
The purpose of this decision is to prevent the transmission of accidental unencrypted API requests, thus, eliminating the risk of sensitive information being exposed in cleartext traffic before the server closes the HTTP connection and redirects it to a secure channel.
“Starting today, any unencrypted connection to api.cloudflare.com will be completely rejected. Developers should not expect a 403 Forbidden response any longer for HTTP connections, as we will prevent the underlying connection to be established by closing the HTTP interface entirely. Only secure HTTPS connections will be allowed to be established,” – Cloudflare.
Previously, Cloudflare allowed access to its APIs via both HTTP and HTTPS, and its servers either redirected or rejected HTTP connections. But even rejected HTTP requests can cause leaks of sensitive data (e.g. API keys or tokens) before the server responds to such a request.
On public or open Wi-Fi networks, the above-described scenario can entail even more severe consequence since it’s easier to deliver a man-in-the-middle attack there.

By closing HTTP ports, Cloudflare preemptively refuses the underlying connection at the transport layer before any HTTP or application-layer data are exchanged.
The new policy directly affects those using HTTP (i.e. scripts, bots, and tools relying on this protocol will fail). This also applies to legacy systems, automated API clients, IoT devices with limited processing power, and low-level clients who either don’t support HTTPS or don’t switch to it by default due to misconfiguration.
By the end of the year, Cloudflare is expected to launch a free feature enabling users to securely disable HTTP traffic on their side.
According to the company, only some 2.4% of traffic from ‘likely human’ clients passing through its systems uses plaintext HTTP. But together with ‘likely automated’ traffic, this proportion increases to almost 17%.

2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.03.05 — Polish Space Agency disconnects its network due to hacker attack
Last weekend, the Polish Space Agency (POLSA) had to disconnect all of its systems from the Internet to localize an attack targeting its IT infrastructure. After discovering the intrusion,…
Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts
Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management
Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…
Full article →
2025.03.20 — 8,000 vulnerabilities identified in WordPress ecosystem in 2024
According to Patchstack, world's #1 WordPress vulnerability intelligence provider, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024; most of these bugs affected plugins…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign
According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →