
Mar 24, 2025 cloudflare api httpsonly httplock security infosec

Cloudflare now blocks all unencrypted traffic to its API endpoints

Cloudflare announced that it has closed all HTTP connections and now accepts only secure HTTPS connections for api.cloudflare.com.


The move prevents unencrypted API requests from being sent, even accidentally, to eliminate the risk of sensitive information being exposed in cleartext traffic before the server closes the HTTP connection and redirects to a secure communication channel.

 

“Starting today, any unencrypted connection to api.cloudflare.com will be completely rejected,” reads Cloudflare’s announcement on Thursday.

 

“Developers should not expect a 403 Forbidden response any longer for HTTP connections, as we will prevent the underlying connection from being established by closing the HTTP interface entirely. Only secure HTTPS connections will be allowed to be established,” the internet services company added.

 

The Cloudflare API helps developers and system administrators to automate and manage Cloudflare services. It is used for DNS records management, firewall configuration, DDoS protection, caching, SSL settings, infrastructure deployment, accessing analytics data, and managing zero-trust access and security policies.

 

Previously, Cloudflare systems allowed API access over both HTTP (unencrypted) and HTTPS (encrypted), either by redirecting or rejecting HTTP.

 

However, as the company explains, even rejected HTTP requests may leak sensitive data like API keys or tokens before the server responds.

 

 

Such a scenario is more dangerous when the connection is over public or shared Wi-Fi networks, where adversary-in-the-middle attacks are easier to pull off.

 

By disabling HTTP ports entirely for API access, Cloudflare blocks plaintext connections at the transport layer before any data is exchanged, enforcing HTTPS from the start.
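The difference between rejecting HTTP and closing the HTTP port can be reproduced on loopback. The following is an added example, not code from Cloudflare or the original article; the token, the `/example-endpoint` path and all function names are constructed for illustration.

```python
import http.client
import socket
import threading

TOKEN = "Bearer CONSTRUCTED-SAMPLE-TOKEN"  # constructed value, not a real credential

def reject_with_403(listener, captured):
    """Plaintext listener that reads one request, then answers 403 Forbidden."""
    conn, _ = listener.accept()
    with conn:
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        captured.append(data)  # headers are already on the wire before any reply
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n"
                     b"Connection: close\r\n\r\n")

def call_api_over_http(port):
    """Misconfigured client using http://; returns the status or the error name."""
    client = http.client.HTTPConnection("127.0.0.1", port, timeout=3)
    try:
        # "/example-endpoint" is a placeholder path (assumption)
        client.request("GET", "/example-endpoint", headers={"Authorization": TOKEN})
        return client.getresponse().status
    except OSError as exc:
        # With the port closed, connect() itself fails before any bytes are sent
        return type(exc).__name__
    finally:
        client.close()

def demo():
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # loopback only, OS-assigned port
    listener.listen(1)
    port = listener.getsockname()[1]
    captured = []
    worker = threading.Thread(target=reject_with_403, args=(listener, captured))
    worker.start()
    status = call_api_over_http(port)  # case 1: port open, request rejected
    worker.join()
    listener.close()
    leaked = TOKEN.encode() in captured[0]
    closed_result = call_api_over_http(port)  # case 2: HTTP port closed
    return status, leaked, closed_result

if __name__ == "__main__":
    print(demo())
```

In the first case the client receives a 403, yet the listener already holds the full `Authorization` header; in the second the TCP connection is refused and the request is never transmitted.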

 

Impact and next steps


The change immediately affects anyone using HTTP on the Cloudflare API service. Scripts, bots, and tools relying on the protocol will break.

 

The same applies to legacy systems and automated clients, IoT devices, and low-level clients that don’t support or don’t default to HTTPS due to improper configuration.

 

For customers with websites on Cloudflare, the company is preparing to release a free option towards the end of the year that will disable HTTP traffic in a safe way.

 

Cloudflare data indicates that a small but significant share, roughly 2.4%, of all internet traffic passing through its systems still uses the insecure HTTP protocol. When automated traffic is taken into account, the HTTP share jumps to nearly 17%.

 

Customers can track HTTP vs HTTPS traffic on their dashboard under Analytics & Logs > Traffic Served Over SSL before opting in, to estimate the impact it will have on their environment.

Category: IT|Mar 24, 2025 | Author: Admin