
The purpose of this decision is to prevent the transmission of accidental unencrypted API requests, thus, eliminating the risk of sensitive information being exposed in cleartext traffic before the server closes the HTTP connection and redirects it to a secure channel.
“Starting today, any unencrypted connection to api.cloudflare.com will be completely rejected. Developers should not expect a 403 Forbidden response any longer for HTTP connections, as we will prevent the underlying connection to be established by closing the HTTP interface entirely. Only secure HTTPS connections will be allowed to be established,” – Cloudflare.
Previously, Cloudflare allowed access to its APIs via both HTTP and HTTPS, and its servers either redirected or rejected HTTP connections. But even rejected HTTP requests can cause leaks of sensitive data (e.g. API keys or tokens) before the server responds to such a request.
On public or open Wi-Fi networks, the above-described scenario can entail even more severe consequence since it’s easier to deliver a man-in-the-middle attack there.

By closing HTTP ports, Cloudflare preemptively refuses the underlying connection at the transport layer before any HTTP or application-layer data are exchanged.
The new policy directly affects those using HTTP (i.e. scripts, bots, and tools relying on this protocol will fail). This also applies to legacy systems, automated API clients, IoT devices with limited processing power, and low-level clients who either don’t support HTTPS or don’t switch to it by default due to misconfiguration.
By the end of the year, Cloudflare is expected to launch a free feature enabling users to securely disable HTTP traffic on their side.
According to the company, only some 2.4% of traffic from ‘likely human’ clients passing through its systems uses plaintext HTTP. But together with ‘likely automated’ traffic, this proportion increases to almost 17%.

2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.02.20 — Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks
OpenSSH fixed two vulnerabilities that could result in MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs appeared in the code more than 10…
Full article →
2025.02.08 — Hackers exploit RCE vulnerability in Microsoft Outlook
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Federal Civilian Executive Branch (FCEB) Agencies that they have to secure their systems from ongoing…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello
Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →