Cloudflare, one of the leading internet service providers worldwide, has announced an immediate change to its API platform: from now on, only encrypted connections via HTTPS will be allowed, and requests over HTTP will be completely blocked. The company has taken this measure to strengthen security and prevent the accidental transmission of credentials over insecure channels.
The decision, which exclusively affects the api.cloudflare.com platform, marks a turning point for developers, scripts, bots, and tools that were still operating over HTTP connections. From this moment on, any attempt to connect via HTTP will receive no response. Cloudflare will not redirect requests to HTTPS, nor will it send a 403 Forbidden code; port 80 will simply stop accepting data, preventing the establishment of connections.
Until now, the platform allowed HTTP requests and automatically redirected them to HTTPS. However, the company has concluded that this mechanism was not secure enough and has decided to completely remove support for HTTP to avoid potential vulnerabilities.
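
Why the redirect was not enough, modeled on localhost as an added example (not Cloudflare's code): a client that sends its bearer token over HTTP has already exposed it by the time the redirect arrives, whereas a closed port refuses the connection before any request bytes are sent. The token, request path and local ports are constructed for illustration.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def send_request(port, token):
    """Plain-HTTP API call carrying a bearer token; returns the status code."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/v4/example",  # constructed path
                     headers={"Authorization": "Bearer " + token})
        return conn.getresponse().status
    finally:
        conn.close()

def redirecting_endpoint(token):
    """Old behaviour: the HTTP port answers with a redirect to HTTPS.
    Returns (status, Authorization headers the server read in cleartext)."""
    seen = []
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            seen.append(self.headers.get("Authorization"))  # already on the wire
            self.send_response(301)
            self.send_header("Location", "https://localhost" + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    status = send_request(server.server_address[1], token)
    worker.join(timeout=5)
    server.server_close()
    return status, seen

def closed_port(token):
    """New behaviour: nothing listens, so the TCP handshake fails.
    Returns (status, whether the request was sent)."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()  # free port with no listener
    try:
        return send_request(port, token), True
    except ConnectionRefusedError:
        return None, False

if __name__ == "__main__":
    print(redirecting_endpoint("constructed-token"))
    print(closed_port("constructed-token"))
```

Any credential that shows up in the first function's `seen` list should be treated as exposed and rotated, since it crossed the network unencrypted before the redirect was issued.
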
This measure directly impacts developers who use the Cloudflare API to manage DNS configurations, enable or disable features, or add and modify domain names. All of them will need to ensure that their tools, scripts, and automated processes exclusively use HTTPS connections.
Cloudflare has detected that, despite the shift towards secure protocols, around 2.4% of the traffic on its platform is still conducted over HTTP. In the case of automated traffic, this percentage rises to 17%. This figure reflects the persistence of legacy systems, IoT devices, automations, and clients that have not yet adapted to mandatory encryption.
To mitigate potential issues arising from inadequate configurations or outdated systems, Cloudflare has announced that before the end of the year, it will offer a free option aimed at disabling HTTP traffic in a safer and more controlled manner. This solution will be particularly designed for environments that depend on low-level devices or systems that do not support HTTPS by default.
With this measure, Cloudflare reinforces its commitment to security and encourages the entire developer ecosystem to adopt more robust and responsible practices in managing sensitive data and API connections.