Configure mTLS
When you specify API hosts in mTLS authentication, Cloudflare will block all requests that do not have a certificate for mTLS authentication.
Prerequisites
Before you can protect your API or web application with mTLS rules, you need to:
- Check that the certificate installed on your origin server matches the hostname of the client certificate, for example
api.example.com
. Origin server wildcard certificates such as*.example.com
are not supported. - Create a client certificate.
- Configure your mobile app or IoT device to use your Cloudflare-issued client certificate.
- Enable mutual Transport Layer Security (mTLS) for a host in your zone.
Create an mTLS rule
To create an mTLS rule in the Cloudflare dashboard, follow these steps:
Log in to your Cloudflare account and select your application.
Go to Security > Firewall rules.
Click Create a mTLS rule.
Enter the following information:
- Rule name: A descriptive identifier for your mTLS rule.
- Hostname: The mTLS-enabled hostnames to protect, only showing hosts in your application with mTLS enabled.
By default, your rule will have a configuration similar to the following:
Expression Action (http.host in {"api.example.com"} and not cf.tls_client_auth.cert_verified)
Block To make this rule active, click Deploy. To add additional firewall logic — such as checking for revoked certificates — click Use firewall rule builder.
Once you have deployed your mTLS rule, any requests without a Cloudflare-issued client certificate will be blocked.
Expression Builder
To review your mTLS rule in the firewall rules Expression Builder, click the wrench icon associated with your rule.
In the Expression Preview, your mTLS rule includes a compound expression formed from two simple expressions joined by the and
operator.
The first expression uses the http.host
field, combined with the in
operator, to capture the hosts your mTLS rule applies to.
The second expression — not cf.tls_client_auth.cert_verified
— returns true
when a request to access your API or web application does not present a valid client certificate.
Because the action for your rule is Block, only requests that present a valid client certificate can access the specified hosts.
Check for revoked certificates
To check for revoked client certificates, you can either add a new mTLS rule or add a new expression to the default rule.
When a request includes a revoked certificate, the cf.tls_client_auth.cert_revoked
field is set to true
. If you combined this with the default mTLS rule, it would look similar to the following:
(http.host in {"api.theburritobot.com"}) and (not cf.tls_client_auth.cert_verified or cf.tls_client_auth.cert_revoked)