
Cloudflare Eliminates Unencrypted HTTP API Access

Cloudflare recently announced it has completely disabled unencrypted HTTP connections to its API endpoint (api.cloudflare.com). The company now exclusively accepts secure HTTPS connections, significantly strengthening protection against sensitive data exposure.

Previously, Cloudflare permitted API requests via both HTTP and HTTPS. Non-secure HTTP requests were either redirected or rejected with a 403 Forbidden response. However, even brief unencrypted interactions risked exposing critical data like API tokens or keys, especially over insecure networks.

Closing the Door on Plaintext API Requests

As of Thursday’s announcement, Cloudflare fully rejects unencrypted API connections. Instead of returning errors, the service blocks the HTTP protocol outright at the transport level, ensuring data security before any exchange can occur.

Cloudflare emphasizes that developers should no longer anticipate receiving a 403 Forbidden message for unencrypted requests. Instead, the connection simply won’t be established unless secured through HTTPS from the beginning.

Risks of Allowing Unencrypted Connections

Allowing unencrypted HTTP traffic poses substantial security threats, especially on public Wi-Fi or shared networks where attackers can easily intercept plaintext data. Sensitive information—including API keys, credentials, and tokens—could potentially be exposed before the API rejects the insecure request.

Cloudflare’s decision to enforce HTTPS-only access eliminates this vulnerability entirely, proactively protecting users from potential adversary-in-the-middle attacks.

Immediate Impact and Necessary Adjustments

This security enhancement immediately impacts any system or tool using HTTP for Cloudflare’s API. Legacy scripts, bots, automated services, and improperly configured IoT devices relying on HTTP will no longer function correctly.

Cloudflare encourages administrators and developers to immediately verify their systems’ compatibility with HTTPS and update them accordingly. Those affected must transition quickly to HTTPS-supported configurations to maintain uninterrupted access to the API.
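One way to run that verification over legacy scripts, as an added example that is not from Cloudflare or the original article: it flags explicit `http://` references to the API host, flags references with no scheme (curl defaults to plain HTTP when none is given), and rewrites only the explicit ones. The sample lines and the `CF_TOKEN` variable are constructed for illustration.

```python
import re

API_HOST = "api.cloudflare.com"  # endpoint named in the article
# Optional scheme, then the API host as a complete hostname, then an optional port.
_REF = re.compile(
    r"(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?<![\w.-])" + re.escape(API_HOST)
    + r"(?::(?P<port>\d+))?(?![\w-]|\.\w)", re.IGNORECASE)

def classify(match):
    """Return 'plaintext', 'no-scheme', or None when the reference is fine."""
    scheme = (match.group("scheme") or "").lower()
    if scheme == "http":
        return "plaintext"
    # With no scheme the client's default applies, and curl's default is HTTP.
    return "no-scheme" if not scheme else None

def audit(text):
    """List (line_number, kind, line) for every risky reference in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in _REF.finditer(line):
            kind = classify(match)
            if kind:
                findings.append((number, kind, line.strip()))
    return findings

def upgrade(text):
    """Rewrite explicit http:// references to https://, dropping a :80 port."""
    def fix(match):
        if classify(match) != "plaintext":
            return match.group(0)  # schemeless and https references are left alone
        port = match.group("port")
        suffix = "" if port in (None, "80") else ":" + port
        return "https://" + API_HOST + suffix
    return _REF.sub(fix, text)

# Constructed sample: lines a legacy deployment script might contain.
SAMPLE = """\
curl -H "Authorization: Bearer $CF_TOKEN" http://api.cloudflare.com/client/v4/zones
curl -H "Authorization: Bearer $CF_TOKEN" api.cloudflare.com/client/v4/user
BASE = "HTTP://API.cloudflare.com:80/client/v4"
ok = "https://api.cloudflare.com/client/v4/zones"
mirror = "http://api.cloudflare.com.example.test/v4"
"""

if __name__ == "__main__":
    for number, kind, line in audit(SAMPLE):
        print(f"line {number}: {kind}: {line}")
```

Schemeless findings are reported but not rewritten, because the same text can be a legitimate `Host` header or a comment; each one needs a manual look.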

Upcoming Tools and HTTPS Adoption

Cloudflare’s analysis indicates that approximately 2.4% of global traffic still uses HTTP, while automated traffic pushes that percentage as high as 17%. Recognizing this, Cloudflare plans to introduce a free tool later this year, enabling safer transitions by smoothly disabling HTTP for customer websites.

Customers can already monitor the volume of their HTTP versus HTTPS traffic via Cloudflare’s dashboard under “Analytics & Logs > Traffic Served Over SSL.” This monitoring will help organizations better prepare for the eventual shift toward mandatory secure connections.

By enforcing strict HTTPS access, Cloudflare sets a robust security standard, encouraging the global community to follow suit in adopting secure-by-default best practices.

David McAfee

David McAfee is a seasoned cybersecurity expert with over a decade of experience at VPN Group. Specializing in online privacy and digital security, he has played a key role in developing advanced strategies to protect individuals and organizations from cyber threats.