115/68 Tuesday, March 25, 2025

Cloudflare, a leading network and security provider, has officially disabled all HTTP connections to api.cloudflare[.]com, enforcing HTTPS-only access to improve data security. This move aims to eliminate the risk of sensitive data exposure—such as API keys or tokens—over unsecured channels, especially on public networks vulnerable to Man-in-the-Middle (MitM) attacks. While Cloudflare previously rejected or redirected HTTP requests, potential loopholes remained: a client that sends a request over HTTP has already transmitted its credentials in cleartext by the time the server rejects or redirects it. By fully disabling HTTP at the transport layer, the company ensures that unencrypted connections are blocked entirely from the outset.
This change has an immediate impact on users who continue to access Cloudflare’s API via HTTP. Scripts, bots, or automated tools that rely on HTTP—particularly those used by legacy systems, IoT devices, or clients not configured for HTTPS by default—will stop functioning. Cloudflare noted that while only 2.4% of general traffic used HTTP, the number spiked to 17% for automated traffic. Users are encouraged to check their Dashboard > Analytics & Logs > SSL Traffic section to assess the potential impact. Additionally, Cloudflare announced plans to roll out, by the end of the year, an option for free-tier websites to securely disable HTTP.
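An added example (not from Cloudflare or the original article): a small audit helper that finds commands in automation scripts still calling the API over plain HTTP and flags those that also send credentials. The sample script, its file name, and the function names are constructed for illustration.

```python
import re

# Plain-HTTP reference to the Cloudflare API host, with or without an explicit :80.
HTTP_API_RE = re.compile(r"""\bhttp://api\.cloudflare\.com(?::80)?(?=[/\s"']|$)""", re.I)
# Header names Cloudflare API clients use to carry credentials.
CRED_RE = re.compile(r"authorization:\s*bearer|x-auth-key|x-auth-email", re.I)

# Constructed sample input: a legacy shell job (not taken from the article).
SAMPLE = r'''#!/bin/sh
# constructed sample: legacy zone listing job
curl -s -X GET "http://api.cloudflare.com/client/v4/zones" \
  -H "Authorization: Bearer $CF_API_TOKEN"
curl -s "https://api.cloudflare.com/client/v4/user/tokens/verify" \
  -H "Authorization: Bearer $CF_API_TOKEN"
wget -q http://api.cloudflare.com:80/client/v4/ips
'''

def logical_lines(text):
    """Yield (start_line, command), joining backslash-continued shell lines."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), start=1):
        if start is None:
            start = n
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # input ended in the middle of a continuation
        yield start, " ".join(buf)

def find_plaintext_api_calls(name, text):
    """Report each command that targets the API over HTTP, with an HTTPS rewrite."""
    findings = []
    for start, cmd in logical_lines(text):
        if not HTTP_API_RE.search(cmd):
            continue
        findings.append({
            "file": name, "line": start,
            # True means a key or token would have crossed the wire in cleartext.
            "sends_credentials": bool(CRED_RE.search(cmd)),
            "fixed": HTTP_API_RE.sub("https://api.cloudflare.com", cmd),
        })
    return findings

if __name__ == "__main__":
    for f in find_plaintext_api_calls("update_dns.sh", SAMPLE):
        print(f)
```

Any finding with `sends_credentials` set is a reason to rotate the affected key or token as well as to fix the URL.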
The Cloudflare API is a critical tool for developers and system administrators managing DNS, firewall rules, DDoS protection, SSL settings, and other services. Previously, the API accepted both HTTP and HTTPS requests—responding with redirects or a 403 Forbidden status for insecure attempts. Now, Cloudflare permanently blocks HTTP requests with no response, enforcing HTTPS from the start. This policy aligns with modern security practices, aiming to eliminate risks from outdated encryption protocols and reflecting Cloudflare’s commitment to protecting user data at the most fundamental level of connectivity.