The purpose of this decision is to prevent the transmission of accidental unencrypted API requests, thus, eliminating the risk of sensitive information being exposed in cleartext traffic before the server closes the HTTP connection and redirects it to a secure channel.
“Starting today, any unencrypted connection to api.cloudflare.com will be completely rejected. Developers should not expect a 403 Forbidden response any longer for HTTP connections, as we will prevent the underlying connection to be established by closing the HTTP interface entirely. Only secure HTTPS connections will be allowed to be established,” – Cloudflare.
Previously, Cloudflare allowed access to its APIs via both HTTP and HTTPS, and its servers either redirected or rejected HTTP connections. But even rejected HTTP requests can cause leaks of sensitive data (e.g. API keys or tokens) before the server responds to such a request.
On public or open Wi-Fi networks, the above-described scenario can entail even more severe consequence since it’s easier to deliver a man-in-the-middle attack there.
By closing HTTP ports, Cloudflare preemptively refuses the underlying connection at the transport layer before any HTTP or application-layer data are exchanged.
The new policy directly affects those using HTTP (i.e. scripts, bots, and tools relying on this protocol will fail). This also applies to legacy systems, automated API clients, IoT devices with limited processing power, and low-level clients who either don’t support HTTPS or don’t switch to it by default due to misconfiguration.
By the end of the year, Cloudflare is expected to launch a free feature enabling users to securely disable HTTP traffic on their side.
According to the company, only some 2.4% of traffic from ‘likely human’ clients passing through its systems uses plaintext HTTP. But together with ‘likely automated’ traffic, this proportion increases to almost 17%.