Cloudflare to block all unencrypted traffic to its APIs

📟 News

Date: 26/03/2025

According to Cloudflare, effective immediately, only secure HTTPS connections to api.cloudflare.com will be accepted; while all HTTP ports are to be closed.

The purpose of this decision is to prevent the transmission of accidental unencrypted API requests, thus, eliminating the risk of sensitive information being exposed in cleartext traffic before the server closes the HTTP connection and redirects it to a secure channel.

“Starting today, any unencrypted connection to api.cloudflare.com will be completely rejected. Developers should not expect a 403 Forbidden response any longer for HTTP connections, as we will prevent the underlying connection to be established by closing the HTTP interface entirely. Only secure HTTPS connections will be allowed to be established,” – Cloudflare.

Previously, Cloudflare allowed access to its APIs via both HTTP and HTTPS, and its servers either redirected or rejected HTTP connections. But even rejected HTTP requests can cause leaks of sensitive data (e.g. API keys or tokens) before the server responds to such a request.

On public or open Wi-Fi networks, the above-described scenario can entail even more severe consequence since it’s easier to deliver a man-in-the-middle attack there.

By closing HTTP ports, Cloudflare preemptively refuses the underlying connection at the transport layer before any HTTP or application-layer data are exchanged.

The new policy directly affects those using HTTP (i.e. scripts, bots, and tools relying on this protocol will fail). This also applies to legacy systems, automated API clients, IoT devices with limited processing power, and low-level clients who either don’t support HTTPS or don’t switch to it by default due to misconfiguration.

By the end of the year, Cloudflare is expected to launch a free feature enabling users to securely disable HTTP traffic on their side.

According to the company, only some 2.4% of traffic from ‘likely human’ clients passing through its systems uses plaintext HTTP. But together with ‘likely automated’ traffic, this proportion increases to almost 17%.

Related posts:
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider

Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…

Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress

According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…

Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'

A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…

Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks

Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…

Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024

According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…

Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters

According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…

Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet

All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…

Full article →
2025.03.26 — Cloudflare to block all unencrypted traffic to its APIs

According to Cloudflare, effective immediately, only secure HTTPS connections to api.cloudflare.com will be accepted; while all HTTP ports are to be closed. The purpose of this decision…

Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage

According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…

Full article →
2025.04.30 — Coinbase fixes 2FA bug that made customers panic

Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…

Full article →