Cloudflare started as a CDN that quickly became popular among developers due to its efficiency in delivering customer facing Internet content from a closer location to the end user than the real location of the backend server. Here is how to integrate Approov token checking into it.
Nowadays Cloudflare can also be used at scale as a reverse proxy and API Gateway for any API backend because they sit between the client and the API server backend. This enables all kinds of possibilities without the need to modify the API code itself by leveraging Cloudflare workers. In fact this was the approach taken by one of our customers, Scoffable, covered in the blog post Securing your API Server with Approov and Cloudflare.
The integration of Approov in your API served by Cloudflare, via the Approov Cloudflare Worker, was built from a fork of the Scoffable repo, and will ensure that your API can only be accessed by genuine instances of your mobile app. Scripts and bots will be blocked. This is achieved by adding the Approov SDK to your mobile app, and does not require you to change a single line of code in the API server itself. Implementing the Approov Token check in your API routed through Cloudflare couldn’t be easier because the token is a regular signed JWT. All you need is to use the Approov Token Worker to check the expiration time and verify the signature with the secret only known by the Approov Token Worker at Cloudflare and the Approov cloud service.
To enhance the protection of your API further, you can secure each request by using instead the Approov Token Binding Worker for Cloudflare. This allows you to additionally check the binding of a header in the request with the Approov token itself, for example the user authentication header.
Please follow this Quickstart guide to learn how to integrate Approov into your current API routed through Cloudflare.
If you have any questions around why or how to use Approov with Cloudflare, don’t hesitate to contact us.