Cloudflare

UWA Web Security Review

API Shield & Page Shield — Findings & Recommendations

April 2026  ·  Cloudflare Solutions Engineering

Today's Agenda

1. API Discovery: Scale of UWA's attack surface

2. Schema Validation: The gap — and the quick win

3. Risk Signals & Errors: What Cloudflare is flagging

4. Session Identifiers: Root cause & how to fix it

5. Page Shield: Client-side scripts, connections & cookies

6. Recommended Actions: Prioritised next steps across both products

What We Found

A large, complex API surface — partially mapped, not yet protected

API Discovery — UWA's Attack Surface

  • 2,468 Endpoints Discovered (via Machine Learning)

  • 950 Needs Review (not yet saved or ignored)

  • 1,489 Saved & Monitored (in Endpoint Management)

  • 78 Hostnames in Scope (across UWA subdomains)

What's working

  • ML automatically discovered endpoints — no manual inventory needed

  • Auto-labelling is classifying cf-api-endpoint vs cf-web-page

  • 1,489 endpoints actively generating performance & security metrics

Action needed

  • 950 endpoints in "Needs Review" — undiscovered risk until saved

  • Priority: save all cf-api-endpoint labelled ones first

  • Key example: POST /Calculator/GetUnitsForMajor on fees.uwa.edu.au

Schema Validation — A Major Gap

  • 2,348 Total Endpoints in Schema Validation

  • 2,348 No Validation Applied (100% unprotected)

  • 1,168 Learned Schemas Ready (one click to apply)

Current state

  • Default action is None — not logging, not blocking

  • "No schema" means validation is completely silent

  • Non-compliant API requests pass through unchallenged

  • No data in Security Events from schema rules

The quick win

  • Cloudflare has already learned schemas from 1,168 endpoints

  • Change default action to Log — zero disruption, instant visibility

  • Apply learned schemas in bulk by hostname

  • Review events for 48–72 hrs, then move to Block

Risk Signals & Error Rates

Cloudflare Risk Labels Detected

  • cf-risk-errors-anomaly: Error rate significantly above baseline — possible broken or deprecated endpoint

  • cf-risk-missing-auth: No authentication identifiers found on requests to this endpoint

  • cf-risk-missing-schema: No schema applied — requests not being validated at all

  • cf-risk-mixed-auth: Some requests authenticated, some not — potential unauthorised access

Error Rates Requiring Attention

  • 90.7% error rate · HEAD endpoint — www.uwa.edu.au · Critical — labelled errors-anomaly. Investigate immediately.

  • 49.3% error rate · HEAD endpoint

  • 22.1% error rate · HEAD endpoint

  • 5.03% error rate · GET endpoint (↑ 72.67% trend)

  • 1.68% error rate · GET endpoint (↑ 45.93% trend)

Session Identifiers

The root cause behind low confidence, blind analytics, and 0% auth coverage

Why Session Identifiers Matter

UWA's current state:  638,200 requests with no identifier  ·  only 351 matched the Authorization header  =  0.05% session coverage

Rate Limiting (current status: Low confidence)

Without session IDs, Cloudflare can only recommend IP-based rate limits — coarse and easy to evade. With sessions: per-user, per-endpoint precision.

Sequence Analytics (current status: Blind)

Cannot correlate API calls into sessions. Cloudflare can't detect attack sequences (e.g. enumerate → extract → exfiltrate) without knowing who is making each request.

Auth Posture (current status: 0% coverage)

Authentication Posture shows 0% — not because UWA has no auth, but because the wrong identifier is configured. Can't detect unauthenticated access to protected endpoints.

Fixing the session identifier is the single highest-leverage action available — it unlocks rate limiting confidence, Sequence Analytics, Authentication Posture, and Sequence Mitigation simultaneously.

What Can Be Used as a Session Identifier?

Cookie

Cookie: JSESSIONID=abc123

A named session cookie that uniquely identifies the user's session. Must comply with RFC 6265. Common in traditional web apps and student portals.

Best if UWA uses cookie-based auth (e.g. LMS, student portal)

HTTP Header

Authorization: Bearer <token>

X-Auth-Token: <value>

Any HTTP request header that carries a unique session value. The Authorization header is configured today but only used in 0.05% of requests — UWA likely uses a different header.

Ask dev team: what header do API clients send?

JWT Claim

JWT claim: sub / email / user_id

If UWA uses JSON Web Tokens, a stable claim inside the JWT (like sub or email) can be used. The JWT value changes over time, but the claim inside stays constant.

Requires JWT Validation to be configured first

Action for UWA

Step 1: Ask the dev team — "What header or cookie uniquely identifies a logged-in API session?"

Step 2: Configure it in API Shield Settings → Manage identifiers (cookie, header, or JWT claim)

Step 3: Allow 24 hours for Cloudflare to rebuild per-session metrics & rate limit recommendations
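An added example (not Cloudflare's or UWA's code) of the measurement behind Step 1: before configuring an identifier, scan request metadata for each candidate (a named cookie, a header, or a JWT claim) and report what share of requests carries it and how many distinct sessions it yields, the same coverage figure that currently reads 0.05% for the Authorization header. The sample traffic, cookie and header names are constructed assumptions.

```python
import base64
import json

def parse_cookies(header):
    """Split a Cookie header (RFC 6265 name=value pairs) into a dict."""
    cookies = {}
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies

def jwt_claim(authorization, claim):
    """Read one claim from a Bearer JWT payload without checking the signature:
    this only measures coverage; API Shield JWT Validation does the real check."""
    try:
        _header, payload, _sig = (authorization or "").removeprefix("Bearer ").split(".")
        payload += "=" * (-len(payload) % 4)  # restore base64url padding
        return json.loads(base64.urlsafe_b64decode(payload)).get(claim)
    except (ValueError, AttributeError):  # not a 3-part token, or payload not a JSON object
        return None

def identifier_value(req, kind, name):
    """Extract one candidate identifier (cookie, header or jwt_claim) from a request."""
    if kind == "cookie":
        return parse_cookies(req.get("cookie")).get(name) or None
    if kind == "header":
        return req.get(name) or None
    return jwt_claim(req.get("authorization"), name)

def coverage(requests, candidates):
    """Map each (kind, name) candidate to (share of requests carrying it, distinct sessions)."""
    report = {}
    for kind, name in candidates:
        present = [v for v in (identifier_value(r, kind, name) for r in requests) if v]
        report[(kind, name)] = (len(present) / len(requests), len(set(present)))
    return report

# Constructed sample traffic, not real UWA logs; header names are lower-cased.
_JWT = "h." + base64.urlsafe_b64encode(b'{"sub":"u7"}').rstrip(b"=").decode() + ".s"
SAMPLE = [{"cookie": "JSESSIONID=s1; theme=dark"}, {"cookie": "JSESSIONID=s1"},
          {"cookie": "JSESSIONID=s2", "x-auth-token": "t9"}, {"x-auth-token": "t9"},
          {"cookie": "theme=dark", "authorization": "Bearer " + _JWT}]
CANDIDATES = [("cookie", "JSESSIONID"), ("header", "authorization"),
              ("header", "x-auth-token"), ("jwt_claim", "sub")]

if __name__ == "__main__":
    for (kind, name), (share, sessions) in coverage(SAMPLE, CANDIDATES).items():
        print(f"{kind:>9} {name:<14} coverage {share:6.1%}  distinct sessions {sessions}")
```

The candidate with the highest coverage and a sensible number of distinct sessions is the one to configure under Manage identifiers; a candidate that is present but maps every request to one value (a shared token) is not a session identifier.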

Recommended Actions

Prioritised steps to activate full API Shield protection

Priority Action Plan

1. Investigate the 90.7% error rate endpoint (Urgent)
   HEAD www.uwa.edu.au — check if deprecated or under attack. Check origin logs.

2. Identify & configure the correct session identifier (High)
   Consult dev team. Configure cookie, header, or JWT claim in API Shield Settings.

3. Change schema validation default action to Log (High)
   Zero disruption. Instant visibility into non-compliant requests. Security → API Shield → Settings.

4. Apply learned schemas to 1,168 ready endpoints (High)
   Use "Apply learned schema" per hostname. Review events for 48–72 hrs, then move to Block.

5. Triage 950 "Needs Review" endpoints (Medium)
   Filter by cf-api-endpoint label. Save API endpoints, ignore static web pages.

6. Review cf-risk-mixed-auth endpoints with dev team (Medium)
   Endpoints with mixed auth may allow unauthenticated access. Validate intended behaviour.

7. Deploy fallthrough WAF rule (Medium)
   Catch requests to endpoints not in Endpoint Management. Protects against zombie/legacy APIs.

Next Steps

This Week

1. Identify session identifier

Action: UWA dev team confirms the correct header/cookie used for API sessions

2. Investigate high error rate endpoints

Action: Review origin logs for the 90.7% error endpoint. Determine if deprecation or active issue.

3. Enable schema validation logging

Action: Cloudflare SE sets default action to Log and applies learned schemas to one hostname

Next 2–4 Weeks

4. Apply schemas across all hostnames

After review period, move to Block on highest-risk endpoints first

5. Triage & save remaining 950 endpoints

Complete Endpoint Management coverage across all discovered assets

6. Deploy fallthrough rule & review mixed-auth

Protect undiscovered endpoints. Validate auth posture on mixed-auth endpoints.

Ongoing: Once session IDs are configured, revisit rate limit recommendations — they will rebuild with high confidence within 24–48 hours.

Page Shield

Client-side security — scripts, connections & cookies running in your users' browsers

What is Page Shield & Why It Matters

The threat: supply chain attacks

UWA's web pages load JavaScript from dozens of third-party providers. If any one of those providers is compromised, attackers can silently inject malicious code into UWA's pages — stealing student credentials, financial data, and personal information directly from the browser. The university never touches the attacker's code; it arrives via a trusted third party.

What Page Shield does

  • Automatically inventories every script, connection & cookie running on your pages

  • Detects malicious scripts using ML & Cloudflare threat intelligence

  • Alerts when a known-good script suddenly changes (tamper detection)

  • Enforces a Content Security Policy allowlist — blocks unauthorised scripts at the browser level

  • Surfaces privacy/compliance risks from third-party trackers and advertising pixels

UWA's client-side exposure — at a glance

  • 1,039 Scripts Detected across uwa.edu.au

  • 236 Third-Party Connections in last 7 days

  • 2,366 Cookies Detected (many unaudited or unclassified)

Real-world impact: The 2020 British Airways attack — a supply chain compromise via a third-party script — resulted in a £20M fine and 500,000 customer records stolen. UWA's current posture has no mechanism to detect or block this type of attack.

Scripts — 1,039 Detected

What's running on UWA pages

Critical finding: Admin script on student pages

printerface.uniprint.uwa.edu.au/js/admin/ui/admin.js

An admin-level JavaScript file from UWA's print management system (UniPrint) is loading on student-facing pages. If this system is compromised, the attacker inherits admin-level script execution in student sessions.

Outdated library: Bootstrap 3.0.0 (2013)

printerface.uniprint.uwa.edu.au/js/bootstrap-3.0.0.min.js

Bootstrap 3.0.0 is over 10 years old and carries multiple known CVEs. Loading this from an external subdomain increases supply chain risk.

70 pages of scripts — no visibility into changes

1,039 scripts across UWA's estate. Without Page Shield Advanced, there is no alert if any of these scripts are silently modified by an attacker.

What Page Shield provides

Code change detection

Alerts the moment a script's code changes — catching supply chain compromises in real time, before students are affected.

Malicious script detection

ML + Cloudflare threat intelligence continuously classifies all 1,039 scripts. Malicious scripts surface at the top of the list automatically.

Content security rules (allowlist)

Define which scripts are permitted. Any script not on the allowlist is blocked at the browser — even if it was injected via a third-party compromise.

New script alerts

Instant notification when a script appears on UWA pages for the first time — detecting unauthorised additions before they cause harm.

Connections — 236 Third-Party Destinations

Advertising & tracking pixels on student pages

pixels.spotify.com

Advertising pixel

Spotify tracking pixel active on course detail & handbook pages — student browsing behaviour sent to Spotify

tr6.snapchat.com & tr.snapchat.com

Advertising pixel

Snapchat advertising pixels on course pages — collecting student data for ad targeting

analytics.tiktok.com

Advertising pixel

TikTok pixel on course detail pages — potential ESOS Act & privacy compliance concern

ad.doubleclick.net

Ad network

Google DoubleClick ad network connection on course pages

k.clarity.ms & d.clarity.ms

Session recording

Microsoft Clarity captures keystrokes & mouse movements — high privacy sensitivity on student pages

Why this matters

Privacy & compliance risk

Social media advertising pixels (Snapchat, TikTok, Spotify) on pages where students browse their courses and handbooks raise serious questions under the Australian Privacy Act, ESOS Act, and UWA's own data governance obligations. Students have not consented to having their academic browsing shared with advertising platforms.

236 connections = 236 potential attack vectors

Every third-party connection is a dependency. If any of these services is compromised — Spotify, Snapchat, Sitecore, Clarity — that compromise can propagate directly into UWA's student-facing pages.

Page Shield: malicious connection detection

Automatically classifies all 236 connections against threat feeds. Alerts when a connection destination becomes malicious — even if the script itself hasn't changed.

Cookies — 2,366 Detected

Notable findings

Shopify cookie on www.uwa.edu.au

_shopify_y  ·  www.uwa.edu.au/Theme-SXA/dist/masterbrand/main.js

A Shopify session cookie is being set on UWA's main domain via the Sitecore theme. This creates a direct Shopify supply chain dependency on www.uwa.edu.au. If Shopify or the Sitecore theme is compromised, this cookie and its session data are at risk.

Google Ads attribution cookies

Multiple Google advertising attribution cookies are present: _gcl_aw, _gcl_dc, FPGCLGS, FPGCLAW, first_click_attr_gtm_dd_sep_gclid. These track student advertising journeys — their presence on academic and enrolment pages requires careful privacy review.

Microsoft Clarity session key

_clsk  ·  Microsoft Clarity session recording

Clarity records user sessions including keystrokes. The associated cookie identifies students across their browsing session — a significant data collection footprint for an educational institution.

  • 2,366 Total Cookies (158 pages — the vast majority unaudited)

The compliance risk

2,366 cookies with no systematic classification means UWA cannot answer basic questions required for privacy compliance: Which cookies are session vs persistent? Which are set by third parties? Which carry student PII? Which lack HTTPOnly or Secure flags?

Page Shield Advanced: cookie intelligence

  • Classifies all cookies by type, origin, and security attributes

  • Flags cookies missing HTTPOnly, Secure, or SameSite flags

  • Identifies cookies set by third parties without UWA's knowledge

  • Provides the inventory needed for a compliant cookie consent policy
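As an added example, not Page Shield's own logic, the audit below classifies constructed Set-Cookie lines the way the compliance questions above require: session vs persistent, first vs third party (by the host that set the cookie), and missing Secure, HttpOnly or SameSite attributes, including the SameSite=None-without-Secure case that browsers reject. The first-party domain, hosts and cookie names are assumptions.

```python
SITE = "uwa.edu.au"  # assumption: the registrable domain treated as first party

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, {attribute: value}); attribute names lower-cased."""
    first, *rest = header.split(";")
    name = first.strip().partition("=")[0].strip()
    attrs = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(set_by, header, site=SITE):
    """Classify one cookie (origin, lifetime) and list the attribute gaps Page Shield would flag."""
    name, attrs = parse_set_cookie(header)
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        issues.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        issues.append("SameSite=None without Secure (browsers reject the cookie)")
    return {"name": name, "set_by": set_by, "issues": issues,
            "third_party": not (set_by == site or set_by.endswith("." + site)),
            "persistent": "expires" in attrs or "max-age" in attrs}  # outlives the browser session

def summary(findings):
    """Counts that answer the compliance questions above."""
    return {"total": len(findings), "third_party": sum(f["third_party"] for f in findings),
            "persistent": sum(f["persistent"] for f in findings),
            "with_issues": sum(bool(f["issues"]) for f in findings)}

# Constructed Set-Cookie lines, not captured from UWA; hosts and cookie names are illustrative.
SAMPLE = [
    ("www.uwa.edu.au", "JSESSIONID=s1; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.uwa.edu.au", "prefs=dark; Path=/; Max-Age=31536000"),
    ("ads.example.net", "track_id=t9; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None"),
    ("lms.uwa.edu.au", "csrf=x; Secure; SameSite=Strict"),
]

if __name__ == "__main__":
    findings = [audit_cookie(host, header) for host, header in SAMPLE]
    for f in findings:
        print(f["name"], f["set_by"], "third-party" if f["third_party"] else "first-party",
              "persistent" if f["persistent"] else "session", ", ".join(f["issues"]) or "ok")
    print(summary(findings))
```

Cookies set from JavaScript (document.cookie) rather than a Set-Cookie header can never carry HttpOnly, so an inventory of script-set cookies needs the script URL, not just the response host, to attribute them.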

Page Shield — Priority Actions

Immediate

1. Investigate admin/ui/admin.js on student pages (Urgent)
   Confirm whether printerface.uniprint.uwa.edu.au/js/admin/ui/admin.js is intentionally loaded. If not, remove immediately.

2. Privacy review of advertising pixels (Urgent)
   Legal/compliance review of Snapchat, TikTok, Spotify, DoubleClick pixels on student-facing pages. Confirm consent basis and ESOS Act obligations.

3. Review Shopify cookie on www.uwa.edu.au (High)
   Confirm whether the Sitecore theme Shopify integration is intentional and assess the supply chain dependency.

Near Term

4. Enable code change detection & alerts (High)
   Page Shield Advanced alerts the moment any of the 1,039 scripts changes — the primary defence against supply chain attacks.

5. Build a script allowlist via content security rules (High)
   Audit the 1,039 scripts, approve legitimate ones, and enforce a CSP allowlist. Unauthorised scripts are blocked at the browser.

6. Cookie audit & consent policy alignment (Medium)
   Use Page Shield cookie intelligence to produce a full cookie inventory. Align with UWA's privacy statement and cookie consent banner.

7. Upgrade Bootstrap 3.0.0 on print system (Medium)
   Work with UniPrint/IT to update the outdated Bootstrap library and review all scripts loaded from printerface.uniprint.uwa.edu.au.