Cloudflare spent its 10th-birthday week rolling out free products for customers including one that tackles API security and another that CEO Matthew Prince calls a “privacy first” alternative to Google Analytics.
“Every year on our birthday, we give back with a series of product announcements that aren’t just about how do we make more money, or sell more things to our customers,” Prince said. “But what are some of the things that we can do that make the internet as a whole better.”
In 2011, this included automatic support for IPv6. Three years later Cloudflare released Universal SSL and gave all of its customers SSL certificates. This made it free for them to move from HTTP to HTTPS, and it massively increased the size of the encrypted web from less than 50% in 2014 to more than 90% today, Prince said. “It was pretty astonishing, when we launched that we actually doubled the size of the encrypted web in a single day.”
This year, API Shield is one of those make-the-internet-better gifts. This product makes it simpler to secure APIs by using strong client certificate-based identity and strict schema-based validation.
Cloudflare API Shield
Cloudflare is one of the biggest network providers in the world and it processes about 20 million internet requests per second for its customers, Prince said. “About half of the requests that we see, so nearly 10 million requests per second, aren’t going to a traditional website,” he added. “They’re going to some API that’s behind the scenes.”
API Shield, as the name suggests, secures these behind-the-scenes APIs for organizations of all sizes, “and at no cost for anyone who is using Cloudflare’s network,” Prince said. “There are really two components to it.”
The first is mutual TLS authentication to create a “positive security” model for APIs that only allows known behaviors and identities to talk to those APIs and isn’t vulnerable to reuse or sharing of passwords. API Shield adds a layer of authentication to ensure that only known devices can communicate with an API.
“So an example would be that if you’re building an IoT device, and you wanted that IoT device to call back your API, you can embed the public-private key pair in the device itself,” Prince said. “And then if something that wasn’t that device tries to talk to your API, it would fail at the authentication level out at Cloudflare’s edge.”
The second part of API Shield involves schema validation on the APIs. This matches the contents of the API requests against the “schema,” which contains rules for what is expected. If this validation fails, the API call is blocked, which can protect customers from things like SQL injection attacks, Prince said.
“And this also works with all of our existing products,” he added. “So if I’m developing [an API], maybe I need some ability to do rate limiting. We have our rate limiting service. We also have our web application firewall service. All of these come together to build a very robust system to make it so that if you’re developing an API, it really is just a no-brainer to make sure that API is behind Cloudflare so that we can provide this protection.”
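The schema-validation half of API Shield described above, as an added illustration that is not Cloudflare's code: a small positive-security validator that only lets through requests matching a declared schema, rejecting unknown fields, missing required fields and values of the wrong shape. The schema format, the two endpoints and the sample requests are all constructed for this example.

```python
import re

# Constructed schema for two hypothetical endpoints. The format is this example's own,
# not Cloudflare's: each parameter has a type, an optional "required" flag and a constraint.
SCHEMA = {
    ("GET", "/users/{id}"): {"path": {"id": {"type": "integer", "required": True}}},
    ("POST", "/users"): {"body": {
        "name": {"type": "string", "required": True, "max_length": 64},
        "email": {"type": "string", "required": True, "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"}}},
}

def _check_value(spec, value):
    """Return None if value matches spec, otherwise a short reason."""
    if spec["type"] == "integer":  # strict digits only: "42 OR 1=1" is rejected here
        return None if re.fullmatch(r"\d+", str(value)) else "not an integer"
    if not isinstance(value, str):
        return "not a string"
    if len(value) > spec.get("max_length", 4096):
        return "too long"
    if "pattern" in spec and not re.fullmatch(spec["pattern"], value):
        return "pattern mismatch"
    return None

def _check_section(rules, supplied):
    """Positive model: unknown fields are rejected and required fields must be present."""
    for name in supplied:
        if name not in rules:
            return f"unexpected field {name!r}"
    for name, spec in rules.items():
        if name in supplied:
            reason = _check_value(spec, supplied[name])
            if reason:
                return f"{name}: {reason}"
        elif spec.get("required"):
            return f"missing required field {name!r}"
    return None

def validate_request(method, path, query=None, body=None):
    """Return (allowed, reason); a request matching no schema entry is blocked outright."""
    for (m, template), rules in SCHEMA.items():
        # Turn "/users/{id}" into a regex with one named group per path parameter.
        pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
        match = re.fullmatch(pattern, path)
        if m != method or not match:
            continue
        for section, supplied in (("path", match.groupdict()),
                                  ("query", query or {}), ("body", body or {})):
            reason = _check_section(rules.get(section, {}), supplied)
            if reason:
                return False, f"{section}: {reason}"
        return True, "ok"
    return False, "no schema for this endpoint"
```

A real deployment would load the schema from an OpenAPI document and apply the same check at the edge before the request reaches the origin.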