Whitepaper: 2024 API Security & Management Report
The Internet is an endless flow of conversations between computers. These conversations often take place using application programming interfaces (APIs), which allow us to interact with software and apps in new ways. For instance, OpenAI’s ChatGPT API enables Slack to streamline chat-based workflows, and Booking.com to deliver more personalized trip planning experiences.
Today, APIs outpace other Internet traffic, comprising more than half (57%) of the dynamic Internet traffic processed by Cloudflare last year.
However, as explored in this 2023 API Security and Management Report, APIs are increasingly complex to manage and protect against abuse.
For instance, many organizations lack accurate information on their APIs. Cloudflare found 30.7% more API endpoints through machine learning-based discovery, compared to what organizations self-reported.
Unfortunately, organizations cannot properly defend what they cannot see.
Those that implement API security without an accurate, real-time picture of their API landscape can unintentionally block legitimate traffic.
Take the “too many requests” (429) error code — the #1 API client error category Cloudflare mitigated in 2023. A 429 code does not automatically mean too many requests from an attacker. For example, if the rate limits responsible for the errors were originally put in place in response to a Distributed Denial of Service (DDoS) attack, overly broad, incorrect rate limits can still block legitimate users. (Of note, DDoS protection was the #1 API mitigation method for Cloudflare customers.)
The goal of this report is to provide a valuable benchmark for organizations to holistically assess the health of their API endpoint management. After all, API security must also incorporate data to manage visibility, performance, and risks.
Methodology
The findings in this report are based on aggregated traffic patterns observed by Cloudflare’s global network (including Cloudflare’s web application firewall, DDoS protection, bot management, and API gateway services) between Oct. 1, 2022 and Aug. 31, 2023. Cloudflare serves over 50 million HTTP requests per second on average, and blocks an average of 170 billion cyber threats each day.