |
| Repackaged or fake apps | ❌ | ✅ |
| API key abuse or scraping bots | 🚫 Partial | ✅ |
| Device-level rooting detection | ❌ | ✅ |
| JWT signature validation | ✅ (via API Shield) | ✅ (app-level token) |
| Client-side automation | 🚫 Partial | ✅ |
Summary
Cloudflare offers an excellent perimeter for protecting APIs, but it cannot attest to the integrity of the mobile app or the device. Integrating Approov ensures that only genuine, untampered, and uncompromised mobile apps can access your backend, dramatically reducing attack surface from mobile-originated threats.
When Approov and Cloudflare are used together, you benefit from:
- Enhanced API abuse prevention
- Strong bot defense
- Dynamic mTLS and JWT validation
- End-to-end zero-trust enforcement from app to backend
Additional Resources
- Approov API Protection Docs
- Cloudflare Workers JWT Library
- Approov Token Validation Guide
- Cloudflare API Shield JWT Configuration