Cloudflare has officially announced that it will no longer accept HTTP connections for its API services.
From now on, only secure HTTPS connections will be allowed for api.cloudflare.com. This change ensures that all unencrypted API requests are entirely blocked, eliminating any risk of exposing sensitive information in cleartext traffic before establishing a secure connection.
Previously, Cloudflare systems would either reject or redirect HTTP requests to HTTPS. However, even rejected HTTP requests could still leak sensitive data, such as API keys or tokens before the server processed the request. This risk is especially high on public or shared networks where attackers can intercept unencrypted traffic. By shutting down HTTP access at the transport layer, Cloudflare is preventing such security risks before they even occur.
This update will immediately impact developers, system administrators, and automated clients who were still using HTTP connections for Cloudflare API services. Scripts, bots, and legacy systems that are not configured to use HTTPS will stop working. Additionally, IoT devices and older systems that do not default to HTTPS will also be affected. Cloudflare is advising all users to update their configurations to ensure their API requests are encrypted.
Cloudflare’s API is widely used for managing DNS records, firewall settings, DDoS protection, SSL configurations, and more. By enforcing HTTPS-only connections, Cloudflare is strengthening the security of its services and protecting users from potential data exposure. The company has also announced that later this year, it will introduce an option for website owners to safely disable HTTP traffic for their sites.
Currently, about 2.4% of all internet traffic passing through Cloudflare’s network still relies on HTTP, and this number jumps to nearly 17% when accounting for automated traffic. Customers can monitor their HTTP vs HTTPS traffic in their Cloudflare dashboard under the Analytics & Logs section before making any necessary adjustments.
