TechHorizon Consulting

Cloudflare Enforces HTTPS: No More Unencrypted API Traffic

EJ

Mar 25, 2025By Eli Junco

Cloudflare has taken a significant security step by closing all HTTP connections to its API endpoints. As of today, any unencrypted connection to api.cloudflare.com will be completely rejected, ensuring that only secure HTTPS connections are allowed. This move is designed to eliminate the risk of sensitive information being exposed over plaintext traffic, even if only momentarily before redirection.

Why This Change Matters


Previously, Cloudflare's API could be accessed over both HTTP and HTTPS. While HTTP requests were eventually redirected or rejected, the process still posed a risk—unencrypted API keys and tokens could be intercepted, particularly on public or shared Wi-Fi networks where man-in-the-middle attacks are easier to execute. By disabling HTTP ports entirely at the transport layer, Cloudflare ensures that no plaintext data is ever exchanged.

API, application programming interface function and procedure development technology

What the Announcement Says


Cloudflare's recent announcement makes it clear:
“Starting today, any unencrypted connection to api.cloudflare.com will be completely rejected. Developers should not expect a 403 Forbidden response any longer for HTTP connections, as we will prevent the underlying connection to be established by closing the HTTP interface entirely. Only secure HTTPS connections will be allowed to be established.”

This means that scripts, bots, legacy systems, IoT devices, and other automated clients that rely on HTTP for API access will need to update their configurations to use HTTPS, or risk breaking functionality.

The Impact on Developers and Businesses


For many organizations that use Cloudflare’s API to manage services such as DNS records, firewall configurations, DDoS protection, caching, and SSL settings, this change is critical. Although a small percentage (about 2.4%) of internet traffic passing through Cloudflare is still done over HTTP, when accounting for automated traffic, that number jumps to nearly 17%. These numbers underscore the importance of transitioning to secure connections.

Developers can monitor their HTTP vs. HTTPS traffic through the Cloudflare dashboard under Analytics & Logs > Traffic Served Over SSL, which will help them estimate the impact on their environment and plan the necessary updates.

Secure data transfer with https internet connection protocol, encryption communication, website security concept. 3d illustration web browser with internet link and click hand cursor.

Next Steps and Best Practices


To adapt to this change, consider the following steps:

  • Update Your Scripts and Tools: Ensure that all your automated tools, bots, and API clients are configured to use HTTPS instead of HTTP.
  • Audit Legacy Systems: Verify that any legacy systems or IoT devices that might still be using HTTP are updated or configured to default to HTTPS.
  • Review Cloudflare Analytics: Monitor your traffic to understand the shift and adjust your security protocols accordingly.
  • Stay Informed: Keep an eye on Cloudflare’s announcements for any additional measures or free options they might release to help with the transition.

By enforcing HTTPS at the API level, Cloudflare not only enhances the security of its services but also sets a higher standard for protecting sensitive data across the internet.

 
At TechHorizon Consulting, we understand that staying ahead of evolving cyber threats is essential. We have the knowlage to ensure that your network and digital assets are secure by implementing robust authentication protocols and continuous monitoring. If your organization depends on API services and cloud-based infrastructure, now is the time to verify your configurations and enforce secure communications.

Contact TechHorizon Consulting today to assess your security posture and implement advanced protection strategies against emerging threats.